Security Vulnerabilities of Voting Machines
According to an AP News article published in 2018, private equity firms responsible for manufacturing and maintaining voting machines and other election administration equipment “have long skimped on security in favor of convenience,” leaving voting systems across the country “prone to security problems.”
“A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience…” “The businesses also face no significant federal oversight and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy.”
“Academic computer scientists began hacking them with ease more than a decade ago, and not much has changed.” “Hackers could theoretically wreak havoc at multiple stages of the election process. They could alter or erase lists of registered voters to sow confusion, secretly introduce software to flip votes, scramble tabulation systems or knock results-reporting sites offline.”
“Election vendors have long resisted open-ended vulnerability testing by independent, ethical hackers — a process that aims to identify weaknesses an adversary could exploit. Such testing is now standard for the Pentagon and major banks.”
“California conducts some of the most rigorous scrutinies of voting systems in the U.S. and has repeatedly found chronic problems with the most popular voting systems. Last year, a state security contractor found multiple vulnerabilities in ES&S’s Electionware system that could, for instance, allow an intruder to erase all recorded votes at the close of voting.”
In 2017, UpGuard’s Cyber Risk Team discovered that a data repository owned and operated by ES&S was left publicly downloadable on an Amazon cloud server. The database included voter names, addresses, phone numbers, driver’s license numbers, and partial Social Security numbers of 1.8 million Chicago voters. The exposed data cache included roughly a dozen encrypted passwords for ES&S employee accounts. A sophisticated attacker could have used them to infiltrate company systems.
Three MIT scientists conducted a security analysis of Voatz, the first internet voting application used in U.S. federal elections. Their report indicated that “Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote.” Another security firm confirmed the flaws during a cybersecurity assessment. Voatz was used during the 2020 U.S. election by residents in Utah, Colorado, West Virginia, and other areas.
In 2017, DEFCON featured a Voting Machine Hacking Village (“Voting Village”) to highlight cyber vulnerabilities in U.S. election infrastructure, including voting machines, voter registration databases, and election office networks. Every piece of equipment in the Voting Village was effectively breached in some manner. The first voting machine to fall, an AVS WinVote model, was hacked and taken control of remotely in a matter of minutes.
In 2019, DEFCON allowed hackers to test voting equipment made by ES&S and Dominion, including e-poll books, optical scan paper voting devices, and direct recording electronic voting machines. The report indicated that “Voting Village participants were able to find new ways, or replicate previously published methods, of compromising every one of the devices in the room in ways that could alter stored vote tallies, change ballots displayed to voters, or alter the internal software that controls the machines.”
One examination report commissioned by the Attorney General of Texas concluded: “Computer systems should be designed to prevent or detect human error whenever possible and minimize the consequences of both human mistakes and equipment failure. Instead, the [DVS] Democracy Suite 5.5-A is fragile and error-prone. In my opinion, it should not be certified for use in Texas. If certification should be granted, it should be with the condition that all open network and USB ports be sealed.”
The New York Times published a video in 2018 demonstrating how to hack into a voting machine to change results.
Fox News also published a report in 2016 showing how a Princeton professor hacked into a voting machine in 7 minutes with a screwdriver and a memory chip.
During the Arizona Election Integrity Hearing held on Nov. 30, 2020, retired Army colonel and cyber warfare specialist Phil Waldron talked about how hackers can compromise Dominion voting systems and how spreadsheets can be altered to change the outcome of an election. He also detailed how something as simple as a USB drive can make a world of difference. He said the software used by a variety of companies all shares common code that goes back to SGO Smartmatic. The voting record can be modified, deleted, or adjusted by administrators or outside threats. Operators can assign votes for write-in votes and for blank or error ballots in large numbers, and the user’s manual gives them the authority to do so.
After the 2020 election in Georgia, Coffee County election supervisor Misty Martin demonstrated that the Dominion Voting System software can be set to allow “adjudication” of all scanned ballots, even blank ones, and to allow the operator to add vote marks to a scanned ballot as well as invalidate vote marks already on the ballot. The video showed the weaknesses of the Dominion voting system and the ways in which an election official may alter ballots at will with virtually no chance of being caught.