Ari Singer
5 Measures to Harden Election Technology

Voting machinery needs hardware-level security. The stakes are the ultimate, and the attackers among the world's most capable.

Part 2 of a two-part series.

The Iowa caucus isn't the first time that election technology failed spectacularly. As the New York Times reported, a November 2019 election in Northampton County, Pennsylvania, made history by being so lopsided that nobody believed the results. The actual winner (after a count of the paper ballots) was initially credited with just 164 out of 55,000-odd votes in the electronic tally. It's still unclear whether the cause was a defect in voting hardware or software, or the result of a hack.

In Part 1 of this series, we looked at common vulnerabilities of voting machines, scanners, and the overall voting system. In Part 2, we examine five concrete measures to make our election technology a harder target.

Measure 1: Use single-purpose systems. Less complexity means better security. Voting machines should be purpose-built, capable of filling out ballots, but nothing else. They should support two key functions: voting, and secure device management. They should employ a secure boot process, either loading an OS and voting application or loading an environment that allows secure, verified updates. All commercial off-the-shelf operating systems and software should be locked down, to prevent access to physical interfaces (e.g., USB), network connections, and other interfaces.

Measure 2: Build in defense-in-depth. Manufacturers — of all endpoints, not just voting devices — now recognize that redundancy and multiple layers of security are needed. So-called defense in depth helps make security infrastructure much more difficult to attack because it removes single points of failure.

Measure 3: Limit privileges. A critical, often overlooked security tool is to minimize privileges. This includes system users, software developers, and hardware vendors. Election officials should be able to verify the entire system and ensure that no vendors, employees, or contractors can subvert elections.

Measure 4: Use multiple counting systems and cross-checks. Election officials and voters need multiple ways to verify the election. Election equipment should provide both digital audit trails and a physical, human-verifiable paper ballot. If, for instance, the voting machine reports its own total vote tally, the voter is given a paper ballot to check before submitting it to the tallying system, and the tallying system reports the totals from each voting machine, then the election administrator can compare three independent pieces of data (from the physical ballots, the voting machine, and the tally system). Having the voter double-check the physical ballot helps to ensure the votes are counted as the voters intended.
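As an added illustration of Measure 4 (this is example code, not from the article or from TrustiPhi), the three-way reconciliation below compares per-machine totals from the voting machines, from the tally system, and from a recount of the paper ballots, and reports any machine-and-candidate pair where the sources disagree. All machine IDs, candidate names and counts are constructed sample data; the tally-system report deliberately contains a dropped digit so the cross-check has something to find, the same class of error as the Northampton County tally mentioned earlier.

```python
"""Three-way cross-check of election counts (constructed example, not election software)."""
from collections import Counter

# Constructed sample data: what each of the three independent sources reports.
MACHINE_TALLIES = {                      # each voting machine's self-reported totals
    "VM-01": {"Alice": 120, "Bob": 95},
    "VM-02": {"Alice": 80, "Bob": 101},
}
TALLY_SYSTEM_REPORT = {                  # central tally system's per-machine totals
    "VM-01": {"Alice": 120, "Bob": 95},
    "VM-02": {"Alice": 80, "Bob": 1},    # constructed defect: dropped digits (should be 101)
}
# Paper ballots as (machine that printed it, voter's choice), reconstructed from the recount.
PAPER_BALLOTS = (
    [("VM-01", "Alice")] * 120 + [("VM-01", "Bob")] * 95
    + [("VM-02", "Alice")] * 80 + [("VM-02", "Bob")] * 101
)


def count_paper_ballots(ballots):
    """Aggregate the paper recount into the same per-machine shape as the other sources."""
    per_machine = {}
    for machine, choice in ballots:
        per_machine.setdefault(machine, Counter())[choice] += 1
    return {m: dict(c) for m, c in per_machine.items()}


def reconcile(machine_tallies, tally_report, paper_counts):
    """Return a list of discrepancies; an empty list means all three sources agree.

    Each entry is (machine, candidate, {source: count}) or (machine, "missing", [sources]).
    """
    discrepancies = []
    machines = set(machine_tallies) | set(tally_report) | set(paper_counts)
    for m in sorted(machines):
        sources = {
            "machine": machine_tallies.get(m),
            "tally_system": tally_report.get(m),
            "paper": paper_counts.get(m),
        }
        missing = [name for name, counts in sources.items() if counts is None]
        if missing:
            # A machine known to one source but absent from another is itself a finding.
            discrepancies.append((m, "missing", missing))
            continue
        candidates = set().union(*(counts.keys() for counts in sources.values()))
        for c in sorted(candidates):
            values = {name: counts.get(c, 0) for name, counts in sources.items()}
            if len(set(values.values())) > 1:
                discrepancies.append((m, c, values))
    return discrepancies


def grand_totals(counts):
    """Sum per-machine counts into an overall result for one source."""
    total = Counter()
    for per_machine in counts.values():
        total.update(per_machine)
    return dict(total)


if __name__ == "__main__":
    paper = count_paper_ballots(PAPER_BALLOTS)
    for finding in reconcile(MACHINE_TALLIES, TALLY_SYSTEM_REPORT, paper):
        print("DISCREPANCY:", finding)
    print("paper grand total:", grand_totals(paper))
```

The point of keeping the three sources in the same shape is that the comparison is mechanical and can be re-run by anyone holding the paper ballots, which is what makes the paper trail a genuine independent check rather than a formality.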

Graphic by Ives Brant, TrustiPhi

Measure 5: Layered Security Measures for Election Devices
To achieve secure voting, layer in security against tampering, rogue software, and devices that could insert fake voting results. Require clearly printed paper ballots and ask every voter to check their ballot carefully before scanning its code. These measures are not foolproof, but they're difficult to hack through.

Election Hardware Security Basics
Strong hardware-based security — with four foundational capabilities — in election machines should underpin the above-described solutions.

  • Authentication
  • Authorization
  • Attestation
  • Resiliency

The good news: These requirements for secure interdevice communication apply generally to all connected devices — and technologies exist now to provide these capabilities.

Authentication: Are you the device you claim to be?
Each election device should provide strong (cryptographic) evidence to confirm its identity as the correct source of its data. Any machine providing critical data such as ballot designs, completed ballots, or tabulated results should be authenticated to verify it is not an imposter.

Authorization: Does your device have privileges to talk to me?
Only authorized users should be permitted to manage election equipment — that's a given. In addition, each device should have a defined role in the overall system. A currently authorized voting machine generally is allowed to provide data to a scanner, but only at the same physical polling place. The central tabulator should accept data from scanners but not directly from voting machines.

Attestation: How do I know you are not compromised?
Attestation of device integrity is a verification that the sending device has not been compromised. If an election machine has been hacked at the hardware level, or targeted with malware, it should "turn itself in" — or be unable to attest that it is still safe to use.
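To make the three checks above concrete, here is an added example (not code from the article or from TrustiPhi) of what a receiving device, say a scanner or the central tabulator, would do with an incoming message: verify the sender's signature (authentication), check the registered role and polling place against the article's flow rules (authorization), and compare the reported boot measurement against known-good firmware (attestation). Everything in it is constructed: the device IDs, precinct names, firmware images and the data-flow table are assumptions, and a per-device HMAC secret stands in for the asymmetric key a hardware root of trust would hold, so the example runs with Python's standard library alone.

```python
"""Receiver-side checks for election-device messages: authentication, authorization,
attestation. Constructed example using only the Python standard library."""
import hashlib
import hmac
import json

# Constructed device registry. A real deployment would hold asymmetric keys in a hardware
# root of trust; a shared-secret dict stands in for that so the example runs offline.
DEVICE_KEYS = {
    "VM-01": b"constructed-key-vm01",
    "SC-01": b"constructed-key-sc01",
    "SC-02": b"constructed-key-sc02",
}
# Registered role and polling place per device. The receiver trusts this table, never
# the role or place a message claims for itself.
DEVICE_ROLES = {
    "VM-01": ("voting_machine", "precinct-7"),
    "SC-01": ("scanner", "precinct-7"),
    "SC-02": ("scanner", "precinct-9"),
    "TB-01": ("tabulator", "county"),
}
# Known-good firmware measurements per role (constructed images, hashed at import time).
GOOD_MEASUREMENTS = {
    "voting_machine": {hashlib.sha256(b"vm-firmware-v1").hexdigest()},
    "scanner": {hashlib.sha256(b"scanner-firmware-v1").hexdigest()},
}
# Data-flow policy from the article: voting machine -> scanner at the same polling place,
# scanner -> central tabulator; every other pairing is refused.
ALLOWED_FLOWS = {
    ("voting_machine", "scanner"): "same_place",
    ("scanner", "tabulator"): "any",
}


def _canonical(msg):
    """Deterministic bytes to sign: every field except the signature itself."""
    body = {k: v for k, v in msg.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(device_id, msg):
    return hmac.new(DEVICE_KEYS[device_id], _canonical(msg), hashlib.sha256).hexdigest()


def build_message(device_id, firmware_image, payload):
    """What a sending device emits: identity, role/place, boot measurement, data, signature."""
    role, place = DEVICE_ROLES[device_id]
    msg = {
        "sender": device_id,
        "role": role,
        "place": place,
        "measurement": hashlib.sha256(firmware_image).hexdigest(),
        "payload": payload,
    }
    msg["sig"] = _sign(device_id, msg)
    return msg


def verify(msg, receiver_id):
    """Return (accepted, reason). Checks run in the order the article lists them."""
    sender = msg.get("sender")
    # Authentication: is this the device it claims to be?
    if sender not in DEVICE_KEYS:
        return False, "unknown device"
    if not hmac.compare_digest(_sign(sender, msg), str(msg.get("sig", ""))):
        return False, "bad signature"
    # Authorization: does the registered role permit this flow to this receiver?
    role, place = DEVICE_ROLES[sender]
    if (role, place) != (msg.get("role"), msg.get("place")):
        return False, "claimed role or place does not match registry"
    recv_role, recv_place = DEVICE_ROLES[receiver_id]
    rule = ALLOWED_FLOWS.get((role, recv_role))
    if rule is None:
        return False, f"{role} may not send to {recv_role}"
    if rule == "same_place" and place != recv_place:
        return False, "different polling place"
    # Attestation: does the reported boot measurement match a known-good image?
    if msg.get("measurement") not in GOOD_MEASUREMENTS.get(role, set()):
        return False, "attestation failed"
    return True, "ok"


if __name__ == "__main__":
    ballot_totals = build_message("VM-01", b"vm-firmware-v1", {"Alice": 120, "Bob": 95})
    print("scanner at same precinct:", verify(ballot_totals, "SC-01"))
    print("scanner at other precinct:", verify(ballot_totals, "SC-02"))
    print("direct to tabulator:", verify(ballot_totals, "TB-01"))
```

Two design points carry over to real hardware: the signature covers the measurement, so a device whose firmware has been altered cannot quietly report the old hash without also holding the signing key, and the role and polling place come from the receiver's registry, so a compromised device cannot promote itself by editing its own message.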

Hardware resiliency: How quickly can a device recover from attacks?
Resiliency is an important new method for tackling security issues for election equipment and across the Internet of Things. It's of great importance that devices can recover quickly from attacks. If an infiltrator compromises a device, such as a voting machine or scanner, the machine must rebound quickly — or continue to operate in a "safe mode" despite the breach.

An election outcome could be changed merely by knocking a scanner or a few voting machines out of service on the big day. When voters are kept waiting, they might just give up and go home. The election device must return to its functional state quickly. There is no perfect security, so resilience is essential.

Where Hostile Nations Would Attack
Election administrators need to take this seriously. An attack against election hardware such as voter registration systems, or anywhere along the vote and tally chain, could upend an election. Professor Steve Bellovin of Columbia University, an authority on election security, has emphasized the threat of supply chain attacks, noting that "nation-state attackers have the resources to infiltrate manufacturers of election technology and compromise the tabulating machines. Such attacks would scale the best."

Bellovin is specifically concerned about critical vote-tallying software, which transmits results from each precinct to the county's election board, and may have links to the news media. "This software is networked and hence subject to attack," he says. He also worries about the ballot design software, which "sits on the election supervisors' PCs." Counterfeit software can create ballots that favor one candidate, confuse voters, and make the printed ballot difficult to read and verify.

Voting machinery needs hardware-level security. The stakes are the ultimate, and the attackers among the world's most capable. Authorization, authentication, and attestation at the hardware level, along with built-in cyber resilience, will make most attacks too difficult to pull off successfully. Independent cross-checks, solid procedures, and third-party software and ballot verification enable even higher confidence — and it's urgently needed. The Pennsylvania election and Iowa caucus showed the need to mitigate election technology shortcomings before a catastrophic compromise occurs.

Read Part 1: "How Can We Make Election Technology Secure?"


Ari Singer, CTO at TrustiPhi and long-time security architect with over 20 years in the trusted computing space, is former chair of the IEEE P1363 working group and acted as security editor/author of IEEE 802.15.3, IEEE 802.15.4, and EESS #1. He chaired the Trusted Computing ...

User Rank: Author
2/11/2020 | 10:48:05 AM
Re: Not all states have polls...
Thanks very much for your question. As you mention, states such as Oregon, Washington and Colorado conduct their elections completely by mail. This changes the specifics of some of the potential vulnerabilities, but the security principles and many protection measures remain the same. In particular, once the mailed ballots are received and collated, the scanning and tabulating systems are similar to other election systems. These systems should be single-purpose, disconnected when possible and access should be carefully restricted to authorized users with minimal privileges. Public information from the Oregon Secretary of State indicates that several measures were implemented to protect internal systems and to secure election data transfers. This kind of hardening is essential, but election integrity is still tenuous without eliminating single points of failure. Implementing redundant counting systems and cross-checks and utilizing hardware-based security on each system component will continue to improve these systems.
User Rank: Strategist
2/10/2020 | 11:11:43 AM
Not all states have polls...
Thanks for the 2-part articles. Can you please address "Vote by Mail" states such as Oregon in your article?

Info about Oregon election process: https://sos.oregon.gov/voting-elections/Pages/default.aspx
