After partial vote recounts in certain states, US election officials found no evidence that votes had been manipulated by a cyberattack on voting machines, security researchers told an audience at the Chaos Communication Congress hacking festival on Wednesday. But, the researchers called for a vast overhaul in voting machine security and related legislation, warning that an attack is still possible in a future election. “We need this because even if the 2016 election wasn’t hacked, the 2020 election might well be,” said J. Alex Halderman, a professor of computer science at the University of Michigan, during a presentation with Matt Bernhard, a computer science PhD student. Halderman’s and other security experts’ concerns made headlines in November when he participated in a call with the Clinton campaign about a potential recount in some states. Green Party candidate Jill Stein subsequently held a crowdfunding campaign to finance the recounts. “Developing an attack for one of these machines is not terribly difficult; I and others have done it again and again in the laboratory. All you need to do is buy one government surplus on eBay to test it out,” Halderman, who has extensively researched voting machine security, said during the talk.
According to the researchers, the partially completed recounts provided no evidence of a cyberattack in Wisconsin or Michigan. (Campaigners also pushed for a recount in Pennsylvania, but that was ultimately blocked by legal challenges). “Honestly we were all kind of surprised we didn’t find anything,” Bernhard told Motherboard in an interview.
During the talk Halderman laid out a series of previously disclosed issues with voting machines, including those that can end up in a piece of malware changing votes to a desired winner. With that in mind, the pair made a call for dramatic improvements to voting systems and corresponding laws. Bernhard told Motherboard he wanted vulnerabilities to be fixed, but also new cryptographic mechanisms for verifying the authenticity of a vote.
Fixing existing systems will be a serious challenge though, because distributing patches is tricky when each different version of a voting machine comes with its own idiosyncrasies. Another issue is that many voting machine companies have gone broke or are otherwise out of business, Bernhard explained.
“The infrastructure to even push a patch may not even be around anymore because it died with the company that originally built the machine,” he said.