Outdated Voting Machines and Hacking

There is just so much in this article (Every Voting Machine at This Hacking Conference Got Totally Pwned) that makes me extremely angry.

Some personal background: I am not a programmer. I am not an IT security specialist. I have, however, worked in the IT sector since roughly 1995, and have been employed at various levels from front-line technical support for internet service providers, to internal office support for a large, high pressure financial institution, to network administrator for some small startups. While my employment has not been continuous in that sector (I don’t find it interesting *at all*), it would be fair to say that I have 15 years experience and exposure to changing technologies, and have needed to keep up with them (and a lot of their vulnerabilities) since I started.

While I am not a programmer, by any stretch, I am familiar with a number of programming languages and am familiar with the thinking involved in conceptualising algorithms and how technology works.

With all that in mind, I’d like to draw attention to a few statements made by the people involved with these voting machines, and why the US voting system is currently fucked.

Franklin said that even though the Election Assistance Commission’s most recent election security standards were released in 2015, most state’s machines are only compliant with standards from 2002 because of the prohibitive costs of updates.

Allow me to explain: there is effectively no security on these machines. When someone calls me with software from 2002, my official policy (and the policy of most organisations where I’ve worked) is “sorry, we don’t support your archaic software. Go update your everything and try again”.

In the early 2000s, I laughed my way out of a job interview because they wanted applicants to be familiar with an archaic and outmoded piece of software, that virtually no-one used anymore.

If I were offered a position as IT manager of these voting machines, I would only take the job under the proviso that they be updated to the current software release within a (short) set timeframe, or I walk. There’s no way I’m taking responsibility for the viability of those machines unless I can do some basic maintenance.

“The reality is, we’ve known about issues with voting machines for a long time,” Stanionis told Gizmodo. Since purchasing brand new systems is out of the question, Stanionis said most states do their best to protect the systems they have, walling them off from the internet and storing them securely when they’re not being used.

This is not security. The people at this event hacked new-to-them machines over a weekend (that was the *slowest*).

Locking these boxes away and not updating them gives a motivated group of programmers 15 years to figure out how to efficiently break into them, and devise a plan. This is not security. This is bullshit.

The rat king of decentralized state vendors and machines might actually be a good defense during a general election—it would force hackers to successfully target many disparate systems. “It would be really hard in most jurisdictions to do anything to affect the voting machines,” Stanionis said.

This is frighteningly naive. ‘The fact that we are crap is actually a good thing’ is never anything but a rationalisation.

Here is a plausible scenario that anyone with a passing knowledge of information technology would come up with. Anyone claiming that I’m giving away secrets, or planning to overturn the US government, is just declaring how little they know of this topic….

During a local election, a person (or a few people) can scout each voting location. They simply make a note of the make and model of each voting machine that they can see. They do not need to scout every single machine, just scouting as little as 10 or 20% is more than sufficient. In this particular election period, that is all that they do.

They then start working on hacking those models, at a leisurely pace, over the next year or two. Corporations and government agencies tend to purchase their equipment in bulk: if you see one voting machine of a particular make and model, odds are there’s 3-10 more of the same type in use. This is why you only need to scout a small number of the machines.

You spend that year crafting your programs to do whatever it is you want to do (erase votes, replace votes, crash the machines, enable wifi on the devices, whatever), and you create a stockpile of those programs in an online repository (i.e. dropbox, google drive, iCloud, whatever), and you spend a chunk of time recruiting a moderate sized group of people from different couties/states who are technologically savvy (not programmers, but not people who are afraid of computers).

In the next mid-term election, lets say, you disburse access to that software to everyone in your group (each person has a separate online storage account so that if one gets compromised, everyone else still has access to their software). Every gets a handful of USB sticks, or handheld infrared adapters, or whatever is needed to physically access the devices. And they upload whatever software package matches the machine they’re voting on.


There is no way, no way, that “we have a mix of machines” is any kind of adequate security for any kind of semi-organised threat. Any manager (IT or otherwise) with that mindset needs to be fired post haste.

“If you pull aside any campaign manager and say, ‘Do you want to get hacked?’ they’d say no,” Mook told DEF CON attendees. “If you asked them, ‘Have you done everything you can?’ they’d say, ‘No, but I don’t really know.’”

You. Don’t. Really. Know.

I’m doing my best not to swear in this article, but comments like this are really testing my patience.

Look, pre-1995 “I don’t really know” would kinda, sorta be an ok statement to make. Post 2001, with the introduction of wifi at the consumer level? With the ubiquity of internet access? With the wide availability of customisable hardware?

Fired. Done. Any campaign manager with the “I don’t really know” approach to technology is a dinosaur and obsolete. Either get them off the campaign, or make room in your campaign for someone with IT knowledge, who is parrallel in authority to the campaign manager. (as someone who has worked under people with zero knowledge of IT, let me assure you: it doesn’t work. People can’t supervise or evaluate work that they don’t understand)

Campaigns, along with voter registration databases, are softer targets for hackers—the events of the last year demonstrate that. And as exciting as it is to tear a voting machine apart, the goal of securing elections might be reached faster through educating election officials about cybersecurity best practices.

I can appreciate that Kate Conger’s approach here is likely a ‘let’s look at both sides’ sort of thing, but:

Why not both?

In a country that is routinely setting billions of dollars on fire on military technology that is never going to be used, the money necessary to secure the campaign communication and maintain the security of the electronic voting machines is a percent of a percent of military wastage.

So look, I get why Americans are routinely dubious of the effectiveness of government in general: clearly the US government is grossly incompetent in nearly every regard. But the solution isn’t to ignore the problem, and hope that they go away. The longer that these real security concerns are ignored, the more devastating their exploitation will be (as opposed to the wholly imagined security concerns regarding immigrants of colour).

If you’re *really* concerned about cost overruns, do you know what amazing technology has zero of these security concerns, and is used with great success is many, many countries worldwide?

Fucking pen and paper.

Just sayin’.

[Update Aug 3rd: Gizmodo have released a new article that make my concerns seem almost naive in comparison. There’s no point to locking machines away if other counties are selling them off for nothing with the voter registration information still in them.]

Follow Brian on Twitter



Leave a Reply

Your email address will not be published. Required fields are marked *