And fixing the hardware would be really hard.
Image: Joseph Cox/Motherboard
After partial vote recounts in certain states, US election officials found no evidence that votes had been manipulated by a cyberattack on voting machines, security researchers told an audience at the Chaos Communication Congress hacking festival on Wednesday. But, the researchers called for a vast overhaul in voting machine security and related legislation, warning that an attack is still possible in a future election.
"We need this because even if the 2016 election wasn't hacked, the 2020 election might well be," said J. Alex Halderman, a professor of computer science at the University of Michigan, during a presentation with Matt Bernhard, a computer science PhD student.
"Developing an attack for one of these machines is not terribly difficult."
Halderman's and other security experts' concerns made headlines in November when he participated in a call with the Clinton campaign about a potential recount in some states. Green Party candidate Jill Stein subsequently held a crowdfunding campaign to finance the recounts.
"Developing an attack for one of these machines is not terribly difficult; I and others have done it again and again in the laboratory. All you need to do is buy one government surplus on eBay to test it out," Halderman, who has extensively researched voting machine security, said during the talk.
According to the researchers, the partially completed recounts provided no evidence of a cyberattack in Wisconsin or Michigan. (Campaigners also pushed for a recount in Pennsylvania, but that was ultimately blocked by legal challenges).
"Honestly we were all kind of surprised we didn't find anything," Bernhard told Motherboard in an interview.
During the talk Halderman laid out a series of previously disclosed issues with voting machines, including those that can end up in a piece of malware changing votes to a desired winner.
With that in mind, the pair made a call for dramatic improvements to voting systems and corresponding laws. Bernhard told Motherboard he wanted vulnerabilities to be fixed, but also new cryptographic mechanisms for verifying the authenticity of a vote.
Fixing existing systems will be a serious challenge though, because distributing patches is tricky when each different version of a voting machine comes with its own idiosyncrasies. Another issue is that many voting machine companies have gone broke or are otherwise out of business, Bernhard explained.
"The infrastructure to even push a patch may not even be around anymore because it died with the company that originally built the machine," he said.
"We're hoping that there will now be public pressure to increase election integrity."
In some ways, the law around elections has not kept up with voting technology either.
"Computerized voting wasn't around even thirty years ago," Bernhard said. Forcing states to only deploy machines that used a decent level of encryption or to carry out source code review of the machines could be improvements.
Of course, reform will only come about when there is the will to put in the work, said than done, and it's not totally clear where that pressure would actually come from.
Bernhard pointed to the STAR Vote project in Travis County as an election system in the US actually being improved. In this case, county officials decided they wanted to buy new voting machines, realized the machines were insecure, and called up security experts to help build their own, Bernhard explained.
"I think county clerks and election administrators are probably one of the better sources where the pressure can come from, especially since they have the knowledge of the specific constraints," Bernhard said.
But the pressure almost certainly won't be coming from the top down. That's in part because of the US election's decentralised nature, but also that those at the top—namely, the winner of the election—is unlikely to push for reform.
"We're hoping that there will now be public pressure to increase election integrity," Bernhard said.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.