The Washington Post
Democracy Dies in Darkness

The Cybersecurity 202: Voting machines touted as secure option are actually vulnerable to hacking, study finds

with Tonya Riley


New voting machines that hundreds of districts will use for the first time in 2020 don’t have enough safeguards against hacking by Russia and other U.S. adversaries, according to a study out this morning from researchers at the University of Michigan. 

The study marks the first major independent review of the machines called ballot-marking devices, or BMDs, which at least 18 percent of the country's districts will use as their default voting machines in November. The results are a major blow for voting machine companies and election officials, who have touted BMDs as a secure option in the wake of Russia’s 2016 efforts to compromise U.S. election infrastructure.

“The implication of our study is that it’s extremely unsafe [to use BMDs], especially in close elections,” Alex Halderman, a University of Michigan computer science professor and one of seven authors of the study, said in an interview. 

People who use BMDs cast their votes using a computer touch screen, but the machine spits out a paper record of those votes. That is usually used to tally the results and can be saved for audits that ensure votes were tallied correctly. 

The machines were touted by election officials as a compromise between paperless voting machines, which experts uniformly agree are far too vulnerable to hacking, and hand-marked paper ballots, which serious cybersecurity hawks favor but which can be tougher to tally and are inaccessible for many people with disabilities.

But only a handful of people who vote on BMDs are likely to check that their votes were recorded accurately, the researchers found – meaning that if hackers succeed in altering even a small percentage of electronic votes, they might be able to change the outcome of a close election without being detected. 

“There's been a lot of discussion in the election security community about whether BMD verification works as a defense against hacking, but nobody really had any hard numbers,” Halderman told me. “Now, for the first time, we have an experimental data point and, unfortunately, the results confirm some of our worst fears.”

The findings come as election security groups in Pennsylvania are already suing to block some counties from using a specific brand of BMDs, the ExpressVote XL machines designed by Election Systems & Software, over hacking fears. The same machines also went haywire and called the wrong winner in a Pennsylvania county judge's race in November. 

ES&S told me by email it would review the study "for insight into how we can assist election officials in ensuring a smooth voting process."

The researchers list several recommendations for how election officials can use BMDs as safely as possible, but the clear lesson is that voting jurisdictions should switch to hand-marked paper ballots if at all possible, Halderman told me. 

“There are strong security reasons to prefer hand-marked paper ballots,” he said. 

The researchers watched 241 people vote on a BMD machine in a simulated election — all of whom had at least one of their votes changed on the printed-out ballot. They found only 40 percent of voters reviewed their ballots at all and only about 7 percent told a poll worker something was wrong. At those rates, it's highly likely that if hackers changed just 1 or 2 percent of votes in a close election, they wouldn't be discovered, they said. 

The researchers also tried several methods to get voters to check their ballots for errors, including posting signs and having poll workers urge them to review the ballots — but none of them improved error detection “to the point that BMDs can be used safely in close or small elections,” the researchers found. 

Congress, however, has steered clear of mandating that states use specific voting equipment, such as machines with paper ballots, or conduct post-election security audits. Lawmakers have appropriated about $900 million for election security since 2016, including $425 million in December, but none of it has come with any of those specific cybersecurity mandates favored by Democrats.

Yet even most Democrats don’t insist that voters should use hand-marked paper ballots rather than BMDs. Only one major bill, sponsored by Sen. Ron Wyden (D-Ore.), would mandate that hand-marked ballots are the default for voters. That bill also includes $250 million to develop secure BMDs for people with disabilities who cannot use hand-marked paper ballots. 

This story has been updated to add comment from ES&S.


PINGED: Vulnerabilities in Chinese social media app TikTok could have allowed hackers to access user account information, such as phone numbers, and to spread videos without users' knowledge or consent, researchers at the cybersecurity firm Check Point revealed in a report out this morning.

The findings come as TikTok deals with growing concerns in Washington that its Chinese ownership poses a threat to the safety of American users' data.

“As long as TikTok remains a Chinese company, and therefore subject to compulsory [Chinese Communist Party] data collection requirements, there will be no end to concerns regarding the safety of the sensitive data it is vacuuming up from millions of Americans,” Sen. Tom Cotton (R-Ark.) said in reaction to the findings.

Several branches of the U.S. military recently banned members from using the app, citing security concerns. And its acquisition by parent company ByteDance faces an ongoing investigation by the Treasury Department.

“There has been lots of speculation as to how safe or unsafe is TikTok,” said Check Point's lead researcher, Oded Vanunu. “We proved that there were, indeed, serious security issues.”

TikTok patched the vulnerability after researchers notified the company in November. The company didn’t find any evidence that hackers had actually exploited the vulnerability, TikTok Security Team researcher Luke Deshotels said in a statement.

PATCHED: Congressional leaders of a commission focused on improving national cybersecurity previewed a bevy of possible recommendations yesterday, including beefing up Pentagon cybersecurity audits and creating a special congressional committee focused on cybersecurity, CyberScoop's Shannon Vavra reports. 

The report, set to be released this spring, will also likely include ideas to boost cybersecurity in the private sector, such as pushing insurance companies to offer better rates for companies that follow stricter cybersecurity reporting guidelines, commission co-chairs Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.) said at an event hosted by the Council on Foreign Relations. 

The bipartisan commission also will probably push for the return of the White House cybersecurity coordinator position, which then-national security adviser John Bolton axed in 2018.

“There is near unanimity on the need to get a focal point in the White House to do oversight of the cyber community,” Gallagher said.

PWNED: The FBI has asked Apple to help it unlock two encrypted iPhones belonging to a gunman who killed three people at a Florida military base last month, Jack Nicas and Katie Benner at the New York Times report. The case could become a new flash point in the years-long dispute between the FBI and the tech industry over special law enforcement access to encrypted data. 

The FBI asked Apple to help it access the devices only after checking with government agencies for another way into them, sources familiar with the investigation told the Times. Apple, meanwhile, said that it had turned over all data in its possession. 

Apple previously refused to help the FBI crack into an encrypted iPhone used by San Bernardino, Calif., shooter Syed Farook in 2015, sparking a lengthy legal battle. The new request comes as law enforcement officials are pushing lawmakers to reconsider mandating police access to encryption -- and making Apple a prime target.

Apple’s top global privacy official Jane Horvath defended Apple's position during a panel discussion at the Consumer Electronics Show in Las Vegas yesterday, saying granting police special access to encryption would not make Americans safer, CNBC reported.


— The nonprofit group MITRE, which runs numerous federal research programs, released a game plan yesterday for how energy plants, transportation hubs and other critical infrastructure can protect themselves against cyberattacks. Check it out here.

— The Aspen Tech Policy Hub is partnering with another nonprofit, the Cybercrime Support Network, to develop an online tool that will make it easier for victims to report online fraud to state, local and federal law enforcement. CSN, which has received $1 million in funding from the Department of Homeland Security, will build off a prototype reporting tool developed by Aspen Tech Policy fellows this summer. They say the tool will be easier to use for elderly people who are often victims of online scams. 

— More cybersecurity news from the public sector:

Senators set for briefing on cyber threats from Iran (The Hill)

Iran courted US security expert for years, seeking industrial hacking training (Ars Technica)

Iranian Hackers Claim Defacement of Texas Government and Alabama Veterans Websites (Vice)

Veterans group says Trump administration ignoring Russian disinformation targeting troops, vets


— Cybersecurity news from the private sector:

Tech Giants Defend Privacy Efforts, Promise Improvements (The Wall Street Journal)

Google Project Zero shifts to full 90-day disclosures to improve patch uptake (ZDNet)

New Tactics Punch Holes in Big Tech’s Ad-Fraud Defenses (The Wall Street Journal)


— Cybersecurity news from abroad:

Forex firm Travelex says ransomware behind last week's cyberattack (Reuters)


Coming up:

  • The Committee on House Administration will hold a hearing entitled “2020 Election Security - Perspectives from Voting System Vendors and Experts” at 10 a.m. on Thursday.
  • The U.S. Election Assistance Commission (EAC) will host an all-day summit on Jan. 14 addressing preparations for the 2020 elections at the National Press Club.