Breach podcast: Step 4, election hacking -- Counting the vote
DefCon Voting Village report (Click for PDF)
Once you leave the polling place, an intricate dance of technology takes place. Perhaps the machine you used creates a local tally and prints out an end-of-day receipt, which is later added to tallies from other machines in that precinct, in that county, and that state. The counts themselves must be accurate, but perhaps more important, the transmission of the counts must be secure. Many experts see this as a vulnerable step.
Just click play above, or listen to the podcast on Stitcher
or on iTunes
"If we're able to modify the transmission of vote tallies back and forth across these systems, we could potentially influence the vote," said Mark Kuhr, a security expert with Synack Inc.
The votes might be sent over the Internet. They might be sent via "sneaker net," with a courier driving memory cards to a central location. In some states, vote tallies are transmitted wirelessly. And that introduces more potential problems. States that do this claim the data is encrypted, but experts worry about vulnerabilities – such as so-called man-in-the-middle attacks. Devices like Stingray machines – often usually by police to intercept smartphone transmissions -- can pose as cellular network towers and download all information sent towards those towers.
PARTIAL TRANSCRIPT
MARK: So when you look at, you know, going to a polling station and putting your vote in, a lot of times that's an electronic machine, but then at the end of the day that gets transmitted back to uh, a central place to for the vote to be counted. ALIA: This is Mark Kuhr from Synack again. MARK: And that's where vulnerabilities can come into this — this system as well is — is on the network side. If we're able to modify the transmission of vote tallies back and forth across these systems, we could potentially influence the vote. ALIA: Of course, my vote needs to be sent somewhere. It doesn't just get counted at my precinct. It has to actually go somewhere to be counted. This just actually never occurred to me. BOB: And right now in Florida, Illinois, Michigan, and Wisconsin, they all send their votes wirelessly over cellular networks to be tabulated. And now the states will make claims to say that the voting machines themselves aren't connected to the Internet, and when the data is being transmitted, it's encrypted and authenticated. So they believe that this is safe, but not everybody does. ALIA: So states that use wireless cellular networks, can those be hacked?
HARRI: So the answer is absolutely.