American democracy depends on the sanctity of the vote. In the wake of the 2016 election, that inviolability is increasingly in question, but given that there are 66 weeks until midterm elections, and 14 weeks until local 2017 elections, there’s plenty of time to fix the poor state of voting technology, right? Wrong. To secure voting infrastructure in the US in time for even the next presidential election, government agencies must start now.
At Def Con 2017 in Las Vegas, one of the largest hacker conferences in the world, Carsten Schurmann (coauthor of this article) demonstrated that US election equipment suffers from serious vulnerabilities. It took him only a few minutes to gain remote control of a WINVote machine used in several states in elections between 2004 and 2015. Using a well-known exploit from 2003 for the vulnerability described in Microsoft security bulletin MS03-026, he gained access to the vote databases stored on the machine. This kind of attack is not rocket science and can be executed by almost anyone. All you need is basic knowledge of the Metasploit tool.
Had Schurmann hacked the WINVote during an election, he could have changed the vote totals stored on the machine, observed voters while they were voting, or simply turned off the machine on voting day to cause havoc. This is not exactly the kind of news that increases public trust in election results. But the really bad news is that since the WINVote voting machine does not provide a paper trail, the manipulation of the database would not have been detectable. The same goes for many of the voting machines still in use, which prevent auditors from checking that the votes reflect voter intent.
All of this poses a threat to the heart of US democracy. The people responsible for maintaining and updating these outdated and vulnerable devices are obliged to take steps to rectify the shortcomings and to minimize the risk of disruption through cyber-attacks. Reiterating that everything is secure and safe enough will not do.