Security researchers have announced the discovery of several election systems across the country connected to the internet that are vulnerable to hacking.
As a security policy, voting machines and election systems are supposed to remain disconnected from the internet, or “air-gapped,” unless they are transmitting data. This is to prevent the possibility of hackers connecting to them and subverting the results. Despite assurances to the contrary from Election Systems & Software, the largest voting machine vendor in the country, researchers identified 35 election systems with persistent internet connections.
The systems were identified in ten states, including swing states Wisconsin, Michigan and Florida and in some cases had been connected to the internet for years.
“Not only should ballot tallying systems not be connected to the internet, they shouldn’t be anywhere near the internet,” said Senator Ron Wyden regarding the findings. Wyden has been a long-term advocate of election security and has proposed legislation banning connections to, and transmissions via the internet in voting machines.
Adding to the potential dangers of exposure to hackers is the finding that many of the identified voting systems are running out-of-date software, or have yet to implement security patches and upgrades. Many districts require any new software to be vetted and certified by state and-or federal authorities before being applied to voting machines. While this is ostensibly done for security purposes, it effectively means that any internet-connected voting machine is vulnerable to known methods of hacking or cyberattack, sometimes for months at a time.
“What you are describing is a bad behavior amplified by sloppiness and complete negligence of security,” said election security expert Harri Hursti.
See the Motherboard article describing the findings here.