May 26, 2018

Are voting-machine modems truly divorced from the Internet?

(This article is written jointly with my colleague Kyle Jamieson, who specializes in wireless networks.)

[See also: The myth of the hacker-proof voting machine]

The ES&S model DS200 optical-scan voting machine has a cell-phone modem that it uses to upload election-night results from the voting machine to the “county central” canvassing computer.  We know it’s a bad idea to connect voting machines (and canvassing computers) to the Internet, because this allows their vulnerabilities to be exploited by hackers anywhere in the world.  (In fact, a judge in New Jersey ruled in 2009 that the state must not connect its voting machines and canvassing computers to the Internet, for that very reason.)  So the question is, does the DS200’s cell-phone modem, in effect, connect the voting machine to the Internet?

The vendor (ES&S) and the counties that bought the machine say, “no, it’s an analog modem.”  That’s not true; it appears to be a Multitech MTSMC-C2-N3-R.1 (Verizon C2 series modem), a fairly complex digital device.  But maybe what they mean is “it’s just a phone call, not really the Internet.”  So let’s review how phone calls work:

The voting machine’s cell-phone modem places a call to the county-central computer by connecting to the nearest cell tower; from there the call is carried through Verizon’s “Autonomous System” (AS), part of the packet-switched Internet, to a cell tower (or land-line station) near the canvassing computer.

Verizon attempts to control access to the routers internal to its own AS, using firewall rules on the border routers.  Each border router runs (probably) millions of lines of software; as such it is subject to bugs and vulnerabilities.  If a hacker finds one of these vulnerabilities, he can modify messages as they transit the AS network:

Do border routers actually have vulnerabilities in practice?  Of course they do!  US-CERT has highlighted this as an issue of importance.  It would be surprising if the Russian mafia or the FBI were not equipped to exploit such vulnerabilities.

Even easier than hacking through router bugs is just setting up an imposter cell-phone “tower” near the voting machine; one commonly used brand of these, used by many police departments, is called “Stingray.”

I’ve labelled the hacker as “MitM” for “man-in-the-middle.”  He is well positioned to alter vote totals as they are uploaded.  Of course, he will do better to put his Stingray near the county-central canvassing computer, so he can hack all the voting machines in the county, not just one near his Stingray:

So, in summary: phone calls are not unconnected to the Internet; the hacking of phone calls is easy (police departments with Stingray devices do it all the time); and even between the cell-towers (or land-line stations), your calls go over parts of the Internet.  If your state laws, or a court with jurisdiction, say not to connect your voting machines to the Internet, then you probably shouldn’t use telephone modems either.
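To make the man-in-the-middle position concrete, here is a small added example (not code from the original post, and not ES&S’s actual upload format): a constructed election-night results record is sent once as plain bytes and once with an HMAC-SHA256 tag computed under a key assumed to be provisioned out of band to both the machine and the canvassing computer. A simulated party on the call path swaps the two candidates’ totals while leaving the ballot count consistent, and the two receivers show which one notices.

```python
import hashlib
import hmac
import json

# Constructed sample election-night record. Field names and values are
# assumptions for this example, not the DS200's real upload format.
SAMPLE_RESULTS = {
    "precinct": "Sample-01",
    "ballots_cast": 412,
    "totals": {"Candidate A": 230, "Candidate B": 182},
}

# Shared secret assumed to be provisioned to the voting machine and the
# canvassing computer out of band (constructed value for this example only).
SHARED_KEY = b"constructed-example-key-do-not-reuse"


def encode_plain(record):
    """Upload as the post describes it: totals with no integrity protection."""
    return json.dumps(record, sort_keys=True).encode()


def decode_plain(wire):
    """Receiver that trusts whatever bytes arrive."""
    return json.loads(wire.decode())


def encode_authenticated(record, key=SHARED_KEY):
    """Same record, followed by an HMAC-SHA256 tag over the serialized body."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def decode_authenticated(wire, key=SHARED_KEY):
    """Receiver that refuses any record whose tag does not verify."""
    body, sep, tag = wire.rpartition(b"|")
    if not sep:
        raise ValueError("integrity check failed: no tag present")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record altered in transit")
    return json.loads(body.decode())


def simulate_in_path_swap(wire):
    """Stand-in for a party on the call path (compromised border router or
    imposter tower) that exchanges the two candidates' totals. ballots_cast is
    left untouched, so a plausibility check on the sum would not notice."""
    body, sep, tag = wire.rpartition(b"|")
    if not sep:                      # plain message: nothing to carry along
        body, tag = wire, None
    record = json.loads(body.decode())
    first, second = list(record["totals"])[:2]
    totals = record["totals"]
    totals[first], totals[second] = totals[second], totals[first]
    out = json.dumps(record, sort_keys=True).encode()
    return out if tag is None else out + b"|" + tag


def receive_plain_after_swap():
    """What the unprotected receiver ends up recording."""
    return decode_plain(simulate_in_path_swap(encode_plain(SAMPLE_RESULTS)))


def receive_authenticated_after_swap():
    """What the verifying receiver does with the same in-path alteration."""
    try:
        decode_authenticated(simulate_in_path_swap(encode_authenticated(SAMPLE_RESULTS)))
        return "accepted"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print("plain receiver stored:", receive_plain_after_swap()["totals"])
    print("authenticated receiver:", receive_authenticated_after_swap())
```

The unprotected receiver records the swapped totals with no indication anything happened; the verifying receiver rejects the record. Note what the tag does and does not cover: it detects alteration in transit, but it cannot detect a voting machine or canvassing computer whose own software has already been changed, it does nothing against an in-path party that simply drops or delays the upload, and it depends on key provisioning that the post does not discuss. It narrows one of the risks above rather than removing the exposure that comes from routing the call through the Internet.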

My testimony before the House Subcommittee on IT

I was invited to testify yesterday before the U.S. House of Representatives Subcommittee on Information Technology, at a hearing entitled “Cybersecurity: Ensuring the Integrity of the Ballot Box.”  My written testimony is available here.  My 5-minute opening statement went as follows:

My name is Andrew Appel.  I am Professor of Computer Science at Princeton University.   In this testimony I do not represent my employer. I’m here to give my own professional opinions as a scientist, but also as an American citizen who cares deeply about protecting our democracy.

My research is in software verification, computer security, technology policy, and election machinery.  As I will explain, I strongly recommend that, at a minimum, the Congress seek to ensure the elimination of Direct-Recording Electronic voting machines (sometimes called “touchscreen” machines), immediately after this November’s election; and that it require that all elections be subject to sensible auditing after every election to ensure that systems are functioning properly and to prove to the American people that their votes are counted as cast.

There are cybersecurity issues in all parts of our election system:  before the election, voter-registration databases; during the election, voting machines; after the election, vote-tabulation / canvassing / precinct-aggregation computers.  In my opening statement I’ll focus on voting machines.  The other topics are addressed in a recent report I have co-authored entitled “Ten Things Election Officials Can Do to Help Secure and Inspire Confidence in This Fall’s Elections.”

In the U.S. we use two kinds of voting machines: optical scanners that count paper ballots, and “touchscreen” voting machines, also called “Direct-Recording Electronic.”  Each voting machine is a computer, running a computer program.  Whether that computer counts the votes accurately, or makes mistakes, or cheats by shifting votes from one candidate to another, depends on what software is installed in the computer.  We all use computers, and we’ve all had occasion to install new software.  Sometimes it’s an app we purchase and install on purpose, sometimes it’s a software upgrade sent by the company that made our operating system.  Installing new software in a voting machine is not really much different from installing new software in any other kind of computer.

Installing new software is how you hack a voting machine to cheat. In 2009, in the courtroom of the Superior Court of New Jersey,  I demonstrated how to hack a voting machine.  I wrote a vote-stealing computer program that shifts votes from one candidate to another.   Installing that vote-stealing program in a voting machine takes 7 minutes, per machine, with a screwdriver.  I did this in a secure facility and I’m confident my program has not leaked out to affect real elections, but really the software I built was not rocket science — any computer programmer could write the same code.  Once it’s installed, it could steal elections without detection for years to come.

Voting machines are often delivered to polling places several days before the election—to elementary schools, churches, firehouses.  In these locations anyone could gain access to a voting machine for 10 minutes.  Between elections the machines are routinely opened up for maintenance by county employees or private contractors.  Let’s assume they have the utmost integrity, but still, in the U.S. we try to run our elections so that we can trust the election results without relying on any one individual.

Other computer scientists have demonstrated similar hacks on many models of machine. This is not just one glitch in one manufacturer’s machine, it’s the very nature of computers.

So how can we trust our elections when it’s so easy to make the computers cheat?  Forty states already know the answer:  vote on optical-scan paper ballots.  (My written testimony clarifies this statement.)  The voter fills in the bubble next to the name of their preferred candidate, then takes this paper ballot to the scanner—right there in the precinct—and feeds it in.  That opscan voting machine has a computer in it, and we can’t 100% prevent the computer from being hacked, but that very paper ballot marked by the voter drops into a sealed ballot box under the opscan machine.  Those ballots can be recounted by hand, in a way we can trust.

Unfortunately, there are still about 10 states that primarily use paperless touchscreen voting computers.  There’s no paper ballot to recount.  After the voter touches the screen, we have to rely on the computer—that is, we have to rely on whatever program is installed in the computer that day—to print out the true totals when the polls close.

So what must we do?  In the near term, we must not connect the voting machines to the Internet.  The same goes for those computers used to prepare the electronic ballot definition files before each election, that are used to program the voting machines—that is, we must not connect the voting machines even indirectly to the Internet.  Many able and competent election administrators already follow this “best practice.”  I hope that all 9000 counties and states that run elections follow this practice, and other security best practices, but it’s hard to tell whether they all do.

These and other best practices can help protect against hacking of voting machines by people in other countries through the Internet.  But they can’t protect us from mistakes, software bugs, miscalibration, insider hacking, or against local criminals with access to the machines before or after elections.  So what we must do as soon as possible after November is to adopt nationwide what 40 states have already done: paper ballots, marked by the voter, countable by computer but recountable by hand.

In 2000 we all saw what a disastrously unreliable technology those punch-card ballots were.  So in 2002 the Congress outlawed punch-card ballots, and that was very appropriate.  I strongly recommend that the Congress seek to ensure the elimination of paperless “touchscreen” voting machines, immediately after this November’s election.

Which voting machines can be hacked through the Internet?

Over 9000 jurisdictions (counties and states) in the U.S. run elections with a variety of voting machines: optical scanners for paper ballots, and direct-recording “touchscreen” machines.  Which of them can be hacked to make them cheat, to transfer votes from one candidate to another?

The answer:  all of them.  An attacker with physical access to a voting machine can install fraudulent vote-miscounting software.  I’ve demonstrated this on one kind of machine, others have demonstrated it on other machines.  It’s a general principle about computers: they run whatever software is installed at the moment.

So let’s ask:

  1. Which voting machines can be hacked from anywhere in the world, through the Internet?  
  2. Which voting machines have other safeguards, so we can audit or recount the election to get the correct result even if the machine is hacked?

The answers, in summary:

  1. Older machines (Shouptronic, AVC Advantage, AccuVote OS, Optech-III Eagle) can be hacked by anyone with physical access; newer machines (almost anything else in use today) can be hacked by anyone with physical access, and are vulnerable to attacks from the Internet.
  2. Optical scan machines, even though they can be hacked, allow audits and recounts of the paper ballots marked by the voters.  This is a very important safeguard.  Paperless touchscreen machines have no such protection.  “DRE with VVPAT” machines, i.e. touchscreens that print on paper (that the voter can inspect under glass while casting the ballot) are “in between” regarding this safeguard.

The most widely used machine that fails #1 and #2 is the AccuVote TS, used throughout the state of Georgia, and in some counties in other states.
