Disclaimer: vote tampering of any kind is a felony. Accessing computer systems without proper authorization is a felony. This post was not written with intent to enable election tampering, and I expressly condemn any activity to that end. Some technical details are omitted for both brevity and to prevent this from being a literal election-stealing guide. Rest assured, our adversaries already know it all.
Last week saw a federal court hearing in Curling v. Kemp, a lawsuit aimed at getting paperless DRE voting machines out of use in the state of Georgia. The hearing had many surreal moments, which are well documented here, here, and here, among other places. The record of the hearing can be found here. The testimony was chilling, but there were two clear standouts: the testimony of Michael Barnes (of the Secretary of State’s office, in charge of all Georgia voting systems) and Rick Barron (Fulton County’s Election Director). Both provided deep technical insight into how Georgia’s election system is run, and also made public several vectors by which votes can be stolen in Georgia. Nevertheless, the defense insisted that the system is secure and that nothing is wrong.
This post comes in three parts: an overview of how Georgia runs elections, how adversaries can attack it, and what we can do about it. All of this information is as of now completely public, and I guarantee that any serious threat to our elections has known it for years.
Georgia’s Election System
Michael Barnes’s testimony gives us a relatively full picture of how Georgia’s election system works. There are three servers at the Secretary of State’s office: a public-facing website, a ballot-building server likely running GEMS (the program that allows election workers to manage ballots and program voting machines), and an ExpressPoll data server (the voter registration database). The public-facing website was the one indexed by Google that Logan Lamb accessed, and it contained a complete voter database file as well as GEMS database files (though Barnes claims these were just for training). According to Barnes, this server is not networked to the two servers that actually put data on voting machines and ExpressPoll units.
The other two servers are connected to a private (i.e. “air-gapped”: tightly controlled and not exposed to outside connections) network within the Secretary of State’s office, and data entry into this network is done only via keyboard. However, there is at least one notable exception: Barnes’s office must distribute proof ballot files to the county election officials so they can ensure all races and candidates are accounted for, spelled correctly, etc. To do this, he transfers PDF representations of the ballots from the GEMS “air-gapped” network to his personal, Internet-connected work computer, and from there uploads them to a file-transfer (FTP) server so that the counties can retrieve them.
According to Barnes’s testimony, the USB drive he uses to transfer the ballot proofs has a write-lock (which Barnes refers to as a “lock position”) that in theory prevents data from being written to the drive when it should not be. He also claims to format it after every use. He states that this is the only removable media device (excluding compact flash memory cards) ever connected to the “air-gapped” network.
Barnes states that from the supposedly air-gapped network, election data and voter databases are loaded onto encrypted CDs and compact flash cards, respectively, and then hand-delivered to the counties by SoS staff. The CDs with the ballot data can only be decrypted with a password held by the SoS’s office; counties must call in with a verification code to receive the password over the phone, then decrypt the CD and load the election data onto their own GEMS servers. From there, each county’s GEMS server is physically connected to one voting machine, and compact flash cards are loaded into this machine and programmed by the server. The programmed cards are then put into the voting machines to be used in each polling place, and each voting machine is dropped off at a polling place. A similar procedure is presumably followed for the electronic poll books, though Barnes’s testimony did not go into details about them.
At the end of each election, the election results are “accumulated” in each polling place by taking one compact flash card and plugging it into each voting machine in the polling place, aggregating the results. If you imagine each voting machine as its own ballot box, this is akin to putting all the ballots in one box. From there the results card is physically taken to the county office where it is combined with the rest of the county data in a manner similar to the polling place-level accumulation, and then election results are announced and transmitted to the SoS office.
As a brief aside, the one exception to this is Fulton County, where results cards and individual electronic ballots are taken to annexes and then transmitted to the county office via dial-up. Rick Barron, the Fulton County Election Director, insists his voting machines are never connected to the Internet, assuming that analog phone lines can’t be hacked. For reference, Apple Computer got started because its founders built “blue boxes” which let them hack the phone network into giving them unlimited long-distance calling, among other things. A Fulton County poll worker has even said that the phone lines in Fulton County’s election preparation center get telemarketing calls. The very same lines over which election results are transmitted.
Hacking Georgia’s Election: top down
Based on this layout, there are several points of entry that can give attackers full access to the state’s entire system. The most obvious one is Barnes’s computer: an attacker from anywhere in the world could send Barnes an email with a virus attached that could then spread to the USB drive, the ballot programming network, the counties’ ballot CDs or voter registration cards, and then into every voting machine and voter registration tablet.
I can speak from personal experience that email is a particularly effective vector of attack. Impersonating someone via email is not hard, and in fact we teach undergraduates to do it at the University of Michigan. Phishing attacks, where a bad actor sends an email to someone to gain some sort of access, like stealing their password, are notoriously hard to defend against. This was exactly the kind of attack that gave Russians access to John Podesta’s email account in 2016, so we know that at least one adversary is already more than capable of executing this attack.
Once the email has been sent to Barnes, the next step is building a virus that, once downloaded, will try to infect every USB device connected to the computer. There are numerous ways to do this that are publicly known, and almost certainly even more that are known to hackers and intelligence agencies like the NSA and GRU. It should be pretty easy to defeat the read-only setting that Barnes has on his USB stick, and if the malware manages to overwrite the firmware on the thumb drive, it could even be resilient to formatting. Hackers could just overwrite the code that tells the USB stick how to talk to whatever computer it’s plugged into with code that instead downloads files from a foreign server that will then get put on the “air-gapped” machines as soon as it’s plugged in to them. Attacks like these are how the U.S. and Israel (allegedly) carried out the Stuxnet attack on Iranian nuclear centrifuges, and also how Russia has jumped air gaps and gotten into U.S. industrial control systems that aren’t connected to the Internet in recent months.
This line of reasoning applies to any USB device that’s connected to the private network. If another employee ever sticks a USB drive into the network, the chance of bad guys getting in is just as high as if Barnes gets phished. It is nearly impossible to police employees to ensure they aren’t doing this, as the NSA has learned with leaks like Snowden and Reality Winner, so I’m fairly confident this is just as viable an attack vector. Moreover, an attacker could craft a fake email from Barnes or another higher-up instructing an employee to insert a thumb drive into the private network.
Once the malware is on the ballot-building network, it would simply have to replicate itself onto some or all of the CDs burned and sent to county election offices. From there, it could exploit known vulnerabilities in either Windows XP drivers or in the Diebold GEMS software to gain control of the targeted county computers. Then, once elections are programmed on memory cards, it could finally make the jump onto each and every voting machine in Georgia, or just the ones targeted to achieve the desired outcome. Malware that steals votes and spreads in this manner has already been created by academics; it’s no stretch of the imagination that such malware has also been built by our nation’s adversaries.
Hacking Georgia’s Election: bottom up
This is only one vector of attack. Rather than going top-down, a hacker could insert a bogus memory card into a voting machine that would install malware on that machine, much like the demo that Alex Halderman did during last week’s hearing (a similar demo can be seen here). Access to voting machines around the voting period is pretty easy to get. Voting machines are often left completely unattended for days at a time, relying on bicycle locks and cheap plastic seals to keep bad guys out. These seals are easy to beat; I can do it in about 6 seconds, and it only took me a few minutes to learn.
Once a bad guy has physically broken into the machine, it’s easy to swap out the memory card and install a virus like the one developed at Princeton in 2006, which targeted Georgia’s exact model of voting machine. When polls close and results are aggregated, the virus can spread to the accumulator card, and from there to the county’s central server. If any memory card from the county ever gets plugged in somewhere else, then the virus can spread there. It only takes one contaminated card to spread a virus to the entire election system. If the FTP server the Secretary of State’s office uses to send out ballot proofs is misconfigured, as their web server was in 2016, then the virus could upload itself there and then onto every county election management machine. Again, in this scenario, an attacker can get malware running on every Georgia voting machine and change votes at will with access to only one machine. No Internet connection, no problem.
Georgia’s voting system was already exposed to a significant period of vulnerability with the open web server that Logan Lamb accessed. There can be almost no doubt that an adversary with enough money and desire could have also accessed the system, and worse. We live in an age of advanced persistent threats (APTs), where bad guys break into systems undetected and spend months or years laying groundwork for cyberattacks before taking action.
The gross negligence of Georgia’s Secretary of State in handling the vulnerable server is exactly the kind of scenario these kinds of attackers play into. Georgia’s elections office destroyed the only evidence we might have had of an intrusion of this kind, and from Michael Barnes’s testimony last week it is clear that the state is either incompetent or willfully ignorant in its handling of the breach. It is quite possible that Georgia’s elections have already been hacked. Because the voting machines are completely unverifiable, we have zero chance to find out. No effort has been made on the part of the state of Georgia to investigate the impact of the vulnerability or to decontaminate various state voting equipment.
What do we do about it?
The only remediation for Georgia’s current predicament is an immediate switch to a paper-based voting system. Optical scan machines, deployed to count paper ballots, are just as vulnerable to hacking as the current DREs, but with proper audits there is a very high chance of catching even a small change to an election outcome by bad guys (or errors). We know how to do this, and Georgia already has the resources to do it, with $10 million from a recent federal bill.
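The claim that a proper audit of paper ballots catches even a small change to an outcome can be made concrete. The following is an added example, not code from the post or from any Georgia system: for a contest of a given size and margin it computes the fewest ballots an attacker would have to alter to reverse the result, and how many randomly drawn paper ballots must be hand-checked against the scanner’s record to have a 95% chance of hitting at least one altered ballot. It assumes sampling without replacement, that an altered ballot is recognizable on inspection, that the audit escalates to a full hand count on the first discrepancy, and constructed contest sizes.

```python
# Added example (not from the original post). Assumptions: ballots are drawn
# uniformly at random without replacement, every altered ballot is recognizable
# when hand-examined against its scanner record, and one discrepancy triggers a
# full hand count. Contest sizes used below are constructed, not real results.

def ballots_to_flip(margin_votes: int) -> int:
    """Fewest ballots an adversary must alter, each moving one vote from the
    winner to the runner-up, to reverse a margin of `margin_votes`."""
    if margin_votes <= 0:
        raise ValueError("margin must be positive")
    return margin_votes // 2 + 1


def miss_probability(total: int, tampered: int, sample: int) -> float:
    """P(a random sample of `sample` ballots contains none of the `tampered`
    ones): the hypergeometric zero-hit term, computed as a running product."""
    if not 0 <= tampered <= total or not 0 <= sample <= total:
        raise ValueError("counts out of range")
    if sample > total - tampered:
        return 0.0  # more draws than clean ballots: a hit is certain
    miss = 1.0
    for i in range(sample):
        miss *= (total - tampered - i) / (total - i)
    return miss


def audit_sample_size(total: int, tampered: int, detect_prob: float = 0.95) -> int:
    """Smallest sample that includes at least one tampered ballot with
    probability >= detect_prob (without replacement, so each draw helps more)."""
    if tampered <= 0:
        raise ValueError("nothing to detect")
    target_miss = 1.0 - detect_prob
    miss = 1.0
    for drawn in range(1, total + 1):
        miss *= (total - tampered - (drawn - 1)) / (total - (drawn - 1))
        if miss <= target_miss:
            return drawn
    return total


def plan_audit(total: int, margin_votes: int, detect_prob: float = 0.95) -> dict:
    """Sample size needed to catch the cheapest outcome-changing alteration."""
    k = ballots_to_flip(margin_votes)
    n = audit_sample_size(total, k, detect_prob)
    return {"tampered_needed": k, "sample_size": n,
            "miss_prob": miss_probability(total, k, n)}


if __name__ == "__main__":
    # Constructed county-sized contest: 100,000 ballots, 1,000-vote margin.
    print(plan_audit(100_000, 1_000))
```

The sample needed to catch an outcome-changing attack scales with the margin, not with the number of machines, which is why a hand-verifiable paper record changes the defender’s position even though the scanners themselves remain hackable.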
Switching systems this close to the October 15th early voting period will be no small feat, but it is the only option to safeguard Georgia’s election. A new voting system and complete overhaul is not necessary, as Georgia already owns enough optical scanners to count the paper ballots. Paper ballots are already being printed for mail-in and provisional ballots. The print orders can simply be expanded.
The question of election hacking is no longer one of spectral fears. Our elections are under attack, and for Georgia in November, it’s a question of the controlled chaos of switching to a secure voting system, or complete unmitigated chaos when the election gets hacked. Georgia voters deserve to have their votes count, and the state’s gross negligence up to this point is no longer excusable. Georgia needs paper. Now.