Election Security: Electronic and Online Voting

The Demystifying Tech Podcast invited me back as a guest, and during the conversation the security of elections was discussed. It was given only a few minutes between other items, which is a real shame, so I thought I’d expand on some of the points I made here and give a little bit of an introduction to the prior art of election hacking.

Hacking an Election

Firstly, the important thing to raise for those who haven’t looked into election hacking previously is that the range of potential attacks may be bigger than you’d expect. People often jump to “Can a foreign nation state change the result of an election?” and that certainly is a risk to consider; however, it’s not the only type of attack.

For example, an attacker may try to cause distrust in the election result – perhaps by making it obvious that an attack had taken place but not what had been tampered with.

Alternatively, consider data theft – the voting registration system includes personal information about registered voters, which itself could be a target.

Online Voting is Old News

It’s common to think of online voting as a new idea; however, the British Government cancelled plans to use online voting systems… back in 2007, which shows that the idea has been around for quite a long time.

There have also been programs that are considered by many to be successful: Estonia, for example, held online elections back in 2005! So how can they pull it off but other countries can’t? Well, one of the differences between the UK and Estonia is national identity cards (however, that only addresses one small part of operating secure online voting).

The popularity of Estonia’s online voting has also been increasing – it was reported that 80% of Estonians could vote online in the 2005 election, but less than 1% did. In 2019, 43% of votes were cast online.

It’s Happened Before

With all of this talk of hackers potentially being able to hack election systems, how likely is it to ever actually happen? Well, it already has: there was a hugely publicised report about it which you may have heard of – the “Mueller Report”.

“By at least the summer of 2016, GRU officers sought access to state and local computer networks by exploiting known software vulnerabilities on websites of state and local governmental entities. GRU officers, for example, targeted state and local databases of registered voters using a technique known as ‘SQL injection, […]’ In one instance in approximately June 2016, the GRU compromised the computer network of the Illinois State Board of Elections by exploiting a vulnerability in the SBOE’s website. The GRU then gained access to a database containing information on millions of registered Illinois voters, and extracted data related to thousands of U.S. voters before the malicious activity was identified.”
Report On The Investigation Into Russian Interference In The 2016 Presidential Election

So in 2016, the GRU targeted systems using a vulnerability called SQL Injection. In 2015 I wrote an article called “SQL Injection: Basics and Defence”, but I certainly wasn’t the first person to do so – that was likely Rain Forest Puppy, who wrote about it back in 1998.

Electronic Voting and Hacking Voting Machines

The security issues of electronic voting aren’t all centred around online voting systems, though – it’s well established that the electronic voting machines often deployed in polling stations can also be hacked. For example, in September 2017 the hacking conference DefCon published a report titled “Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases, and Infrastructure”.

The report details the vulnerabilities found in several voting machines, such as compromising an AVS WinVote remotely over WiFi using a vulnerability from 2003. Interestingly though, they also managed to extract 650,000 voter records from Shelby County from an ExpressPoll device, which had not been correctly decommissioned.

One key area mentioned in both the Mueller report and the DefCon report is the supply chain risk of these systems, with Mueller mentioning an attacker’s ability to target vendors themselves:

“GRU officers targeted employees of [redacted], a voting technology company that developed software used by numerous U.S. counties to manage voter rolls, and installed malware on the company network.” — Report On The Investigation Into Russian Interference In The 2016 Presidential Election

The DefCon report, meanwhile, mentioned the problem of much of the hardware being “foreign-made”, posing a risk to election security, and specifically pointed out that some of the hardware was developed in China.

Bug Bounties and Online Election Hacking

In February of 2019, the Swiss Government announced that it will allow a “public intrusion test” of its future online voting system, offering a bug bounty style rewards program for people who disclose vulnerabilities, with payouts as high as $50,000.

As part of the test, the source code was made available to participants only; however, it was leaked to the wider internet. The source code was analysed by many people online and that analysis didn’t look so good. Other issues were raised too, such as how analysis of these systems is often restricted (for example by being placed under a non-disclosure agreement), preventing researchers from publishing their findings openly.

In the case of the Swiss system, however, the source code being leaked meant many researchers did talk publicly about their findings, which caused backlash from Scytl on February 22nd as information about vulnerabilities came to light.

“These criticisms are mainly based on misunderstandings related to the cryptographic mechanisms, which have already been clarified and solved in the official repository. The cryptographic protocols and mechanisms implemented in the code are very advanced and not commonly found in other software. This may make the analysis more complex for some of the individuals evaluating and posting public comments, who, in turn, foster misunderstandings and may generate confusions.”

However, by March 12, another statement was released:

“We are thankful to those researchers who helped us identify this issue and support us in building the future of secure online voting.”

Many issues were found, including key issues that could allow an attacker to alter votes and bypass the verification.

The Benefits of Online Voting

There are upsides to online voting systems, however. Matt Blaze pointed out an interesting case for New Jersey where, due to Hurricane Sandy, many displaced citizens may have struggled to cast their votes at their normal polling station. One potential response to this was to allow email voting. This was laid out in a Directive titled “Directive Regarding Email Voting and Mail-in Ballots for Displaced Voters”, which set out a method for allowing voting via email or fax to ensure the election could take place. To be clear, Matt highlighted many challenges with this potential approach, such as the insecure nature of email, the difficulty of setting up new processes with so little time to prepare, and the challenges of setting up a system of this nature at scale.

Additionally, there have been many times where the idea of online voting increasing voter turnout has been raised. Nicole Goodman points out that the increased accessibility and convenience may help somewhat, and Jinhai Yu published a piece which states that online voter registration can also increase voter turnout.

There are also long lines and broken voting machines to consider, with reports of voting machines being delivered without power cords or breaking on the day.

Paper isn’t Perfect

Whilst paper-based voting systems aren’t perfect, one of the major features they allow that many electronic systems do not is a paper trail which can be audited. However, falling back to an audit of ballots is not a trivial thing in itself; for an example of that, take a look at the 2000 Florida recount and the problem of “Hanging Chads”.

The issue there was with hole-punch ballots and what actually counted. If you use the “Lenient Standard”, where any modification to the perforated holes (called “chads”) counts as a vote, then Bush won by 1,665 votes. If the “Strict Standard”, where only a clean punch counted, is applied to undervotes, then Gore won by 3 votes.

Although a recount isn’t easy, some people worry that it isn’t possible at all to audit some voting machines in this way.