Vote Tampering

I’m a vulnerability researcher by trade. Many people refer to this as ‘white hat’ hacking. What this means is that people pay me to try to compromise their computer systems through whatever channels they’re concerned about. It also means that I am pretty familiar with the ways to break into computer systems, networks, applications, and embedded systems.

This has led to a number of conversations lately around the topic of voter fraud, election tampering, and compromising voting systems. I can sum up my beliefs pretty succinctly:

I don’t believe there is such a thing as a secure computer system.

Within the last few weeks, lots of people have been talking about Dominion and how they were used in the Venezuela election, and how that election was grossly manipulated. Within the last few days, people have alleged that they were able to gain access to voting machines in Georgia, and are present on the systems and actuating 2-way comms while voting is taking place. In 2019, DefCon hosted a hack the vote event, and those machines fell over like my cardboard fort from pre-k.

In an age of cyber espionage and nation states warring silently over the interwebs, I’m not confident at all in our nation’s ability to host a secure and reliable election via any connected electronic means. If a system has the hardware to connect to a network, someone can control it, manipulate it, and exfiltrate data from it.

A Thought Experiment

I will perform a thought experiment. This will begin with a handful of assumptions:

1. An electronic vote tallying machine exists
2. The vote tallying machine uses software to tabulate votes
3. The software can be accessed via a user interface
4. The software is periodically managed by the manufacturer or user
5. The manufacturer uses the internet
6. A nation state exists that wants to compromise these machines

All of these are pretty reasonable assumptions, and I would speculate that all of these (and more that actually make the job easier) are true for every voting machine in use. Given these things, let’s discuss how someone could subvert this machine.

If an electronic machine exists that runs software, a dedicated individual or group can obtain that software. Ideally, they would be able to break into the company itself and steal its source code. This isn’t nearly as hard as you might think if the company uses the internet. From here there are generally two paths:

1. Compromise the supply chain
2. Compromise the software/firmware/hardware

Compromise the Supply Chain

If the manufacturer maintains their software/firmware/hardware, then they keep that information somewhere. If they use the internet, then that information can almost certainly be accessed through any number of avenues from anywhere in the world. I’ve linked to several examples earlier in this piece, but here are a few more. The easiest method here would be to exfiltrate the source code, add in whatever new features you want the software to have, and then replace the production/distribution version on the manufacturer’s servers.

The hard parts here are the initial compromise of the target network, and getting around any kind of certification/signing system the company has in place. Once the first one is established, the second kind of falls in your lap. The first one can happen with an email that says “Please review these account numbers” and has a malicious Excel spreadsheet attached. Boom, compromised.

From there, you move laterally through the network until you find what you’re looking for. Sometimes that’s hard, sometimes it’s easy, but it’s basically never impossible. People become multi-millionaires on tools and techniques to accomplish this. It’s a big business.

Find the code, change the code, compile and sign the code from inside their own development environment.

When the time comes to update the machines, your software will be installed instead of the one the manufacturer intended, and votes will be randomly given to Mickey Mouse and Peter Pan instead of Biden or Trump.

Game Over.

Compromise the Component

This one is harder. This one assumes you can’t get to the manufacturer’s supply chain for one reason or another. Let’s say that the manufacturer doesn’t keep their software on an internet facing server. Let’s say that you don’t want to leave behind evidence on their servers. Let’s say that the manufacturer doesn’t perform regular updates anymore. Lets say that the manufacturer went out of business.

No problem. We’re a nation state. We can do this.

One of our assumptions was that at least one extra machine exists. This doesn’t even mean that the machine isn’t going to be missed if it disappears. This just means that there’s one sitting around unused, like a spare in case one breaks. Every major government in the world has an intelligence service that specializes in gaining access to systems like this. They pay someone to turn their back, or maybe one of them falls off a truck somewhere. However it happens, someone who is well-informed and well-prepared can pull the entire contents of a hard drive or flash storage in a matter of minutes, even from something that doesn’t look like a computer. All they need is a little time and nobody paying too much attention.

This path means a little bit of extra work reverse engineering the binary data on the machine, but for someone dedicated to undermining the validity of democracy, that’s not that big of a deal. There are tons of people who do that kind of thing for a living, and many are willing to sell their services to the highest bidder. Finding 0-days, also known as Common Vulnerabilities and Exposures (CVE), is what they live for.

Once a vulnerability is found (and it will be found, there are thousands of 0-days found in trusted software every year), they will create a piece of malware to exploit that vuln.

Please note that none of our assumptions actually include network connection or the ability to have 2-way communications with the device. This isn’t really necessary. There are plenty of pieces of software out there that do everything they need to do and never connect to the internet.

“But how in the world will you manage to get your malware onto that voting machine?” you might ask. “Social engineering” would be my go-to answer. That’s the way pretty much all malware gets onto a system (aside from remote exploitation, but that requires network connectivity). One of these ways would be to pay a legitimate employee to install a compromised update to the system. Or perhaps the nation state in question manages to get an operative hired on at the company and that operative installs the malware as they go about their normal maintenance tasks. Both of these scenarios happen often enough to have a term in the business: “Insider threat,” a la Edward Snowden. Or, since we know there’s a user interface to the voting machine (because you have to, you know, cast a vote) perhaps an operative compromises the system through that interface while in the booth.

Finding a vulnerability in a simple user interface is all-too-common. If there’s a place for a user to input data, there’s a possible attack surface. Once that’s found, it’s lights out.

Concluding Thoughts

I say all of that in order to say this:

Don’t trust anything that happens in a computer, especially if it’s important. It is so much harder to fake physical ballots than electronic ones. At least physical ballots have to exist to be counted, which means there’s some measure of accountability and a requirement for evidence.

The most recent SolarWinds breaches, which include dozens of governmental departments, should be a clear warning. Oh yeah, did I mention that Dominion used SolarWinds?

We’re making it too easy for them.

Stay ready. Stay safe. Stay free.

-Hodo