Can Electronic Voting Machines Be Hacked?

With the election now in just weeks and the republican nominee, Donald Trump, stating numerous times that it will be rigged, electronic voting once more takes center stage with concerns raised that electronic voting machines could be hacked.

Unlike Britain, which uses only paper ballots, USA uses electronic voting. Although paper ballots still account for around 75% of all votes in USA, five states, Georgia, Delaware, Louisiana, South Carolina and New Jersey, use only electronic machines, and, more worryingly have no paper trail thus making it impossible to audit the results.

This is worrying as voting machines are made of computer code which can and has been hacked. A Princeton professor, for example, showed how one can be hacked in seven minutes. On Apr 14 2015, the Virginia State Board of Elections decertified AVS WinVote touchscreen Direct Recording Electronic (DRE) because they could be hacked through wireless access, not even requiring physical presence at the polling station.

Moreover, it’s not just hacking. Irregularities can occur unintentionally due to hardware or software malfunctioning. There have been cases of touchscreens switching votes, of ballots disappearing as in 2006 where 18,000 votes vanished in a contest decided by only 363 votes and the case of the Arkansas mayoral candidate who was surprised to see he received 0 votes while he confirmed he had certainly voted for himself. At least the results were not negative, like in Florida in 2000 where an electronic voting machine gave Al Gore a final vote count of minus 16,022 votes.

This year’s electronic voting is further complicated by the fact that the machines are now very old, not having been replaced in a decade, with some not replaced in 15 years. Most run windows XP, which is no longer maintained, while some are on windows 2000. Some of the machine manufacturers are no longer in business, with replacement parts difficult to find. This year’s machines, therefore, may be more prone to crashing and, as old operating system vulnerabilities are unpatched, they may more easily be hacked.

According to Bruce Schneier, a renowned computer security expert, the solution is to mandate paper audit trails. Schneier states:

“DRE machines must have a voter-verifiable paper audit trails (sometimes called a voter-verified paper ballot). This is a paper ballot printed out by the voting machine, which the voter is allowed to look at and verify. He doesn’t take it home with him. Either he looks at it on the machine behind a glass screen, or he takes the paper and puts it into a ballot box. The point of this is twofold: it allows the voter to confirm that his vote was recorded in the manner he intended, and it provides the mechanism for a recount if there are problems with the machine.”

Another problem is systemic hacking or manipulation either by the manufacturer himself or others. As the code on which electronic machines run is not visible or examinable publicly, there is no way to verify results are not subtly tampered intentionally by the manufacturer who may change a few lines of code or by someone getting access to the manufacturer’s system. Considering that some states do not have paper trails at all, and others do not run paper trail audits unless the race is close and requires a recount, such systemic manipulation of electronic machines to tilt the balance a certain way could have a significant effect towards the end result.

The solution is to require the code is publicly released as open source so that all can look and see how it works. Why this has not been done already is not clear, save for perhaps lack of public pressure considering the rarity of elections and the argument of manufacturers that the code has trade secrets. However, except for who voted for what, elections require full transparency if they are to attract the confidence of the public. This applies more in this election than ever considering some clear and overt biased by the media and much of the establishment against Trump.

Nonetheless, if there are any irregularities they are likely to be limited in number, thus affecting perhaps a very close race, but probably not an election where one candidate is clearly the preferred choice.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.