Hackers were able to use a screwdriver to get inside a ballot-scanning machine similar to what will soon be used across Georgia, allowing them to replace a memory card and effectively take control of the machine that counts votes.
That was one of the vulnerabilities found in the Dominion ImageCast Precinct ballot scanners, according to a report Thursday from the DEF CON Voting Machine Hacking Village, a conference in Las Vegas where hackers tinkered last month with voting equipment to expose weaknesses.
Georgia Secretary of State Brad Raffensperger said the hackers examined an "old, outdated system" that didn't match the ballot scanners that will be rolled out statewide starting with the March 24 presidential primary. He also said the hacks didn't account for real-life election security protocols.
The report on the problems of voting technology across the country, which found weaknesses in every system tested, highlights some of the ways that computerized election equipment could be manipulated if hackers were able to subvert security precautions.
Georgia's new voting system will include a printed-out paper ballot, which election officials say will be audited to verify computerized vote counts.
The DEF CON report said hackers opened the ballot scanner’s “security screws” by buying a bit set for less than $28 at an electronics store. Then they were able to switch the machine’s memory card with one they had brought, allowing them to run their own operating system on the machine.
“If you would have a real nation-state actor, a real criminal, the next step would be to take that exploit and weaponize it,” said Harri Hursti, a co-founder of the DEF CON Voting Village. “Once you know where the weakness is, now you can start to think about mitigation strategies.”
For this vulnerability to be exploited in an election, someone would have to physically gain access to the optical scanner without being caught. But Hursti said that could happen anytime before an election if officials aren’t careful about their security practices.
Raffensperger said the DEF CON report is “partisan, misinformed and intellectually dishonest.”
“While the DEF CON staff were offered an opportunity to test the updated Dominion systems in a real-world setting, they unfortunately refused and continued to inspect a dressed-down, defunct system in controlled conditions that do not resemble the established protocols set forth by our Georgia elections professionals,” Raffensperger said in a statement. “As our office continues to strive toward safe, fair and accurate elections, this type of activist propaganda represents the dangerous agenda of liberals to incite fear into Georgia voters.”
The report also said that locks on ballot boxes could be picked, allowing paper ballots to be stolen.
In addition, the scanning machine that was tested ran a version of software that has 20 known medium- to high-level vulnerabilities, according to the report. Raffensperger’s statement didn’t address whether Georgia’s voting system will use the same software.
Jeremy Epstein, an election security expert with the Association for Computing Machinery, said the DEF CON report highlights the need for strong audits of paper ballots, as well as physical security of voting equipment. Georgia election officials are currently developing audit procedures.
Because any computerized system could potentially be hacked, poll workers need to be well-trained to reduce the possibility of interference in elections, he said.
“Election officials should be setting a higher bar than we historically have for our voting machines,” Epstein said. “The good thing about the paper ballots, unlike the touchscreen machines historically used in Georgia, is in the worst case the paper ballots are in a box” that can be used to check the accuracy of results.