Here Are All the Ways People Have Found to Hack Voting Machines
It’s becoming increasingly common to see the use of electronic systems in electoral voting. Whether online voting or the electronic voting machines you’ll find at polling stations, many elections now use electronic systems of some kind.
However, electronic voting is not without its risks. One of the biggest problems is the potential for such systems to be hacked. Here we’ll explain the various ways people have found to hack voting machines.
How Electronic Voting Works
When you go to a polling station, you may find an electronic voting machine where you enter your vote. This is instead of the traditional pen and paper format. The advantage of using electronic voting machines is that they can count votes faster and more accurately than counting up papers.
Given the importance of security in elections, you might think these machines must be very secure. Unfortunately, though, that’s not the case. There are a number of ways that these machines can be hacked. And replacing outdated machines with newer, more secure ones is extremely expensive.
Hackers Break Into Voting Machines at Def Con
For the last few years at Def Con, a massive security conference attended by many ethical hackers, the organizers have put on an event called the Voting Village. Here, hackers are invited to hack various types of voting machine used in the US. The idea is to test whether these machines are secure.
Unfortunately, they are not. The hackers managed to compromise every single voting machine available at the 2019 event. The machines are available to buy on eBay, which makes it easy for hackers to practice accessing and subverting them.
Another concern was that many of the parts for voting machines come from outside of the US, making them vulnerable to foreign interference. For example, one machine the hackers tested contained hardware which pointed to a foreign IP address. The function of this connection wasn’t clear, but it is concerning to have found it.
Methods Used to Access the Voting Machines
At Def Con, the hackers used methods from correctly guessing weak default passwords, to breaking low-quality encryption. For some of these hacks, the hackers needed to be near the machine to open it up or add hardware. But in some cases, the hackers reported they could even hack the machines without being near them.
One issue was a machine which kept voter data on an SD card which was encrypted. But the keys to decrypt the data were stored in plain text in an XML file. This “allow[ed] all data to be easily accessed and modified, thereby rendering encryption meaningless,” as described in a Def Con report.
Another method the hackers used was accessing the BIOS of voting machines, as officials had not set BIOS passwords. This allowed hackers full access to all system settings. Even though the hardware did support Secureboot, which would stop the machine from running unknown code, election officials had not enabled it.
Yet another boot hack involved inserting a USB stick with a Linux operating system installed on it. When inserted, the voting machine could be made to boot from the USB. This gave hackers access to the machine and its data.
Another concern was that, on some of the voting machines, bloatware was not removed. This refers to pre-installed software which comes from the manufacturer and which may have security holes. These holes can allow hackers to access the machine. In one case, a voting machine was found to have apps installed like Netflix, Hulu, and Prime Video!
A security expert demonstrates the ways hackers can access voting machines in this YouTube video. In it, he purchases a voting machine off eBay and finds ways to hack it.
One issue is that the smart card hardware installed onto the motherboard of the device was not secured. That means anyone could use the connection to add in their own hardware. Hackers could add in a defeat device. This is a piece of hardware that deliberately interferes with the running of the machine. The device could even change data as it enters the system, effectively allowing hackers to change votes.
Another issue is the use of smart cards generally. The machine allows the use of smart cards for voting officials to set up the machine and to collect data once voting is finished. But hackers can insert their own smart card. Even when the card is blank, hackers could use it to access logs of the machine. And this allows hackers to uncover vulnerabilities, and to see vote totals.
The researcher is also able to access error logs on the machine. Those might seem unimportant, but in fact they can hold a wealth of information for a hacker.
Hackers can use error logs both to work out the history of the machine, and to see into the underlying operating system. In this example, the errors are from a Windows system, and hackers could use this information to search for exploits.
Hacking Election Servers
It isn’t only voting machines that are vulnerable to hacking, however. The electronic voting infrastructure can be vulnerable too. At the start of 2020, Ars Technica reported that malicious parties may already have hacked an election server in Georgia, ahead of the 2016 and 2018 US elections.
Hackers were able to hack the server through the use of Shellshock, a vulnerability in Unix revealed in 2014. This vulnerability was particularly concerning because it was relatively easy to exploit, and it left any machine based on Unix or Linux vulnerable.
This issue on the election servers was patched in December 2014, but by that time someone could already have made use of the exploit and accessed the server.
Another issue with election server security occurred in 2016, when researchers discovered the election server at Kennesaw State University was vulnerable to a server flaw known as Drupageddon. This took advantage of a flaw in the Drupal content management system which was running on the server.
Security Issues Around Electronic Voting
Electronic voting has many advantages. It can make voting easier and quicker, and can be more accurate in tallying totals. However, there are also a number of ways that systems are vulnerable to hacking.
And this is just one way in which elections can be hacked. It doesn’t consider factors like manipulating voters or manipulating infrastructure. To learn more about different sorts of threats to elections, see our article on how election hacking works .