How hard is it to hack the US election?

How easy is it to hack into voting machines?

Different states use different voting machines. This means the whole system can’t be hacked at once, but it also means hackers can find the states with the weakest cybersecurity and strike there. If they succeed, they could sway election results to one side or the other. But what do these “weak links” look like?

To understand this, we first need to know the type of machines used for the voting. There are two – optical voting machines and direct recording electronic (DRE) machines. The former uses paper ballots that you fill in and the machine scans and tabulates. The paper ballot is kept in case the vote needs to be verified or an audit needs to be conducted. DRE machines record your vote electronically. Some provide a paper trail, some don’t.

Now, though counting the votes might be annoying, 22 states have chosen to use paper ballots only for security reasons. Their machines may be hackable, but they have paper ballots to compare their results with. The remaining states use either both Optical and DRE machines or only DRE machines.

Most of these machines are more than 10 years old. They were designed at a time when no one considered the need for internet connectivity, firewalls, or cybersecurity. They are so outdated that their software providers, including Microsoft, stopped issuing software updates a long time ago. It’s no surprise that they present many vulnerabilities.

Using a mixture of Optical and DRE machines leaves more than half of the country vulnerable. To make matters worse, there are 5 states (Delaware, Georgia, Louisiana, New Jersey, South Carolina) that use DRE machines only.

So what can hackers do with the voting machines?

• Physically tamper with the device’s hardware. This hack is probably the least likely to happen as it may be difficult to physically access the device without anyone noticing. It would also be hard to infect enough machines to sway an election.

  However, this is far from impossible. Voting machines have been thoroughly studied and exploited at hacking events such as DEFCON. They are also easily accessible to pretty much anyone – you can buy them on Ebay. Hackers have a good idea of what hides behind these outdated voting machines’ covers.

• Design multiple-use election cards for DRE machines. Normally, one election card equals one vote. However, hackers can create fake ones that could be used an infinite amount of times (as long as the election observers don’t notice anything).

  This hack is possible and isn’t too difficult to implement. The hardest part would be to mobilize enough people and resources to actually have any major impact.

• Remotely access the machines. This may not be feasible as most machines are not connected to the internet for security reasons or simply because they were not designed that way. However, some are. And it doesn’t help if the voting machine maker left remote-access software on it. These machines can easily be exploited by inserting malicious code to alter the results.
• Connect to the same Wi-Fi network and access the machines. We’ve said many times that public Wi-Fi isn’t safe. That applies to the election too. Most voting machines have no firewalls or security measures in place. It would be enough for a hacker to sit in the same room, connect to the same network, and run a targeted attack to take over the device.

Hacking voting machines is possible, but that would require a lot of resources and might not be practical. To have a national effect, hackers have to think big. That means using various techniques to infect the voting process before voters even reach the voting booth. But how?

How to target the voting process

This is what hackers might try to do to achieve a sufficient scale to sway an election. The scary thing is that none of the hacks below are out of the ordinary or impossible to achieve.

1. Use baiting to install malicious ballot program. Voting machines need to be set up for the election with a special ballot program. Most of the machines that are not connected to the internet will need an external device like a memory stick with a pre-loaded program. A hacker could easily use baiting techniques or replace legitimate devices with the hacker’s infected device.
2. Infect an election official’s device and tamper with election programs. Many election officials’ details are easily accessible on the internet. The hacker could use a phishing technique to infect an official’s device, gain remote access, and change election program code without anyone noticing. This would have an even bigger effect than baiting as this ballot program could now be installed all over the county or a state without anyone having a clue.
3. Create fake election management systems that are already infected or are set up to vote for the hacker’s preferred candidate. It’s not uncommon for states/counties to hire small companies to provide them with election management systems. They might think they are buying a legitimate service, but how do they know that the service or software providers aren’t hackers or haven’t been breached themselves?
4. Hack into voter registration systems and send phishing emails to voters. A hacker could also send false emails informing voters about long queues, a change in their voting center, or that their voting center is closed. This could result in people simply not showing up to vote.
5. There are no federal laws that would make state and local governments share information if 2020 election is hacked. In addition, a federal policy promises to shield the identity of cyber crime victims. This means that if one of election offices is hacked they are not obligated to share this information with other offices or states, not even voters themselves. Not sharing such information means that other states might be targeted in the same way and instead of putting the necessary measures in place, they will be sitting in the dark.

Can they hack your brain?

Hacking a voter’s brain is the worst hack of them all. Changing someone’s perception about the matter without them noticing is scary, immoral and insidious.

The Cambridge Analytica scandal that some say influenced the 2016 election showed us the powerful new tools being used to shape public opinion without accountability. Even without concrete evidence on how many votes may have been swayed, it still planted a seed of doubt – “Is my vote worth a thing?”

Americans are proud of their freedom of choice, so they rely heavily on media to gather information and form their opinions. Hackers or organizations can turn that against them by hacking social media with fake ads, fake profiles and disinformation. They could also flood other media channels with fake news.

Such attacks are particularly dangerous as they can be governmental or state sponsored. This means a foreign government could try to interfere with the US election. They would also have sufficient funds to reach bigger audiences and perform more intricate attacks that require more resources.

Can the 2020 election be hacked?

Many of the hacks above could be prevented by employing simple cybersecurity measures, replacing old voting machines with newer and more secure ones, using paper ballots, or conducting security audits. However, most of these changes cannot be made without extra funding or new legislation, which does not seem to be forthcoming in the US. This leaves the 2020 election vulnerable to interference and hacking.

Update: 3 September 2020. Only two months before the US presidential election, the personal information of millions of voters from Michigan, Arkansas, Connecticut, Florida, and North Carolina was made available on the Russian dark web.

Reports indicate that the data included names, dates of birth, gender, physical addresses, emails, voter registration numbers, date of registration, and polling stations.

US authorities claim that public voter information is available through FOIA (Freedom of Information Act) requests and no cyber attacks on election databases have occurred. However, the leaked info does include private and privileged information. While it depends on the state how much information you can get upon FOIA request, political parties typically have the widest access. If there were indeed no attacks on government databases, hackers may have targeted party databases instead.

While the origins of the leak are unclear, it is clear that voter information, and by extension many voters, remain extremely vulnerable.