Experts say 30 state voting systems are hackable
LAS VEGAS — Top computer researchers gave a startling presentation recently about how to intercept and switch votes on emailed ballots, but officials in the 30 or so states said the ease with which votes could be changed wouldn’t alter their plans to continue offering electronic voting in some fashion.
Two states — Washington and Alaska — have ended their statewide online voting systems.
The developments, amid mounting fears that Russians or others will try to hack the 2018 midterm elections, could heighten pressure on officials on other U.S. states to reconsider their commitment to online voting despite repeated admonitions from cybersecurity experts.
But a McClatchy survey of election officials in states that permit military and overseas voters to send in ballots by email or fax — including Alabama, Kansas, Missouri, North Carolina, South Carolina and Texas — produced no immediate signs that any will budge on the issue. Some chief election officers are handcuffed from making changes, even in the name of security, by state laws permitting email and fax voting.
At the world’s largest and longestrunning hacker convention, two researchers from a Portland, Ore., nonpartisan group that studies election security showed how, in about two hours, they could set up a sham server and program it to intercept and alter ballots attached to emails.
“Ballots sent over email are not secure,” said Lyell Read, one of the researchers from the group Free & Fair. “As long as people have a chance to vote another way, that’s probably a good decision.”
Read and Daniel M. Zimmerman, who earned credentials as a computer scientist at CalTech, said the hacking at the annual DefCon conference in Las Vegas required nothing more than commonly available programming tools.
Read said he set up an “impostor server” to mimic a real one that would normally route emails containing attached ballots. On the rogue server, he inserted 30 or so lines of computer code, known as Bash shell script, to alter voters’ choices on ballots attached to emails in transit and to replace them with Read’s preferred candidates.
Among those attending the conference were more than 20 officials from the U.S. Department of Homeland Security. Several of them observed the email vote switcheroo, said a department official who spoke on condition of anonymity.
DHS officials have stepped up their consultations with states about election security since Russian operatives hacked a voting vendor in 2016 and tried through so-called spearphishing attacks to penetrate 21 state voter registration systems, succeeding only in Illinois. The agency rarely discusses its advice to state and local officials, whom the Constitution gives nearly total authority over the nation’s elections.
However, at an election security conference in Washington in March 2016, DHS cybersecurity official Neil Jenkins said the agency believes online voting “introduces great risk into the election system” at any level of government, providing “an avenue for malicious actors to manipulate the voting results.”