LAS VEGAS — Before the hacker touched a single key on the electronic voting booth, he already had three or four ideas in mind for how he could manipulate the results.
“Just based on the fact that many of these voting machines have been around for years, just based on that I could tell you old vulnerabilities that exist in the system,” Tim Monroe told BuzzFeed News. Monroe, 26, is an independent cybersecurity consultant based in Boston, who says that calling himself a hacker sounds a lot better than his actual title. “Elections are full of opportunities for hackers, and those opportunities just keep getting better as more systems go online. I look at this machine and think, 'here’s a thing to play with and take apart.'”
Monroe wasn't looking at a machine in a polling station somewhere in the United States, but one set up at Black Hat, an annual conference for the world’s foremost cybersecurity companies to show off their research and remind each other just how vulnerable all online systems are. This year, as an alleged Russian hack infiltrating the emails of top Democratic Party officials dominated news coverage in the weeks ahead of the conference, the question of hackers meddling in the upcoming US election was a constant source of speculation.
In that spirit, one of the participating companies, Symantec, set up a fully-functioning voting station and encouraged attendees to have at it. As if this election season hadn’t already thrown enough curveballs, the cybersecurity experts want the public to know just how vulnerable electronic voting systems are to hackers.
“People got a taste of it last month, with the Wikileaks emails and all those people saying Russia was trying to mess with our elections,” said Monroe. “But if people knew how easy it was, how really easy, to mess with elections they would be really scared.”
Intercepting electronic ballots, either during or after an election, or more wide-scale meddling in the national voting system has long been a concern. In the 2016 elections, there will be more than 9,000 jurisdictions that collect and tally votes electronically throughout the U.S., and each jurisdiction has its own standards and best practices guidelines for how those electronic systems should be secured.
While some officials, including Homeland Security Secretary Jeh Johnson, have suggested that the entire election process should be classified as “critical infrastructure,” a status that would give the Department of Homeland Security the ability to secure the system against cyber attacks, others argue that the slow pace of government would mean that critical changes needed to secure electronic voting systems could take months, if not years, to be implemented.
Brian Varner, a researcher for Symantec's cybersecurity firm, bought the parts for the electronic voting system under assault at Black Hat from previously used systems he found on eBay. When asked why a system from the 2012 or 2008 elections would currently be on sale to the highest bidder, Varner shrugged and smiled: “Government excess.”
He wiped the machines (but not before he found old voter data on some of them), and re-assembled them to create a system that closely resembles the electronic voting stations found across the United States.
With access to a "smart card" — a card with a chip embedded storing data — like the ones used in electronic voting booths across the US, a hacker could try and tamper with the chip or just duplicate the card to create multiple identities. The system itself could also potentially be breached during the vote, to boost numbers for a particular candidate, or after, when a hacker could try to intercept the final results and alter numbers before they get reported back into the system.
Thomas Hicks, chair of the Election Assistance Commission (EAC), on Friday issued a statement seeking to assuage worries about the security of voting systems. Hicks said that electronic voting systems "have been vigorously tested against security standards," adding that "voting systems certified by the EAC are not connected to the Internet."
“If it were up to me, I would remove every single electronic voting machine in America,” said one CEO of a major cybersecurity company. He spoke to BuzzFeed news on the condition of anonymity, as he preferred not to be identified by his company's government clients. “We work from everyone, from the government to the military, and I tell them all the time, if I was a betting man, I would bet on someone messing with these elections.”
Whether these elections are tampered with or not, he added, the vulnerability of the US voting system to hackers will wreak havoc.
“Let’s say Trump wins, well... a lot of people will be wondering if some hackers, maybe from Mother Russia, didn’t help him. Let’s say Hilary wins, well… Trump has already said these elections are going to be rigged,” said the CEO. “Either way, I’m saying we have a mess on our hands in November.”
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.