Next week at the annual DEF CON security conference, hackers will demonstrate severe flaws in our democracy, but not the ones they expect.
Before the conference has even started we’re already seeing a swirl of recycled reports from last year touting hackers’ success in breaching election machines. Those reports are at best misleading, playing on ignorance and fear. By the time they filter beyond the trade press to mainstream news media, their contents are fake news in the truest sense – stories tainted with falsehood, repeated uncritically, stirring up fear to sell clicks.
Here’s the problem in a nutshell. Few hackers understand the details of the election process. Election officials don’t understand computer security. And the journalists reporting on these events don’t understand either. Hackers “breach” election equipment during a highly publicized workshop via methods that bear no resemblance to the real world. Workshop sponsors report their success to credulous reporters who print them under inflammatory headlines. And voters are worked into a lather, inspiring larger and larger budgets. Vendors are standing by, ready to capitalize on this cycle of fear and misinformation.
Russian intelligence explored many potential angles of attack against our system in 2016, stealing data from political parties and candidates, and even stealing voter records. But they don’t appear to have wasted any energy on voting machines. The explanation is fairly plain. A regime with deep experience generating phony election results knows how difficult it is to compromise voting machines. In fact, such a project was much simpler and more common in the age of paper ballots. To put the matter in perspective, Russian elections use paper ballots.
If there’s anything we learned from the subversion of our democracy in 2016 it’s this: the easiest target of mass hacking in our political system is not our voting machines, but our voters.
Is it possible to compromise our voting infrastructure? As my great-grandpappy used to say, “given enough time and money I can do anything.” Subverting election results with machine voting would require the same logistics necessary under simpler processes, and then some. It would take planning, access to the equipment, collaboration from sympathetic or corrupt officials, and help from many people performing manual tasks all through the process. Adding to the complexity, those collaborators would need a sophisticated understanding of technology to avoid leaving a trail, a problem much more complex than dropping ballots in a dumpster or stuffing a box. Our fear that electronic voting might allow some “400 pound guy in New Jersey” to steal an election just for giggles is a paranoid fantasy.
With a few variations, voting machines work like this. Machines are stored in a secure warehouse between elections, with their storage media removed and access to the warehouse recorded. Early versions used full computer operating systems, like the ones on a commercial laptop. Modern machines either use custom operating systems or modifications of stripped-down OSes like Windows CE.
In better jurisdictions, updates are performed on a regular schedule. In many places updates are rare. Prior to deployment, the machines are tested to demonstrate a “zero-vote.” They are tested again by poll workers before voting commences.
When voters arrive their names are checked against a list of registered voters. Once confirmed, a voter is issued a smart card activated to allow a vote to be cast. A voter inserts the card into a machine, is issued a ballot on a touch screen, makes and checks their selections, then submits their vote. Most machines print and store a paper version of the ballot selections. The card is deactivated by the machine and the voter’s selections are stored on removable media, like an SD card or similar device.
Some machines perform a running tabulation. Others merely record each vote. Newer machines encrypt their stored data so that only the tabulation application can read it. Access to the removable media is usually behind a locked door or seal. Some have the capability to be connected to a network. This connection would have to be physical (plugged into a wire) and is designed to facilitate software and firmware updates. Machines currently in use do not have wireless access to the Internet. Few voting machines have any networking capability. They can only be accessed directly, in person. A detailed description of available voting machines is provided by the group Verified Voting.
So, how would you hack this system?
Traditional network-connected hacking is usually summarized into five phases: reconnaissance, access, persistence, exploitation, and concealment. It begins with an assessment of the target to identify vulnerabilities. Those vulnerabilities are leveraged to gain access to the target system. Some method must then be found to maintain access long enough to complete the desired exploit, whether data exfiltration, surveillance, compromising the machine with malicious software, or some other purpose. Finally, action should be taken to conceal the hack, sometimes deleting or altering logs, or ensuring that the exploit itself is made to look “normal,” conforming with the machine’s ordinary function.
Without access to the Internet, whatever process might compromise these machines will not be the kind of invisible, remote computer hack we’ve grown accustomed to seeing. That means the first two steps of any hack would involve putting hands on machines under the control or supervision of a local government. Making the attack meaningful to an election outcome would require anticipating far ahead of the election what outcome was desired, then somehow programming that outcome into hundreds or even thousands of machines, without detection or error. Any effort to tamper with removable media on individual machines at a polling place would have to be repeated on a mass scale, a sophisticated and time-consuming sleight-of-hand effort requiring collaboration and repeated success under adverse, hostile scrutiny.
Some remote precincts report results back to election authorities over an intranet connection. In theory, compromising that connection would allow hackers to substitute fake results for the real ones. However, even after solving the puzzle of which connection would need to be hacked, how to intercept it, executing the hack, and inserting fake data formatted to convincingly match real results in real time, that still leaves the media at the local site with different results that would need to be destroyed. And precincts using this arrangement tend to be very small, which makes them lousy targets for influencing an outcome. A year’s worth of planning by sophisticated hackers could be thrown in the toilet by an election official who makes an ad hoc decision to pick up the phone to report results instead of using the network connection.
Is it possible to hack our voting machines? Almost anything is possible with enough resources, but it would be much easier to steal an election with paper ballots, which explains Putin’s preference for the old methods.
Contrast these real-world challenges with the structure of the DEF CON demonstration. Organizers cobble together a collection of voting machines scrounged from eBay or wherever else they can get them, often relying on outdated equipment. Hackers perform the reconnaissance portion of the cycle in person, looking at the machines, often taking them apart to peer at their innards. One machine, an out-of-service AVS WINVote model, is particularly popular in these stunts because anyone who can get close to it can access it, thanks to a vulnerable Wi-Fi connection.
What follows is a brief race to hack the machines, likely won by whoever went after the WINVote. Success in these stunts means getting only to the second stage of a five-part process, under conditions that would never be replicated in real life. Reports generally claim that all of the machines were “hacked,” even though in most cases all they did was identify a potential vulnerability. Nobody wants to stage a hackathon just to watch everyone fail.
Want to see a real demonstration of election hacking? Put those same hackers in a room in St. Petersburg with nothing but a laptop and an Internet connection. Ask them to hack a single voting machine anywhere in the world. Watch them fail. You won’t see that demonstration because that story makes lousy clickbait.
This brings us to the real hack, the one undermining democracy on a day-by-day basis. As the complexity of our world accelerates to a blur, it’s getting harder for us to keep pace. Our political system gains its stability by resting on the expressed preferences of the widest possible collection of citizens. The delta between the level of expertise necessary for making competent policy decisions and the median expertise of the electorate is growing into a chasm. This is not a story about dumb people. This is not a problem that can be remedied by education or training. Your doctor and your professor don’t understand the relative security of different voting machines or, for that matter, the detailed requirements for assembling a competent national health care system. No human being has the time to keep pace with the explosion of data all around us, or the public policy demands rising from that data flood.
Where there’s a problem, there’s a market, and opportunists are capitalizing on this delta. Our voting machine panic is just one feature of this larger breakdown. Smart, educated people are refusing to vaccinate their kids. Clever people who should know better believe climate change is a hoax. We already live in a world where only our machines can keep pace with the demands created by our machines. What this means for the future of our democracy is hard to say, but what it says about our elections is pretty clear. The biggest threat to the integrity of our elections isn’t the machines, but the users.
This post is part of a series exploring what’s next after liberal democracy and what we should do to prepare. Much of this material was covered in The Politics of Crazy, though from the perspective of a more optimistic era. The work fits better as a whole, but reading through a 6000+ word piece on a computer seems impractical. When these are complete I’ll gather them into a series of links on a single page.