The U.S. election system continues to march toward November 2020 as long-known security weaknesses remain unpatched while newer systems added to the mix since 2016 likely have created additional attack paths, despite some states adding paper ballots as a backup measure.
Compared with 2016, “the election system in 2020 is more vulnerable to remote attack,” said Harri Hursti, a Finnish computer programmer and ethical hacker who has been tracking vulnerabilities in U.S. election systems for more than a decade. “The big risk now is the voter registration systems that are always on the internet, or the e-poll books, which are always on the internet.”
Since 2016, significant attention from the U.S. and state governments has been focused on ensuring that more states have paper ballot backups and more secure voting machines. But internet-based registration systems and electronic poll books, or e-books, typically tablet computers that poll workers use to check-in voters, will remain open to attacks, Hursti told CQ Roll Call in an interview.
Hacking and altering voter registration data bases and e-poll books could cause chaos on Election Day as poll workers try to manage the check-in of thousands of voters at local precincts.
Despite nearly $1 billion in federal grants provided by Congress to states since 2016 and multiple hearings focused on security weaknesses, Hursti demonstrates in a new HBO documentary called “Kill Chain: The Cyber War on America’s Elections,” airing March 26 at 9 p.m. ET on HBO, that from voting machines to tabulation systems, the election machinery is filled with holes.
The documentary unearths new revelations about the hacking and scanning of election systems in the run up to the 2016 election and some new vulnerabilities in machines purchased by local governments since then.
A hacker-for-hire based in India who goes by the handle @cyberzeist is revealed to have hacked into Alaska’s election system ahead of the 2016 election.
Working for an unnamed Russian group that hired him to scan U.S. election systems for vulnerabilities, @cyberzeist tells Hursti that he was able to use an unspecified tool on the internet-facing website and gain access at the highest level. The access could have enabled him to do whatever he wanted, including potentially deleting a candidate’s name, @cyberzeist says through a video chat with his face hidden.
“I had root access, which not only allowed me to make small changes, but granted me full access of the system,” including a database that held the live voting data from the 2016 election, @cyberzeist tells Hursti. “I felt like I was the God at that time,” the hacker says because he could have altered anything he chose to.
But he chose not to go down that path for fear of being caught and his entire group being burned, he tells Hursti. Instead, he installed a backdoor on the website that may allow him to access it whenever he chooses to, Hursti says.
Typically when criminal hackers gain access to a network they ensure that no other criminal can gain a similar access, Hursti said in the interview, adding that he found @cyberzeist credible. That often means the hacker then would shut down all known vulnerabilities on the system and leave only his or her backdoor as a viable means of gaining access, Hursti said. It’s likely the Indian hacker did the same thing with the Alaska system, Hursti said.
U.S. intelligence agencies have concluded that Russian intelligence services scanned the election systems of all 50 states before the 2016 election and potentially gained access to voter registration and other databases in 21 states. U.S. officials have said no votes were altered.
Although makers of voting machines and state election administrators routinely promise that their equipment is protected from unauthorized access, Hursti found a warehouse full of Accuvote TSX voting machines made by Premier Solutions being sold by a recycler on eBay.
Brett Stimer, owner of eCycle Solutions of Ohio, tells Hursti that he bought the machines from an insurance company after a buyout. The machines were first used sometime in 2002, Stimer tells Hursti. But Hursti turns on one of the machines and finds that it was used as recently as July 2013.
Hursti hands over $225 to Stimer and walks away with three machines. Stimer says he would sell the machine to anyone who wants to buy it, even if the buyer is a foreign buyer.
“The common defense that why the systems are unhackable in the election world has always been that the bad people will have no access to the machines,” Hursti says as he walks away with the machines. “We have 1,200 machines auctioned on eBay. This takes away the argument.” Anyone with $75 can get a machine and as many as they want, he says.
The Accuvote TSX made by Premier Solutions is a direct recording machine that captures votes when users choose their candidates on a touch screen. It is likely to be used in the November 2020 election by nearly 20 states including key battlegrounds such as Florida, Pennsylvania and Wisconsin, according to Verified Voting, a nonpartisan research group.
While election experts have said that paper ballot backups that can be subject to rigorous post-election audits to verify that results produced by electronic machines match voter intentions, Congress has yet to require states to have paper ballots or conduct such audits.
Senate Majority Leader Mitch McConnell and other senior Republican lawmakers squashed a bill backed by Sens. James Lankford, R-Okla., and Amy Klobuchar, D-Minn., in 2018 that would have done both.
McConnell declined to be interviewed for the HBO documentary, filmmaker Sarah Teale told CQ Roll Call. All three makers of voting machines declined to participate in the film, according to the documentary.
Teale was also the executive producer of a 2006 documentary, “Hacking Democracy,” which also featured Hursti demonstrating online how easy it was to hack a voting machine.
In the absence of federal standards defining what constitutes a paper ballot, Georgia’s Gov. Brian Kemp, a Republican, for example, has bought new voting machines for use in 2020 that produce a paper trail, but the paper vote is rendered in the form of a barcode that cannot be ready by humans or used in an audit, the HBO film shows. Kemp also declined to speak with HBO, Teale said.
Teale said she hoped that “Kill Chain” would be seen by all Americans including members of Congress so they can understand the vulnerabilities inherent in the patchwork of election systems managed by more than 8,000 jurisdictions across the country.