Rapid advances in the development of cyberweapons and malicious software mean that electronic-voting machines used in the 2012 election could be hacked, potentially tipping the presidential election or a number of other races.
Since the machines are not connected to the Internet, any hack would not be a matter of someone sneaking through cyberspace to change ballots. Rather, the concern is that an individual hacker, a partisan group, or even a nation state could infect voting machines by gaining physical access to them or by targeting the companies that service them.
The 2010 discovery of the Stuxnet cyberweapon, which used a thumb drive to attack Iran's nuclear facilities and spread among its computers, illustrated how one type of attack could work. Most at risk are paperless e-voting machines, which don’t print out any record of votes, meaning the electronically stored results could be altered without anyone knowing they had been changed.
In a tight election, the result could be the difference between winning and losing. A Monitor analysis shows that four swing states – Pennsylvania, Virginia, Colorado, and Florida – rely to varying degrees on paperless machines.
"The risk of cyber manipulation of these machines is quite real," says Barbara Simons, a computer researcher and author of "Broken Ballots," a book documenting e-voting vulnerabilities. "Most people don't understand that these computer-based voting machines can have software bugs or even election-rigging malicious software in them."
There are plenty of software vulnerabilities to exploit, says Matt Blaze, a computer scientist at the University of Pennsylvania in Philadelphia. In 2007, he was on a team investigating touch-screen and other voting systems for California and Ohio. The resulting study concluded "virtually every important software security mechanism is vulnerable."
The paperless machines, however, stand out as particularly vulnerable.
"If there's no paper trail, you can have the corrupted software display on the voting-machine screen whatever you want to display – and then after the voter leaves, record something completely different inside," says Richard Kemmerer, a computer scientist who heads the University of California, Santa Barbara, Computer Security Group.
Voting for Pac-Man
For example, Alex Halderman, a researcher at the University of Michigan, and a colleague at Princeton University hacked into a paperless touch-screen voting machine in 2010 and installed the video game Pac-Man. That lab exercise took three afternoons but did not break any tamper-proof seals and left no traces.
Similarly, he and Princeton researchers in 2006 demonstrated that if someone could get a few minutes’ unattended access to a paperless machine, that person could install a software virus that could spread to other machines and switch those machines’ votes before deleting all traces of itself.
In fact, Dr. Halderman quips, he has a paperless e-voting machine in his office now. It plays the University of Michigan fight song “on command because I hacked it," he says.
Such exploits have not gone unnoticed. States rushed to adopt e-voting machines after the contentious 2000 presidential vote recount in Florida, but now they are backpedaling. All but 17 have already mandated a return to paper ballots or paper verification for e-voting, including electronic optical scan or other equipment. Other states, like Florida, have gotten rid of most, but not quite all, paperless voting machines. Yet other battleground states, like Pennsylvania and Virginia, continue to use the vulnerable machines widely.
Some of the security improvements states are taking are obvious. In past years, poll workers were sometimes sent home with voting machines they were to set up the next day. But because access to a machine for even a minute can be enough to modify software, these "sleepover" practices have been largely abandoned, voting machine experts say.
Moreover, machines once sitting unmonitored in school gymnasium closets are today stored in locked rooms with surveillance equipment watching them, say officials in some states. Local officials also conduct pre- and postelection audits to check the accuracy of machines.
Colorado, which still uses paperless e-voting machines in Jefferson County, is among the states stepping up its protocols to make sure all its machines remain secure.
"Our machines are not connected to networks," says Andrew Cole, a spokesman for the Colorado Secretary of State's office. "They're sealed. The logs are sealed. There's a chain of custody requirement. We know when our office or county clerk installed the software, when it was sealed, and these machines are kept in places where they're monitored by video. Without those rules you could say they would be vulnerable. But we have safeguards in place to eliminate those vulnerabilities."
Manufacturers, too, see big security improvements.
"There's been a lot of improvement in the new equipment, and local jurisdictions and states are doing a lot more to ensure our machines are accurate," says Chris Riggall, a spokesman for Domnion Voting Systems in Denver. "We still provide maintenance and support for a lot of this equipment. We can't ever say that security is a thing of the past with election technology. It's an area where continuous improvement is essential."
At this point, e-voting machine errors appear to be simple mistakes instead of nefarious plots, says Michael Shamos, a computer scientist at Carnegie Mellon University in Pittsburgh.
"So often e-voting machine vote flipping appears to be deliberate, but it's not," he says. "Someone thinks someone has tampered with this machine, but it’s just the screen calibration that's at fault and not anything malicious…. That's the major thing wrong with touch-screen voting machines today. They get out of calibration – or local officials don't go through calibration at the beginning of the day."
Some early voters in North Carolina’s Guilford County reported vote-flipping this week when electronic voting machines changed the votes they cast for Mitt Romney to Barack Obama instead. Local election official, George Gilbert reassured them, "it's not a conspiracy, it's just a machine that needs to be corrected."
Still prone to tampering?
Despite this, among the 23 states that use touch-screen Direct-Recording Electronic (DREs) machines as a primary voting system in at least some precincts, only California, Indiana, and Ohio were rated excellent in a national report this summer by Verified Voting, a Carlsbad, Calif., nonprofit that tracks voting machine use.
The updated physical security measures are not enough, security researchers add. For example, seals that cover sensitive areas of the equipment have been repeatedly shown to be ineffective. Some don't even seal the right things.
Physically securing machines with seals is a two-edged sword, too, security experts say. If a poll worker finds a seal broken, what can be done? Votes can be recounted if the machines use paper. But if they don't, counting the votes anyway means including results that may be invalid. Not counting the votes opens the door to an even simpler way to tamper with an election: just go to places where people vote against your candidate and tamper with those machines’ seals, Penn's Dr. Blaze says.
"I'm not at all sanguine about the physical security improvements," he says. "The basic findings are still valid: These machines are prone to tampering if people that can get unattended access. Certain software changes make the attacks needed more elaborate, but the bottom line is that these machines still are subject to tampering and don't keep paper records, only electronic records that can be changed."
How a hack might happen
Rigging a national election by cyber means would require a lot of money, hacker talent, and sophistication. But it could happen in a number of ways, experts say.
For a savvy hacker, the time and access needed to infect a machine is so small that it could be done while in a voting booth. Alternately, someone wanting to alter election results could get access through a corrupt poll worker. The Stuxnet attack, reportedly a joint US-Israeli project, provides yet another – albeit more ambitious – blueprint.
That attack is believed to have first infected the computer networks of Russian or Irnaian technicians through the Internet. Then, the Stuxnet worm gained access to the Iranian nuclear program when the technicians serviced those computers with their own infected equipment. From there, it spread throughout the Iranian network. Similarly, a hacker could in theory use the Internet to target an e-voting machine company, which would then unknowingly infect its own machines when it serviced them.
Such malicious software makes it appear to users that the system is working fine when it is not – a so-called "man in the middle" attack because the rogue software sits between the user and the machine response, working various software levers unbeknownst to the user. A Stuxnet-like attack could spread via voter memory card to many machines, no Internet or human help needed.
"If you're considering a malicious attack, then you're dealing with an adversary that's strategic about where they're going to act," says Edward Felten, a Princeton professor who also has analyzed cybersecurity and other e-voting machine weaknesses state by state. "An attacker might look at the odds of getting away with an attack in a particular place. Where he attacks might also depend on being able to get access to a machine through a corrupt election official or in a state where defenses are weaker."
It's impossible to know if newer machines and software are really secure because their source code is largely unavailable for analysis, Dr. Felten and others say. Voting-equipment makers frequently say their software is a trade secret. But some security experts say that needs to change.
"Our goal should be an election so open and transparent, including the software,” says author Ms. Simon. "It's not so much for the winners that we need it. It's for the rest of the electorate – convincing the losers and their supporters they really did lose. That's why it's important."