The Atlanta Journal-Constitution
Expert hacks into voting machines
Professor warns state as he demonstrates how votes could be changed.
A rapt audience watched as professor Alex Halderman, an expert on electronic voting machines, changed votes in a hypothetical election before their eyes.
At a Georgia Tech demonstration this week, Halderman showed how to rig an election by infecting voting machines with malware that guaranteed a chosen candidate would always win.
Four people from the audience voted on the same kind of touch-screen machines used in real Georgia elections, casting ballots for either President George Washington or Benedict Arnold, the Revolutionary War general who defected to the British. Despite a 2-2 split in this election test run, the vot- ing machine’s results showed Arnold won 3-1.
Halderman’s hack is a warning to Georgia, one of five states that rely entirely on electronic voting machines without an indepen-
dent paper backup.
“Voting is not as safe as it needs to be,” Halderman, a computer science professor at the University of Michigan, said Monday. “The safest technology is to have voters vote on a piece of paper.”
The upcoming May 22 primary elections will continue to use these touch-screen machines, but state legislators are considering switching to a voting system with a paper record for accuracy, possibly in time for the 2020 presidential election.
There’s no evidence that Georgia’s election systems have been tampered with. But Halderman said it’s only a matter of time before foreign countries such as China, Iran, North Korea or Russia try to undermine elections by penetrating voting infrastructure in the United States.
Russian hackers already attempted to interfere with the 2016 presidential campaign by targeting election systems in 21 states, the U.S. Department of Home- land Security said in August 2016. Georgia wasn’t one of those states. In addition, 13 Russians were charged this year on allegations they tried to influence the election through social media propaganda.
For Halderman’s demonstration, he wrote a program to alter the results of elections recorded by Accu- Vote touch-screen voting machines. He installed that program on a rectangular memory card that fits into the side of the machine, allowing the card to infect the machine.
If a hacker penetrated the state’s computer servers, a similar malicious program could be copied to memory cards used for each of the 27,000 voting machines across the state, Halderman said. No one would ever know the results had been changed if the hacker wrote the program to erase itself after the election. woman tary said are regulations Candice addressed Halderman’s of State for Broce, and Georgia Brian by security state concerns a spokes- Kemp, Secre- pro- law, cedures. tems and internet. aren’t use State data connected election encryption to sys- the said. physical “We “There are safeguards prepared,” are logical in Broce place and for system. each aspect Halderman of the would voting be outcome unable in to Georgia’s replicate cur- this rent She security didn’t provide environment.” details about Georgia’s security practices, but Halderman said hackers could find a way. He said hackers could infect election computers by first gaining access to a state employee’s computer, possibly by tricking him or her into clicking on a danger- ous link in an email. Once the malware is on one machine, it could reach central elec- tion systems through inter- nal networks, USB devices or memory cards. Election computers could also be subverted in person, by someone like a janitor or a temporary worker, Halderman said. Individual voting machines could be tampered with if someone unlocked the latch that protects the memory card port.
State Rep. Scot Turner said Georgia’s elected officials should get rid of the state’s electronic voting machines as responsibly and as quickly as possible.
“When you see a machine flip votes, you have to admit things are vulnerable,” Turner, a Republican from Holly Springs, said after watching Halderman’s demonstration. “It might take a wide-scale effort to do what he did on a statewide basis, but it can be done. We owe it to the voters to make sure it’s not.”
More than 70 percent of U.S. voters use paper ballots, usually by filling in bubbles next to a candidate’s name and then inserting ballots into a tabulation machine.
Some jurisdictions use touch-screen machines to print ballots before they’re scanned for tabulation.
A bill that would have replaced Georgia’s electronic voting machines with a paper-backed system failed to pass this year amid disagreements over which election technology to use. A pri- marily paper-based system would cost $35 million or more, while a touch screen-and-paper system could cost well over $100 million.
Any technology can be hacked, but hand-marked paper ballots provide a way to recount and audit elec- tions to ensure they delivered fair results, said Halderman, a member of the board of directors for Verified Voting, a Philadelphia-based organization whose mission is to safeguard elections.
“We have to move to a dif- ferent way of doing things so in case anything happens, we can recover. That’s what a voter-marked paper ballot does,” said Marian Schnei- der, the president of Veri- fied Voting.
Georgia’s election system had a security lapse in the recent past, when a researcher discovered that Kennesaw State University’s Center for Election Systems had exposed the personal information of 6.7 million Georgia voters online.
The breach, which was closed in March 2017, resulted in the state ending its nearly $800,000 annual contract with KSU and bring- ing elections administration work in-house to the Secretary of State’s Office.
Technology experts had previously exposed security vulnerabilities in electronic voting machines in July during the DefCon computer hacking conference in Las Vegas.
Unlike Halderman’s work, the groups at DefCon weren’t trying to change votes. They focused on finding potential weaknesses in voting systems.
Halderman took the hacks a step further. He wrote the malware program and installed it on the memory card and touch-screen voting machine.
“Every vote in the state is potentially at risk,” Halderman said. “Usually, each voting machine will get its own individual memory card, but it all comes from the same source. If that computer is infected with malicious software, it could spread across the state.”