Hursti hacks, DEF CON villages, and the dubious state of electronic voting
Harri Hursti is one of the most knowledgeable hackers of election technology. He is best known for the eponymous 2005 hack in Leon County, Florida, which exposed the near-complete lack of security on electronic voting machines. Over the course of several events, Harri and others easily bypassed passwords and changed vote tallies, sometimes in ways that left no detectable trace.
Since exposing those vulnerabilities, Harri has become one of the world’s leading authorities on election security. He took part in Ohio’s EVEREST study of the state’s electronic voting systems, which found numerous critical failures across the systems reviewed. When he is not protecting our democracy’s future, Harri is a founding partner at Nordic Innovation Labs, a global technology security company.
We asked Harri how he got into hacking, about his work to improve the current (and dismal) state of electronic voting security, and for his views on what, if anything, could be done to improve election security. Here’s what he had to say.
How did you initially get interested in technology, hacking, and security?
My primary interest was astronomy, and with strong math skills I was given access to computers. Programming started with math, simulation systems, graphics and databases. Microcomputers were simply not powerful enough in those days, and many of the tasks required ‘big iron’, mainframe computers. That naturally brought in early modems and telecommunication.
Acoustic modems at that time were commonly either 110 or 300 bit/s. Due to frequently recurring problems, many of us learned to whistle important control characters like Control-Q, Control-Z, and Control-C to escape from deadlocks.
The early computer crimes were really simple. Many larger legacy programs were still on punch cards in those days, which were shipped to the computer center to be executed, and after execution were left in open rooms for pickup. Commonly the second or third card in the box had username and password in clear text for anyone to see. The systems really had no security mechanisms whatsoever, and the users had no mechanisms to protect their monthly resource quotas. I started looking into ways to develop tools for users to protect their accounts.
This led to the development of the first publicly available commercial email and electronic bulletin board system, which naturally became an immediate and desirable target for early hackers, and therefore there was an internal need to develop ways to protect the system and detect attempts to breach it.
What prompted your interest in the security of electronic voting systems?
I was not interested at all. I had retired after developing and selling two companies in a row. In 2004, while on an around-the-world trip, I was asked if I would be interested in studying US election machines. I was absolutely not.
My information was sent to the UK and I was asked repeatedly if I would reconsider. To get rid of that I decided to set some rules I thought to be impossible to meet. Eventually I got an invitation in April 2005 from Ion Sancho, election supervisor of Leon County, Tallahassee, Florida to review the system he was using. After a few calls I decided to accept.
The lack of security was shocking – but it was not only security. It became very quickly apparent that these machines were cobbled together. They had the level of quality you would expect from an early proof-of-concept prototype demonstration. It was very hard to understand that there was a whole industry going to market by mass-producing its prototype designs instead of doing any real engineering – and yet operating in a business which is a critical piece of national security.
You were involved in the EVEREST study, which found an incredible number of critical security issues in electronic voting systems. From the perspective of the voting system developers and vendors, why do you think they had such lax security practices?
The voting machine ‘gold rush’ was created by the Help America Vote Act of 2002 creating massive federal funding for jurisdictions to buy new voting systems. At the time, there were no security standards for voting machines and the designs being sold were already old, designed cheaply to meet the needs of a very small market, and without observing any best practices. Many of the designs seem to have been older systems designed for completely different purposes and partially re-purposed to be used in elections.
Not only did the systems have non-existent security, but also clear evidence of a lack of any software development methodologies used. The software had no evidence of being the product of a professional software development effort.
Your “Hursti Hacks” of the Diebold systems showed that there were essentially zero security roadblocks to you altering the voting results. What changes have resulted from your research and what do you recommend companies like Diebold do to improve security?
Security cannot be an afterthought and it cannot be added later; it has to be part of the very DNA of the end product from the beginning, and a fundamental part of the design specifications. The current products are most likely unsalvageable and the best approach is to start over.
That being said, there will be no such thing as an unhackable voting system – and starting from scratch would make a better system, but not an unhackable one. Voting systems have a unique set of requirements coming from the need for a secret ballot and auditability. The false analogy of banking often comes to people’s minds – but banking is not secure; fraud happens all the time, but it can be corrected because the transactions are not private from the bank. With elections, 0.01% or less of the votes can be the deciding factor, and therefore the results have to be accurate and correct on the first try.
The most important feature of the system is not the security of the system itself, but how the system makes independent auditing of the results as easy as possible. This calls for paper ballot systems, open standards and open data formats for primary voting systems, to assist any type of independent audit the jurisdiction chooses to implement now or in the future. Auditing is important for public trust, therefore it should be an automatic part of the process, regardless of who won or how large the margin of victory was.
Let’s say the security issues of the voting machines themselves are solved. What happens to the vote data after a citizen casts their ballot? Are there downstream security issues that you’ve found, or that have yet to be investigated?
The voting environment consists of myriad IT systems handling various tasks, aspects and functions of the election cycle and election process. When it comes to the downstream information flows, many aspects of that are derived from statutes and regulations whose principles were set a long time before the digital world and big data. Many downstream issues can only be resolved by a reevaluation of what sensible statutes would look like for the modern world.
That being said, there seems to be a chronic lack of data hygiene across the board. Pre-election data is casually aggregated in staging areas placed on the public cloud without proper security measures, and processes for proper zeroization of media are often non-existent.
The U.S. seems to be trailing other countries on electronic voting technology and security. Can you review some success stories of which countries are doing it right?
There has always been fraud in paper-based systems, but paper-based systems have literally been around for over 3,000 years and we have gotten very good at managing and defending the integrity of manual systems. The natural property of a paper-based system is that it is reasonable and easy to implement physical security measures sufficient to prevent it from being a one-stop shop for wholesale fraud.
Many western countries have in their constitution a requirement that the voting system has to be understandable by any citizen, and any citizen has to be able to participate in auditing the results with no special tools or training required. That alone forces the systems to be manual and simple. And complexity is always the enemy of security.
Two part question: What do you see as the future of electronic voting systems? And what’s your “nirvana” - what would you like to see happen to improve the security of our voting process?
Paper ballot voting, and the ballots being processed with two independent methodologies, a primary system to produce the results and a secondary system to verify the results. Preferably both systems would be based on open source and open standards. Not because it would make them easier to scrutinize, but to break vendor locks and eliminate any artificial arguments derived from claims of copyrights, proprietary systems, or trade secrets.
Automatic audits for all races, every time. And use technology to empower citizen engagement and participation in the verification process.
Elections are people’s expression of their will and the process has to be open and transparent in every way. There is no place for patents, copyrights, trademarks and secrets.
What advice do you have for those who want to get involved in advocacy or research? Any advice on how to better work with local, state, and federal lawmakers on this important topic?
There are many areas of elections which have been under-researched. As shocking as it may sound, even research into how to make ballots easier for voters to understand is a recent thing. The Verified Voting Foundation is a wonderful resource for the cross-discipline research community to meet and exchange information. Unfortunately, there are quite a few phony organizations with official-sounding names and even home people with names on their websites – many of these organizations claim to be focusing on technology approaches. Research before getting involved.
On the side of lawmakers, it is important to find the facts and understand the issues. U.S. elections are too complex to run without technology; the question is responsible deployment of the technologies chosen. And because all systems are hackable, the key is not to audit the systems, it is to audit the results. Various methods for risk-limiting audits are a low-cost way to implement safeguards that results are correct, and those safeguards should be mandatory. In order to have audits, the voter’s intent has to be recorded on permanent media, and today or in the foreseeable future there is no alternative to the paper ballot for that. Internet voting, blockchains and other pie-in-the-sky ideas offer not even a piece of a solution. We do not even have the algorithmic theory for how to solve the new challenges Internet voting would bring.
And, for example, blockchain could maybe be one of the building blocks to solve the easiest of the problems around, but it could never be used to solve any of the dozen or so hard problems. Blockchain would also create a number of new issues to be solved, and therefore it would always have a net negative impact as a technology.
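Hursti’s point that the results, not the systems, are what should be audited has a concrete form: a risk-limiting audit. The following is an added example, not Hursti’s own code or any jurisdiction’s tooling. It implements the BRAVO ballot-polling test (Lindeman, Stark and Yates, 2012) on a constructed two-candidate contest, and assumes exactly the prerequisites he names: a paper record of every ballot, a manifest from which ballots can be drawn uniformly at random, and a hand reading of each drawn ballot. The candidate names, vote counts, risk limit and the “flipped tally” scenario are all constructed for illustration.

```python
"""Ballot-polling risk-limiting audit (BRAVO) for a two-candidate contest.

Added example. All election figures below are constructed for illustration,
not taken from any real contest.
"""
import math
import random


def bravo_audit(reported, drawn_ballots, alpha=0.05):
    """Apply the BRAVO sequential test to hand-read ballots drawn at random.

    reported      -- {candidate: votes} as announced by the primary (electronic) system
    drawn_ballots -- candidate recorded on each paper ballot, in the order the
                     ballots were drawn uniformly at random (with replacement)
                     from the ballot manifest and interpreted by hand
    alpha         -- risk limit: if the reported winner actually lost, the chance
                     the audit wrongly stops and confirms is at most alpha

    Returns (confirmed, ballots_examined). confirmed=False means the sample ran
    out before the evidence threshold was met: escalate to a full hand count.
    """
    # Pairwise reduction: reported winner against the strongest reported loser.
    (winner, v_w), (loser, v_l) = sorted(reported.items(), key=lambda kv: -kv[1])[:2]
    s_w = v_w / (v_w + v_l)                  # reported winner share of the two-way vote
    if s_w <= 0.5:
        raise ValueError("BRAVO needs a strict reported winner")
    threshold = -math.log(alpha)             # stop once the likelihood ratio reaches 1/alpha
    log_t = 0.0                              # log likelihood ratio: reported outcome vs. a tie
    examined = 0
    for ballot in drawn_ballots:
        examined += 1
        if ballot == winner:
            log_t += math.log(s_w / 0.5)         # evidence for the reported outcome
        elif ballot == loser:
            log_t += math.log((1 - s_w) / 0.5)   # evidence against it
        # Ballots for other candidates, undervotes and blanks carry no pairwise evidence.
        if log_t >= threshold:
            return True, examined
    return False, examined


def draw(cast_ballots, rng, limit):
    """Draw up to `limit` ballots uniformly at random with replacement.

    Stands in for pulling the ballot at a randomly chosen manifest position out
    of its sealed container and reading it by hand.
    """
    n = len(cast_ballots)
    for _ in range(limit):
        yield cast_ballots[rng.randrange(n)]


if __name__ == "__main__":
    rng = random.Random(2018)                # fixed seed so the demo is repeatable
    reported = {"A": 5_600, "B": 4_400}      # constructed tabulator output
    honest = ["A"] * 5_600 + ["B"] * 4_400   # paper ballots match the reported tally
    # Constructed attack: the tabulator flipped 700 B votes to A; the paper says B won.
    flipped = ["A"] * 4_900 + ["B"] * 5_100
    for label, paper in (("honest", honest), ("flipped", flipped)):
        ok, n = bravo_audit(reported, draw(paper, rng, len(paper)), alpha=0.05)
        print(f"{label}: confirmed={ok} after {n} ballots"
              + ("" if ok else " -> escalate to full hand count"))
```

In the honest run each sampled ballot for the reported winner pushes the log likelihood ratio up and the audit stops after a few hundred ballots, which is what makes the method cheap enough to mandate for every race. In the flipped run the true winner share is below one half, so the evidence drifts downward, the threshold is never reached and the audit escalates to a full hand count; the only way a wrong outcome survives is the at-most-alpha chance of an early false stop. The guarantee rests entirely on what the code takes as given: the paper record must be the voter’s intent, the manifest must cover every ballot, and the physical custody Hursti describes for paper-based systems must prevent the ballots from being altered between casting and audit. Real audits repeat the pairwise test for every winner–loser pair in every audited contest.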
You may also be interested in the DEF CON 25 Voting Machine Hacking Village recap, and Electronic Voting In 2018: Threat Or Menace, a talk by Matt Blaze at ShmooCon 2018.