IoT: Can You Rig an Election by Hacking a Voting Machine?


Digital voting machines, like this one from the Diebold company, are used in an Oakland, California polling location for an election. Credit: Justin Sullivan/Getty Images

Anything that can be hacked will be hacked. Electronic voting machines are no exception. This raises the question: Could you hack enough electronic voting machines to influence (rig) the outcome of the upcoming presidential election? To answer this question, you need to have high confidence in the answers to three additional questions:

  1. Are there a sufficient number of electronic voting machines in swing states?
  2. Can you identify and tamper with (hack) the right machines in the right locations?
  3. Can you infiltrate the required number of the more than 8,000 distributed, local, mostly offline, public polling places, and defraud a sufficient number of ordinary citizen volunteer election monitors, trained and credentialed partisan poll watchers, and the local and state officials who have a system in place to forestall both human error and any type of suspected tampering?

Hacking an Electronic Voting Machine
According to the U.S. Election Assistance Commission's website, "The Help America Vote Act (HAVA) of 2002 was passed by the United States Congress to make sweeping reforms to the nation's voting process." Its goal was to address "improvements to voting systems and voter access that were identified following the 2000 election."

While HAVA guidelines are voluntary, the act was accompanied by about $4 billion in federal funding to help states update antiquated voting methods. The result was a windfall for companies selling voting machines that utilized turn-of-the-century touch screen technology such as the Premier/Diebold (Dominion) AccuVote TS & TSx, the Advanced Voting Solutions WINvote and the Sequoia (Dominion) AVC Advantage. Importantly, the vast majority of these machines were sold before 2006 (when the HAVA cut off federal funding). The internet is replete with articles, reports and blog posts about the security issues with these and other similar vintage electronic voting machines. If you're interested in these machines and want to see a good list of security concerns for each, you should visit www.verifiedvoting.org.

Between now and Election Day, you are sure to hear all manner of pundits and experts talk about the possibility of hacking voting machines. While it is not "child's play," for someone schooled in the art, the work can be done in a matter of minutes. Your smartphone is significantly harder to hack than any of these "digital" voting machines.

Rigging an Election
There's a compelling and reassuring post by Chris Ashby, a Republican campaign finance and election lawyer, that clearly explains what would be necessary to "rig" an election. It's a good read. In it, Chris opines: "To rig an election, you would need 1) technological capabilities that exist only in Mission Impossible movies, plus 2) the cooperation of the Republicans and Democrats who are serving as the polling place's election officials, plus 3) the blind eyes of the partisan poll watchers who are standing over their shoulders, plus 4) the cooperation of another set of Republicans and Democrats -- the officials at the post-elections canvass, plus 5) the blind eyes of the canvass watchers, too."

What Chris means by "technological capabilities that exist only in Mission Impossible movies" is that even though hacking an individual machine is relatively easy, hacking the right machines in the right places to successfully and undetectably "rig" a national election would take an almost impossible-to-imagine coordinated effort by an army of technicians and wizened election volunteers from both political parties.

Other electoral hacks
On Friday (October 21, 2016), a remarkably large number of well-known websites, such as Netflix, Twitter, Spotify, GitHub and some sites hosted on Amazon Web Services, were effectively taken offline by one of the largest, smartest, scariest Distributed Denial of Service (DDoS) attacks ever reported. What made this particular DDoS attack scary?

This attack, which involved tens of millions of Internet Protocol addresses, utilized tactics that have not been seen at this scale before. Flashpoint has confirmed that some of the infrastructure responsible for the DDoS attacks against Dyn DNS (the primary strategic target) were botnets compromised by Mirai malware. This is malware that conscripts Internet of Things devices such as DVRs, IP video cameras, baby monitors and other commonly used low-tech consumer electronics equipment. This particular attack lasted less than a day, but it cost the collective targets tens, if not hundreds, of millions of dollars of downtime, and many more millions to defend against.

"DDoS attacks are a comparatively benign example of the catastrophic risks intrinsic to how our networks are currently designed. Consolidation increases efficiency but decreases resilience, which is clearly demonstrated every time there is an attack on a provider," says Maura Sullivan, PhD, Managing Director, Eidos Group and former Chief of Strategy and Innovation for the Department of the Navy. "Physical security models do not work for networked systems and a new mental model is required to make intelligent trade-offs between efficiency and resilience." Sullivan's words are not comforting.

Was this just a test? Is there a bigger, more disruptive DDoS attack planned for Election Day? How would that impact our ability to vote or count votes?

A direct technical attack is not the only type of hack. What about social engineering? It is usually the lowest-tech, highest-efficacy type of attack. Could there be a massive social engineering hack on, or near, Election Day?

The answer to all of the above is maybe. But -- and this is important -- everyone who can do anything about any of this is fully aware that it might happen, and they are as ready for it as anyone can be. It's the things we haven't thought of and that we don't see coming that are the most dangerous -- and we're on the lookout for them, too!

Hacked does not equal rigged
Between all of the hacked documents being released by WikiLeaks, the massive Yahoo email hack and the recent super-sized DDoS attack, it's natural to wonder if a technical hack could impact or rig the upcoming election.

While conspiracy theorists, fear-mongers and attention seekers may want you to believe it's probable, and while it is true that the chances that hackers might influence the outcome of the upcoming election are non-zero, in practice, it's just not possible. The thousands of very well-distributed, mostly old-fashioned, partisan-monitored, local election polling places that make up our national election system are on full alert, and they are more than capable of defending our democracy on November 8th. So please, go out and vote with confidence. America needs you.