The Hacker Mind Podcast: Hacking Voting Systems
While digital voting systems are more secure today, what about the larger ecosystem, starting from the moment you register until your vote is counted? Who’s keeping those systems secure?
In this episode of The Hacker Mind, Dr. Jared DeMott of VDA Labs talks about his work securing voter registration tablets and also about the prospects for downloadable, safe voting applications on your preferred mobile device in the future.
Listen to EP 08: Hacking Voting Systems
Vamosi: Back in 2007 the California Secretary of State, Debra Bowen, did the unthinkable: she decertified all the digital voting systems in the state. That meant, no one could use any of the digital systems until they had all been pen tested. In 2010, she was interviewed by O'Reilly Media.
Bowen: After commissioning a top-to-bottom review of the voting systems that we use in California and having programmers and security experts from around the country, private and public sector, look at what we had and what we were doing it became very clear that we have a lot of software that did not [and] was not coded with security in mind just wasn't there and that a lot of the security is based on a concept called security by obscurity, which means that as long as the code is secret or the key is kept secret that the system is secure.
Vamosi: Bowen’s public inquiry revealed findings of multiple buffer overflows, software updates without authentication, and inadequate randomization of the ballots so that valid secrecy can be compromised -- among other vulnerabilities. Clearly having individual vendors provide the security wasn’t working, so the state moved toward adopting open source software. It also lead to even more testing of election system devices in other states. One of the premiere security researchers that Bowen invited to California was J. Alex Halderman, a professor who was then with the University of Michigan. He went on to review other voting systems, such as a new one being developed in the nation’s capital.
Halderman: In 2010, Washington D.C. held a pilot of a new Internet voting system. They invited us and other members of the public to try to hack it. Within 48 hours at the start of the test, we had complete control over their voting servers and were able to change all the votes. We even rigged the system to play the Michigan Fight Song every time somebody voted. And as a result, Washington D.C. decided not to use it in its upcoming election.
Vamosi: So, open source software and more testing. These might begin to solve problems with individual voting machines, but what about the larger problem? I’m talking about the totality of the voting system. The confidentiality, integrity, and availability of it all -- you know, the classic CIA triad in infosec. In 2016, Logan Lamb, a former Oak Ridge National Laboratory researcher, found over 6 million voter registration files exposed on a state-sponsored server at Kennesaw State college in Georgia. He responsibly reported this to the Georgia Secretary of State, but the issue wasn’t really addressed until after the 2016 election. And Lamb later found evidence that the election-related files he found were all deleted from the server on March 2, 2017. Very strange, right? That didn’t keep him quiet. Here’s Lamb on Samatha Bee’s Full Frontal talking about his findings.
Lamb: All of the voting machines in the state of Georgia are managed by a search for election systems at Kennesaw State. I did a quick little Google search and I ran across a really weird link. At that point I wrote a little bit of code to download everything that I could from that website. There were PDFs of Election Day passwords that supervisors use to start in elections.
Bee: Can you tell me what the password was?
Lamb: A four digit PIN
Bee: I have to put in 16 letters and digits to get into my FreshDirect account. Are you kidding me?
Lamb: But it gets worse.
Lamb: There were voter registration databases, which had full names, date of births, addresses, so hacker could login to online voter registration and change people's information. Changing the registration for citizens so they are unable to vote, that's probably the worst case scenario.
Vamosi: It turns out, Georgia wasn’t alone. More individual states’ voting systems were exposed and also addressable from the internet. In the summer of 2018 during Rootz, a program to teach kids hacking during the annual DEF CON conference in Las Vegas, Nevada, an eleven-year-old hacker exploited an online imitation of the State of Florida’s Election Site in a matter of minutes. And he wasn’t alone.
Narrator: In Las Vegas, land of luck and legend, a bunch of hackers rolled the dice to see if they could expose weaknesses in our elections. And they did. Some while playing a winning hand, a hand with yellow fingernails, cartoons, and stuffed animals. "I am 11 years old, I'm 11 years old seven years old, 11 years old" These kids managed to manipulate replicas of election night results pages in key battleground states from 2016, pages built organizers say using actual vulnerabilities previously reported.
Vamosi: So, finding registration files and election systems exposed online, this, this after a decade of warnings from security experts, from hackers and state governments warning -- where does that leave us today? Fortunately, we are in a much better place today, yes. Unfortunately, there’s still a lot of gaps. For example, by only focusing on the machine that captures your vote -- that’s only a part of the picture. Remember the six million voter records from Georgia just hanging out there on the internet? Or the imitation websites that the kids from DEF CON were able to get into? There’s a much wider voting ecosystem that really starts the moment you first register to vote and continues well after you leave the polling booth. What happens if any of that information gets compromised? And who is responsible for protecting that?
Welcome to The Hacker Mind, an original podcast from ForAllSecure. It's about challenging our expectations about the people who hack for a living.
I’m Robert Vamosi and in this episode I’m here to tell you to vote -- you definitely should vote -- but also I do want to explore the many levels of complexities involved in securing that right, how we need to think beyond just securing the ballot box, and how we may yet come to have digital voting in the future.
Bowen: We could create a digital voting system, if we were willing to spend enough money to do it. When I look at nuclear submarines and the software that runs them, it has to be zero defect, because lives are at risk. But the cost is phenomenal and each line of code gets signed off by three different people, that it takes a very long time so it's not very flexible.
Vamosi: Secretary Bowen is addressing an oft asked question: If elections are so critical, why don’t state governments simply invest in a full-blown digital voting system? Among the many reasons, money, and with state budgets tight, she suggested back in 2010 that such an expense could be better spent to secure more of the voting process.
Bowen: I always wonder whether there are other things we should be focusing on first, I'd rather see us focus on a voter registration system that has information goes from the Department of Motor Vehicles, or wherever the first time a citizen has contact with the government, then that information goes into the voter registration database. If they're not yet 18 then registered automatically at 18.
Vamosi: Voter registration, which, if you think about it, is just as critical. From the moment you register up through and beyond when you actually cast your ballot -- that all has to be secure.
DeMott: It's more difficult than one might think in terms of what are we trying to defend. We're trying to defend democracy at large right? The whole process needs to be defended to be sure that someone can't unduly alter the outcome of election.
Vamosi: This is Dr. Jared DeMott. His company, VDALabs, a pen testing service, has looked at tablet based voter registration systems. To do so, they had to consider the threat model and what might be included.
DeMott: Yeah, there are threat models that are appropriate, so when you think about what those might be, you think about the technical controls. And then there's obviously the other types of controls, policy, anti tampering, you know, all of those kinds of things that go into the whole of the election that aren't just technical in nature. So in terms of technical controls, you'd have things like following best practices. Don't make it easy for the attackers, be sure that you've hardened and all of those kinds of things.
Vamosi: So, technical controls. This includes best practices. You want to make sure the devices used are hardened, they don’t have unnecessary outside access, that they are kept up-to-date with their software, firmware, etc. But there’s more. I’m thinking right off the top that PII would be a major concern. There’s a fair amount of personal information collected when registering to vote. Name. Address. A driver’s licence.
DeMott: You know, that's certainly part of it, although I think, we always think about yourself but we thought about this whole thing from an end to end process, right? Because if, for example, you could check in but then remove that you had checked in from that device and come and vote again. I mean there's a lot of problems associated with anything across this whole experience. From the voting system, as far as, you know, voter anonymity and the correctness and you know, did your vote make it in, did it get counted, did you check in right, how many people voted, that that whole process. It's a part of that entire workflow.
Vamosi: Let’s drill down on that workflow a bit. On the one hand, the process, as a whole, is much more complicated. At the polls, you have to verify that the person is eligible to vote, but on the other hand, you have to make sure that the vote itself is anonymous. So you somehow have to know and not know who the voter is at the same time.
DeMott: It's interesting because it's a fairly simple thing right? You just want to go in, cast your vote, make sure it counted, make sure it didn't get changed, and make sure that your anonymity is retained throughout that process. So like in theory, it doesn't seem like it should be rocket science but in reality because of the distributed nature and all of the different pieces of that, the decentralization of different counties, collecting votes in different ways and the size and the scope of a national election for example.
Vamosi: Right. So Logan Lamb found that someone could potentially alter someone’s registration data so that they couldn’t vote, and the kids at DEFCON’s Rootz found that they could potentially go online and influence individual states’ election results using common cross-site scripting attacks. There’s layers and layers to the voting process itself.
DeMott: The whole thing is is complicated, right? So if you're talking about electronic voting system, even with just the check in tablet or the actual voting app itself, whether it's a mobile app or if it's a paper system or whatever it might be. Somehow you have to be able to verify who people are in the same way that if you're familiar with public key cryptography, the idea behind how PKI works is not super complicated, but the getting and distributing and revoking keys and, you know, verifying who someone is to have a key. And it's that process that's sort of similarly complicated.
Vamosi: PKI, or Public Key Infrastructure, works with two keys: a public key, which may be available on a website, and a private key, which is known only between a client and a server, and unless those two keys match, there’s no encryption or decryption. It’s the basis for a lot of our internet transactions, it underpins our e-commerce, and yet it is not always included in our voting systems. That secures the integrity of the system -- that the data isn’t altered. What about confidentiality?
DeMott: There's problems more than just in the technical. Again, there's problems all across that decentralized nature of verifying somebody's image on a registered driver's license credential, or whatever it may be, but in terms of their technical controls, to get into that, we could talk about that a little bit in terms of these platforms right? So whether it's a voter checking thing on a tablet, like let's say it's a Windows 10 Surface or it's the actual voting app, maybe that's on your mobile phone. There's lots of different ways, maybe it's an old paper counter. There's lots of different ways any of this could be done. But in terms of just one system, there's the actual operating system security of platform security itself. Does the operating system opt in to best practices as laid out by a number of standards? You can go and look at like, do they use BitLocker? TPM? Like, what if that voter registration tablet was lost? Does that mean somebody can just open it up and get access to all the voters in that district? There's all these sort of physical device and platform security concerns, and then there's at least a number of other concerns.
Vamosi: So, we can talk a lot about securing the software, but what if it’s running on an insecure operating system? That’s security 101. That still creates at least the possibility of some form of compromise. BitLocker and Trusted Platform Modules (TPMs) are industry attempts to keep the software code on a device secure. But what if the device leaks the data in other ways? What if it uses Bluetooth or WiFi to share its data with a central election server, how’s that secure?
DeMott: There's the network concerns, which you alluded to when you just mentioned WiFi. Things like network encryption, certificate pinning - is this device domain joined or not? There's lots of different things. On the network side, we can audit from a security, Red Team auditing type perspective. And then thirdly, there's the app sec portion and the actual app that's created. Does it have some of the well known OWASP top 10 vulnerabilities? How are credentials handled? Account security is a big thing, like the poll worker has one set of credentials on a check in device where the district admin or a technician account, there's different accounts for different types of people that may need to be part of that whole process.
Vamosi: So in addition to authenticating the registered voter at the polls, there’s the authentication of individual poll workers. There’s someone who logs in to use the device, and there’s the admin who supercedes that access. There are thousands of polls sites, and all those access controls have to be unique and secure.
DeMott: There's so many different things that we could go through in terms of best practices around the platform, but certainly keeping the device up to date, keeping the application up to date. How are those credentials handed out? Like hopefully, it's not just hard coded, like every poll worker in the nation would get the same set of creds or that whole distribution is a whole process in and of itself.
Vamosi: Complicating things is this concept of individual mobile apps-- these are personal voting apps that don’t require you to physically go to the polls that you could potentially download from the AppStore and then run on your mobile device. How might that work?
DeMott: If somebody is gonna download this voting app on their phone and they're going to say, "Okay, I'm Frank Smith," how did they do that? They just take a picture of a license or they take a selfie of themselves, or how does that actually work? How do we verify and how do we make sure that individual, if it really is them, is going to be privately protected as they cast their vote and they can't vote more than once and there's some way to in a safe way go back and retroactively verifying how they voted if there's a need to promote fraud prevention. So that whole process is sort of a little outside the normal scope of normal cybersecurity, when we think about just application hacking and platform, you know, operating system hacking and network hacking, and all those things are well understood. But there's a level of process on top of this. That's, you know, a process of processes.
Vamosi: So, has anyone done a decent investigation of these digital apps?
Demott: Yeah, I mean, the best example of that is the research done by MIT and Trail of Bits as they looked at the Voatz system. That research was well done and demonstrates the types of vulnerabilities that can exist against the voting application, as well as highlights some of the things that the voting system is using. Things like newer technologies like botching as well as biometrics. Not that biometrics is newer, but it's still really not broadly used in the security field because of any concerns that people do have.
Vamosi: Voatz Mobile Voting systems is just one example, and it is kind of an all-in-one voting system. Here’s how Lit News described the system in 2018.
Lit News: In order to register to vote, you have to take a picture of your government issued ID, and then upload that along with a video style selfie of your face. Then Voatz's software, their facial recognition software, will then match the identification and then give you a token to allow you to vote. It will then anonymize your vote as it assigns that token to the person that you voted for. Those tokens are then stored on an internal database. They're calling it a blockchain. I think it's an effort to gain attention. It's not a true blockchain. A blockchain being a distributed ledger, where not one particular party owns the system. In this case Voatz owns the entire system. It's a single user blockchain, whatever you want to call it, an internal database
Vamosi: Okay, so photograph your driver’s license, take a selfie, and then it uses a token to capture and transmit your vote using an internal blockchain or database. That all sounded good enough for the Secretary of State in West Virginia to try it out in the 2018 elections. A local West Virginia TV station had this to say.
Narrator: Researchers at the Massachusetts Institute of Technology, better known as MIT, say they have found security vulnerabilities with a cell phone voting app called Voatz. This is the app used in West Virginia that allowed overseas military personnel to vote on the 2018 election. The Mountain State was the first in the nation to offer this ballot casting option. Now, however, the MIT researchers say quote, we find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user's vote and can potentially recover a user's secret ballot. The MIT report says votes could be changed or even erased.
Vamosi: Fortunately, the worst case scenario didn’t happen. The West Virginia Secretary of State, Mack Warner, told the local TV station that no votes were changed in an audit of the system.
Warner: Absolutely in everything matched in the 2018 election, both in the primary and in the general. There were no hacks or no changes of votes or anything like that so I'm very confident in the system. But there are other systems out there as well.
Vamosi: What happened in West Virginia does remind us that elections in the United States are dependent on a massively distributed systems. Each state and territory in the US gets to choose how they handle the election process, and not all of these get updated once they're in the field. J. Alex Halderman again:
Halderman: There have been independent studies, many, many different kinds of US voting machines. In every single case, the reviews concluded that there were vulnerabilities that could be used by attackers to spread malicious code into the machines, often via the removable media and compromise votes. So the fact is across the US, something like 41 states use election equipment that's more than 20 years old. Some states still use voting machines that were designed in the 1980s. These machines are often not receiving security updates, they're often not benefiting from the latest technologies and the only safe assumption is that all of them have exploitable vulnerabilities. And is that all of them have exploitable vulnerabilities.
Vamosi: That speaks to management. How do you successfully manage what you have. But there’s another problem: How do you successfully roll out a new digital voting system across, say, all 254 counties in Texas?
DeMott: So we see kind of a hybrid system, although, you know, appearing and approaching over time, which is probably what I would say is likely to continue to happen over the next number of elections. Where you have kind of a staged rollout where there's some counties are still may be using older technologies, some are opting into newer technologies, there's probably going to be hybrid model of different technologies going on for major elections is probably my guess on that. Because of this need to continuously audit, to your point.
Vamosi: All the while the security landscape keeps changing. I mean, think about all the updates you get on your laptop and your mobile device. If you’re not good at updating your device or your app, then can you really trust that app with your vote?
DeMott: Well, yeah, so voting apps like any other digital app or system, again, as you say, it's always new threats coming out. There's new technologies coming out. There's new ways of doing things. So yes, these apps do suffer from the same types of vulnerabilities that any other app or the system would suffer from. And that could be things like you said, like unpatched platforms where somebody could get on a device, or maybe even supply chain concerns where the vendor is hacked and there's malware preloaded on these devices. Or an app has a different type of vulnerability where, you know, a vote can be shown to you, you can figure out who made what vote or change your vote. I mean, there's all kinds of different things that could happen, that need to be continuously audited.
Vamosi: So that gets us back to what Secretary of State Debra Bowen suggested at the top of the episode. Does moving to open source make sense? Does it reduce the attack surface?
DeMott: Yeah, that's a great question. And it's really a question of the ages that across other industries as well, not just in voting where we we sort of wonder about that same thing. You know, should commercial companies be open sourcing things? Would that make them more secure? And I would say there's kind of mixed reviews and results on that. I don't know that we've seen, you know, for example, there were well known published bugs like Heartbleed, that were in open source systems that didn't get caught right away. And so open sourcing doesn't necessarily make something totally more secure compared to commercial. Companies maybe would argue they have a right to keep their intellectual property secret and safe. But for a system like voting, I think it probably makes more sense than other industries to, if not open source, have more public scrutiny around the whole process so that the whole, you know, process of voting can have more rigor than perhaps, you know, normal gaming app or something like that. Your voting app should certainly be created with a much higher level of integrity considering the threat model of nation state actors that would have, you know, been showing interest in tampering elections. Certainly there is a higher level of risk compared to any other type of normal app.
Vamosi: Bowen is also on record saying that gaming systems in Nevada are more rigorously tested and validated than most voting systems in the United States. The difference? Money. Casinos don’t want to be scammed so the gaming commission is constantly auditing systems. But don’t we want free and fair elections? Shouldn’t we be constantly auditing these voting systems, and not just in election years?
DeMott: it's still such a bleeding edge field that yeah, there's going to be a continuing need to audit the system because they could have any of the regular software security vulnerabilities. They could have any other you know, platform vulnerabilities. You know, if somebody can pop your phone or your pop up, meaning exploit your box, or your Windows 10, tablet or your phone, whatever it is, your iPad, whatever the system may be working on, could they get in and look at your vote or change your vote or cast the party? All of those kinds of concerns are going to be ongoing concerns and it's again, it's not to say that we have to get it perfect. I don't think that any security practitioner ever has that expectation or a system would be 100% bulletproof but at least knowing what the threat model is, get rid of all the current vulnerabilities, make sure they opt into all of the best practices from a platform perspective, making sure that everything that can be done is being done sort of the trust and then verify making sure that we are verifying what's going on in real time, making sure that we do have whether it's paper backups, or some type of way to audit the system in an ongoing real time as well as retroactive to be sure that if there is some suspicion about fraud, we can see what happened.
Vamosi: Another complication. Apart from the technology, there’s the policy. Perhaps that might be as critical as the technical controls. I mean, what is the Nirvana state we’re looking for in an election system? Ideally, how should we be voting?
DeMott: Yeah, so that's kind of in the policy realm, right? Right. First figure out what's the ideal voting system look like? And then try to figure out how do we work toward that? Right? So we have certain goals about what is the perfect system? It's easy to use, it's accurate, it's resistant to damage, because it's tampering, there's fraud. If not fraud prevention, at least, you know, fraud reduction to an acceptable level, you know, kind of figure out what's what's ideal, and what can we work with, and then kind of work backwards from that to figure out what should the policies be, if we have, you know, counties and states, you know, and other types of areas that maybe aren't using a practice that's considered best practice anymore for voting. I think there's, you know, likely to be some level of disagreement around folks, as far as what that should be for this current, you know, for the 2020 presidential election, I think, you know, more of this sort of paper based and that type of voting is probably a little bit more appropriate because these systems have not really been totally proved out yet. I don't think they've had a sufficient level of rollout and testing us to really be a fully digital fully voting situation yet, but it's, you know, we could get there, we could, it's just going to take a little bit of work as it always does.
Vamosi: So there’s the hanging chad problem of paper ballots used in the 2000 Presidential Election in Florida and then there’s the possibility of a nation states remotely changing votes electronically in 2016. In 2020, we’re stuck in the middle of these two extremes right now. We’ll need to find a way forward for this to work.
DeMott: There's challenges either way, right with, you know, showing up personally maybe and having a paper record that type of thing. You know, or even if there's a paper record with a mail-in and maybe that's not a perfect process, if somebody could forge a license. So you get to this question where, you know, what's really the best practice and what's an acceptable level of reliability in the system to make sure an election wasn't unduly changed? So it's interesting. I'll say this about cybersecurity. We can demonstrate provably with an exploit if a system is insecure, but we can never truly prove that a system is secure because we can't find or think of a way to currently exploit something. And that's not even the case.
Vamosi: I do think we will have an electronic means of voting, and it might be as simple as downloading an official app onto our mobile device. We’ll even come to think of it as being normal -- some day. For now, at least, we’re starting to ask the right questions around confidentiality, integrity and availability -- and that’s great. We’re already seeing improvements in the methods we have available -- and that’s very important. But when will voting systems be secure enough? I don’t think anyone knows for sure. However, I do keep thinking of that famous infosec quote from Futurama, season 4, episode 8: “When you do things right, people won't be sure you've done anything at all.”
For The Hacker Mind, I’m “less Bender and more Fry” Robert Vamosi.