Election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack, according to a report to be delivered Thursday on Capitol Hill. The issue was found in the widely used Model 650 high-speed ballot-counting machine made by Election Systems & Software LLC, the nation’s leading manufacturer of election equipment. It is one of about seven security problems in several models of voting equipment described in the report, which is based on research conducted last month at the Def Con hacker conference. The flaw in the ES&S machine stood out because it was detailed in a security report commissioned by Ohio’s secretary of state in 2007, said Harri Hursti, an election-security researcher who co-wrote both the Ohio and Def Con reports. “There has been more than plenty of time to fix it,” he said.
While the Model 650 is still being sold on the ES&S website, a company spokeswoman said it stopped manufacturing the systems in 2008. The machine doesn’t have the advanced security features of more-modern systems, but ES&S believes “the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real world environment,” the spokeswoman said via email. The machines process paper ballots and can therefore be reliably audited, she said.
… To leverage the 11-year-old flaw, hackers need to save malicious files on a storage drive that is then plugged into a machine. Mr. Hursti said he believes that because the removable devices used by these machines are no longer manufactured and are commonly bought on sites such as eBay, it is possible for a hacker to sell an infected disk.
Model 650 vote counts could also be modified remotely via a networking bug, the report says.
In a close race, vote tampering could be devastating, Mr. Hursti said. “If you make a small modification in a small number of counties, that’s enough to swing the state,” he said.