Malware Uploads On Air-Gapped Systems

Even though voting machines are almost never directly connected to the internet they still need to be able to receive electronic files that tell it which candidates are on the ballot. Typically, election officials do this by preparing the so-called ballot definition files on a separate election management system and then transferring it to the voting system via a memory card or cartridge.

Many voting machines designed in the 1990s and 2000s, and which are scheduled for use in the upcoming election, use flash memory to store and update the ballot definition file. A lot of these systems are enabled to receive software updates in the same way they receive the ballot files — via cartridge or a memory card. This opens an opportunity for an attacker to slip a malicious program into a voting machine that causes it to miscount votes, according to Andrew Appel, professor of computer science at Princeton University’s Center for Information Technology Policy.

An attacker could do this over the internet by breaking into the computer that is used to create the ballot definition files or someone with access to the computer could slip in malicious code while creating the ballot file, he said.

Such malicious code updates can be undetectable on direct record electronic voting machines that accept unsigned software updates via cartridge or memory card — and that don't have a verifiable paper audit trail as a backup, he said. New Jersey, Delaware, South Carolina, Georgia and Louisiana are scheduled to use DRE machines without any paper backup.

The threat is substantially mitigated in systems that do have a paper audit trail, however.

Image Source: Wikimedia Commons