The list of electronic voting machines in use is long, in part because they stay in service for many years and models vary by purchase dates. Although researchers may pick a certain touch-screen system for testing, the sharpest criticisms are directed at a particular class of machine -- those without a voter-verified paper record.
There are about 10 states that use Direct Voting by Electronics (DRE) without Voter Verified Paper Audit Trail (VVPAT). The list is approximate because county systems may vary. The states with at least some electronic-only systems include New Jersey, South Carolina, Georgia, Louisiana, Pennsylvania, Virginia, Kentucky, Indiana, Texas and Delaware, according to Verified Voting.
State officials insist their systems are secure. Getting at voting machines, in particular, may require a physical attack. But computer security threats follow an evolving pattern that may start with physical access and move on from there.
At the same time Pennsylvania voters filed their lawsuit in 2006 challenging the electronic system, computer scientists at Princeton University were demonstrating how to hack touch-screen voting machines. The scientists physically hacked into a machine, replaced the original memory card with an infected card, rebooted, and returned the original memory card. The machine was now infected. Researchers even used a minibar-type key to open the electronic machine.
Whether the Princeton attack was a fair demonstration or not may not be as important as understanding the process in computer security.
Progression of a hack
"Things go through a sequence that looks like: Theoretically possible, proof of concept, weaponized," said Eckhardt.
Scientists work to understand the threats coming down the road. The same process has been applied to viruses, rootkits, BIOS rootkits, and now ransomware, which is arguably the next stage after something is weaponized, and that's commercialization, said Eckhardt.
State-level actors are weaponizing things, said Eckhardt, and they "have the money and they are good."
The IT and security practices around voting, aggregation and registration systems may vary considerably from state to state and county to county. This gives attackers options and opportunity.
"Hypothetically, what if endpoint protections, or the lack thereof, allowed ransomware to execute?" said Zach Lanier, director of research at security firm Cylance. The message to election officials might be: " 'You can't have an election until you pay $1 million to unlock all your machines.' "
The attackers may not care who wins.
The goal instead may be "to create a mistrust in the 'system,' " said Samir Kapuria, the senior vice president and general manager of Symantec's Cyber Security Services business unit. "You don't want people to lose faith in the outcome of the election."
The risk "is less about throwing an election, as opposed to creating a lack of confidence in the results," said Kennet Westby, president of Coalfire Systems, an IT audit and compliance firm.