The ugly truth about voting security: States won’t fix it
As those of you reading this from the US (hopefully) vote today, in all likelihood your vote will be counted correctly and you won’t be turned away from the polls because someone hacked the voter registration data. Yet for a small but non-zero minority, something will go wrong that will stand in the way of their ability to cast a vote for the candidate of their choice. It could be a glitch in a voting machine interface that wasn’t caught before they committed their ballot, voter registration data that has been flagged as incorrect or has been purged, or maybe a targeted robo-call that gives them bad information about the election.
There are lots of ways to manipulate the vote tally that go beyond exploiting a hiccup in an electronic voting machine. Denial of service attacks—on state or county servers, on the networks that connect precincts to election commissions, and on other vulnerable points in the network architecture—could disrupt voting itself or prevent votes from being properly counted. Tampering with voter registration data in advance of the election could cause voters to be forced to cast provisional ballots or exclude them from voting entirely. And then there’s simply shoddy software implementation and aging hardware, which can cause an unintended denial of service.
In six Texas counties during early voting, it was reported that voters casting a straight party ticket had their vote for US senator checked for the wrong candidate: Democrats found that their vote was being cast for Sen. Ted Cruz, while some Republicans found their vote was being cast for Beto O’Rourke. The problem, according to state election officials, was caused by an interface issue on the Hart eSlate voting system—specifically, voters were turning a selection dial and pressing an “enter” button at the same time, according to a spokesperson for the secretary of state’s office in Texas. State election officials sent out an advisory to county election workers about the problem, which first surfaced during the 2016 presidential election. But it was described as “user error” and not a technical issue. The Hart eSlate is used by 82 out of Texas’ 254 counties.
This sort of problem has been persistent since the passage of the Help America Vote Act in 2002, a policy that first threw money at state and local governments to avoid another sort of voting issue (the legendary, dreaded hanging chad). While the US Election Assistance Commission (EAC)—which is responsible for certifying voting systems for use in elections—has promulgated voluntary guidelines for operating election systems, many states do not require their voting systems to be certified to federal standards. The last update issued by the EAC on the status of certification was published on January 31, 2011, and it showed that 20 states still do not mandate certification to federal standards.
Only 13 states require federal certification of voting systems—the remainder only require a “testing to Federal standards.” And these cover voting systems themselves, not necessarily the back-end systems that connect to those systems (including state voter registration systems and vote tabulation systems). There has never been a full independent code audit and penetration test covering the entire scope of voting systems used by US counties under anything resembling Election Day conditions—either by the voting system vendors or state and local governments.
This is counter to the practices involved in practically every other type of system handling sensitive data. “When I bought an Internet of Things lock,” said Veracode Vice President of Research Chris Eng, “I went to see if there was a white paper about it from a reputable security firm. Why can’t I get that for elections?” Software security audits, including penetration testing, are done for “thousands of small software companies every year, on software for banks, media, and manufacturing,” he added. “Their customers demand that they get a third-party audit of their software. Financial and manufacturing firms are vetting their software. That kind of thinking hasn’t made it to state and county government.”
While DHS has offered some security services, including some penetration testing, they have been limited in scope. Some states have even rejected such offers of help. Eng suggested that what is really needed for all the interconnected systems involved in voting is a “classic, no-holds barred testing” scenario. “Have a mock election day and have the penetration testers try to manipulate the vote tally,” Eng said.
But states are reluctant—and in some cases even hostile—to enlist outside help in evaluating their election system security. The recent concerns over Georgia’s voter registration system are just the latest episode in which Georgia officials have pursued individuals for pointing out security issues with election systems. As Ars reported in September, a US district judge called Georgia’s voting security efforts inadequate after major vulnerabilities were found in balloting systems in the run-up to a Georgia congressional special election. More recently, concerns were raised over the security of the code running Georgia’s online voter registration system.
Georgia is not alone in those woes. At DEF CON this August, security researcher Josh Franklin and his co-researcher (and father) Kevin Franklin of ElectionBuster found that several states’ online voter registration sites had poor implementations of Transport Layer Security. Two states earned an “F” for their implementations, meaning they had misconfigurations that left communications with the site vulnerable. In testing Ars conducted in August using online TLS evaluation tools, we found Georgia was one of those states.
Georgia has since upgraded its TLS implementation and has shut down a number of other bugs, according to security researchers (the online voter registration server is now hosted behind Cloudflare). But other states still use weaker implementations of TLS: eight states and territories were still using TLS 1.0 as of August of this year.
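A defender-side check for the weakness described above, added here as an example (it is not code from Ars, ElectionBuster, or any state): it pins a client handshake to one TLS version at a time and reports whether a server still accepts the deprecated ones. The hostname is a command-line argument (the `example.com` default is a placeholder); the assessment logic is kept separate so it can be run on recorded probe results without a network.

```python
import socket
import ssl

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}
DEPRECATED = {"TLS 1.0", "TLS 1.1"}  # deprecated by RFC 8996


def server_accepts(host, version, port=443, timeout=5.0):
    """True if the server negotiates exactly `version`, False if it refuses,
    None if the local OpenSSL build cannot offer it or the host is unreachable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # testing protocol support, not certificate identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:  # legacy versions need legacy cipher suites
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError as e:  # client-side "no protocols" means we could not test it
        return None if e.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except OSError:
        return None


def assess(results):
    """Map {version: accepted} to (verdict, reasons); None counts as not accepted."""
    enabled = {v for v, ok in results.items() if ok}
    legacy = sorted(enabled & DEPRECATED)
    reasons = [f"accepts deprecated {v}" for v in legacy]
    if not enabled & {"TLS 1.2", "TLS 1.3"}:
        reasons.append("no modern protocol (TLS 1.2 or 1.3) negotiated")
        return "FAIL", reasons
    if "TLS 1.3" not in enabled:
        reasons.append("TLS 1.3 not offered")
    return ("FAIL" if legacy else "WARN" if reasons else "PASS"), reasons


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder default
    print(assess({name: server_accepts(host, ver) for name, ver in VERSIONS.items()}))
```

A server that still answers a TLS 1.0 handshake is reported as FAIL regardless of what else it supports, which matches the condition the researchers flagged.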
Fixing these problems and others endemic to election security will require time—time that has run out for 2018, obviously. “This is a problem that can’t be solved in a few months,” said Eng. “It’s really going to take years of change, of how you think about vetting the software, and how the manufacturers that are making the software think about security.” And without a mandatory, central standard for security implementation or funding to properly implement that security, it’s doubtful that all states’ lawmakers will get behind fixing a system that got them elected in the first place.