December 4, 2016

The problem with E-voting machines

Electronic Frontier Foundation - Voting machines, especially those that have digital components, are intrinsically susceptible to being hacked. The main protection against hacking is for voting machines to provide an auditable paper trail. However, if that paper trail is never audited, it's useless.

EFF worked hard, alongside many others, to ensure that paper trails were available in many places across the nation. While there are still places without them, we have made great strides. Yet this election was a forceful reminder of how vulnerable all computer systems are.

There is precedent for hackers attempting to influence elections by tampering with voting infrastructure: Ukraine's 2014 election came under attack from pro-Russian hackers, and this spring Bloomberg reported on how a team of hackers targeted elections throughout Latin America. There was also plenty of hacking related to the 2016 US election, with two separate major dumps of political emails and several reports of attempted attacks on election systems. These attacks tell us that hacking groups, some of whom may be nation states, were particularly interested in affecting this election's outcome.

Most e-voting machines are not connected to the Internet, but disconnection isn't a sufficient defense against hacking. Malware can be engineered to cross a so-called air gap by riding on removable storage media like thumb drives and SD cards. The Stuxnet worm is a remarkable example of this in action. It was designed to infect internet-connected workstations and then copy itself over whenever a thumb drive was plugged into those workstations. Once an infected thumb drive was plugged into an air-gapped system, the worm would install itself and begin its work. The voting machines used in America are updated using removable storage that is at some point plugged into a regular computer in a government office. Hackers need only compromise that computer, and they can use that toehold to copy a Stuxnet-like worm onto all removable storage that comes into contact with it and matches a certain profile. Once plugged into a voting machine, that worm could alter the machine's software to subtly change the vote. A particularly well-written worm would automatically reverse those changes after the election to cover its tracks.

There's a defense against the possibility of hacked voting machines: good, old-fashioned paper.  But, like a seat belt, these paper records only work if you use them. Currently, U.S. states need far more buckling up.

Counting the paper ballots isn't just good for increasing voter confidence in this year's election, it's good electoral hygiene and a basic safety measure. We hope that audits this year can serve as a guiding example for states to improve their election systems for future years: by replacing paperless voting machines with optical scan systems and adopting inexpensive risk-limiting audits as a routine matter.

No comments: