As new reports emerge about Russian-backed attempts to hack state and local election systems, U.S. officials are increasingly worried about how vulnerable American elections really are. While the officials say they see no evidence that any votes were tampered with, no one knows for sure. Voters were assured repeatedly last year that foreign hackers couldn’t manipulate votes because, with few exceptions, voting machines are not connected to the Internet. “So how do you hack something in cyberspace, when it’s not in cyberspace?” Louisiana Secretary of State Tom Schedler said shortly before the 2016 election. But even if most voting machines aren’t connected to the Internet, says cybersecurity expert Jeremy Epstein, “they are connected to something that’s connected to something that’s connected to the Internet.” … While it’s unclear if any of the recipients took the bait in the email attack, University of Michigan computer scientist Alex Halderman says it’s just the kind of phishing campaign someone would launch if they wanted to manipulate votes.
“That’s because before every election, the voting machines have to be programmed with the design of the ballots — what are the races, who are the candidates,” says Halderman.
He notes that the programming is usually done on a computer in a central election office or by an outside vendor. The ballot program is then installed on individual voting machines with a removable memory card.
“So as a remote attacker, I can target an election management system, one of these ballot programming computers. If I can infect it with malicious software, I can have that malicious software spread to the individual machines on the memory cards, and then change votes on Election Day,” says Halderman.