Now You Can Vote Harder

The security of voting has always been a joke. The people counting the votes could always manipulate the results, boxes of ballots could disappear, voters could vote more than once pretty easily, etc. Electronic voting machines could have solved many of these issues. Instead they are merely continuing the tradition of terrible security:

A 29-year-old former cybersecurity researcher with the federal government’s Oak Ridge National Laboratory in Tennessee, Lamb, who now works for a private internet security firm in Georgia, wanted to assess the security of the state’s voting systems. When he learned that Kennesaw State University’s Center for Election Systems tests and programs voting machines for the entire state of Georgia, he searched the center’s website.

“I was just looking for PDFs or documents,” he recalls, hoping to find anything that might give him a little more sense of the center’s work. But his curiosity turned to alarm when he encountered a number of files, arranged by county, that looked like they could be used to hack an election. Lamb wrote an automated script to scrape the site and see what was there, then went off to lunch while the program did its work. When he returned, he discovered that the script had downloaded 15 gigabytes of data.

[…]

Within the mother lode Lamb found on the center’s website was a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals.

The files were supposed to be behind a password-protected firewall, but the center had misconfigured its server so they were accessible to anyone, according to Lamb. “You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb says.

Login passwords posted where they’re publicly accessible? That sounds like fun. Oh, and the site is running an old version of Drupal, which means it has plenty of vulnerabilities for malicious individuals to exploit. With this information in hand it might be possible for a malicious hacker to actually vote hard enough to change the results of an election.

What lessons can be taken away from this? The most obvious lesson is that the Georgia government doesn’t give a shit about security. With how important statists claim voting is you would think that hiring a few security researchers to verify the security of purchased voting machines and the systems they rely on would have been at the top of Georgia’s list. Apparently it wasn’t on the list at all. The second lesson that one could take away from this is that voting is meaningless. Not only are you more likely to die on your way to your polling place than to change the election with your vote but the security of the voting process is so terrible that there’s every reason to believe that your vote won’t be counted or will be counted incorrectly.