Vulnerable to Hackers and Bugs
The wide examples here show that hacks and bugs can be reduced but not prevented. The only protection is to detect errors and recover, which means independently checking the counts.
A. ELECTION MACHINE ERRORS
B. ELECTION HACKING, WITH UNKNOWN RESULTS
1. As of 2019, researchers have found security flaws in all election computers, which let voters, staff members or outsiders disrupt or change results, often without detection.
2. In July 2018 the FBI told Maryland officials that a local web hosting company they used for voter registration, candidacy, online ballot delivery, and election results had been owned since 2015 (or 2011) by a company financed by Vladimir Potanin, a Russian oligarch close to Putin. The manager is a Russian millionaire, Guerman Aliev, who took an American name, Gerald T. Banks. Maryland's Senate President said the FBI "weren't really anxious for us to come forward" to tell the public (quote is at 6:54 in video). FBI also told state officials in 2017 not to tell the public about foreign intrusion attempts (pages 146-151 of court filing).
3. In March 2018 the security site CSO found on the dark web over 100 emails of workers at one of the largest companies making and programming election machines, ES&S, and smaller numbers at smaller voting machine companies. They also found passwords for the accounts, though the companies said these passwords did not meet their current standards, so would have been changed. Nevertheless with valid emails, attackers can spray password variations until they log in on at least one of the accounts and install malware. Hackers share tips on the dark web.
5. In August 2017 the biggest manufacturer of voting machines, Election Systems & Software, created a public file on Amazon Web Services with "encrypted versions of passwords for ES&S employee accounts. The encryption was strong enough to keep out a casual hacker but by no means impenetrable...The worse-case scenario is that they could be completely infiltrated right now".
6. In May 2019 the FBI told Florida officials 2 counties' voter registration systems had been penetrated by Russia in 2016. The FBI could not say if the Russians changed the files, and only revealed anything because the Mueller Report did. The counties were Washington and one other.
7. In 2016, "We can assume that the majority of states were probably a target... I want to make clear today on the record, it's likely that all 50 states were likely affected... Every organization is scanned a lot, sometimes thousands of times a day. What we were trying to differentiate between: we saw very concerning activity from known suspicious servers in this case... They were targeting to look for vulnerabilities... Probably tried all the states. These are the states we could see they were trying. That's right." ~US Department of Homeland Security Senate hearing at 41 minutes.
8. They attacked "in alphabetical order by state name... voter registration and election results sites... to identify and exploit SQL database vulnerabilities in webservers and databases. The FBI and DHS... noted that they had no information on how many of those attempts were successful, aside from two instances"
9. August 24, 2016, hackers sent phishing emails to seven workers at VR Systems, which provides voter registration systems and election-night reporting. "At least one of the employee accounts was likely compromised." Then on October 27 they used VR Systems credentials to send phishing emails to 122 local election officials. If they opened it, it installed malware which opened a persistent back door into the computer. At least 10 computers were harmed (¶77b). The government has not said and may not know what the hackers did with their back door. Mueller's indictment July 13, 2018 confirms these events (¶73-77) and adds that the hackers targeted more than one election company (¶69). 2 years after the election, the press revealed that VR Systems had a common practice of remotely accessing county election systems, to troubleshoot them, up to the day before the election.
10. Also in 2016 hackers sent emails pretending to be from another election vendor, offering "election-related products and services." The same hackers sent emails to election workers in American Samoa "mimicking a legitimate absentee ballot-related service provider." NSA does not know what they accomplished with any of these attacks.
11. In 2016 Georgia, Indiana and Idaho said the US Dept. of Homeland Security tried to bypass firewalls in election systems without permission. Kentucky and West Virginia said DHS probes of their systems were not malicious.
12. Ukraine's 2014 election results were hacked, but officials removed a virus and believe they had correct totals. South Africa's 1994 election was hacked, and officials hand-compiled the counts, as noted at right.
13. A 2007 study for the Ohio Secretary of State reported on election software from ES&S, Premier and Hart. Besides specific problems it found, it noted that all "election systems rely heavily on third party software that implement interfaces to the operating systems, local databases, and devices such as optical scanners... the construction and features of this software is unknown, and may contain undisclosed vulnerabilities such trojan horses or other malware."
C. BEST-DEFENDED INDUSTRIES
This list shows that election machines will never be hack-proof, since even the best-defended industries get hacked. Hacks (and bugs) can be reduced but not prevented. The only protection is to detect errors and recover, which means independently checking the counts.
1. Domain registrars for entire countries in 2018-19, letting hackers spy on and change emails and web results throughout the country. The registrars succumbed to phishing.
2. Phone calls for several years up to 2019
3. Homeland Security in 2019, through a contractor
4. Attacks rising in 2018
6. Chinese hacked most of the biggest providers of cloud computing in 2010-2017, including IBM, 224 systems at Hewlett Packard Enterprise, Computer Sciences Corp, Fujitsu, Tata Consultancy, NTT Data, and many other firms through them, including the US Navy's biggest shipbuilder (incl. nuclear submarines), Sabre reservations for thousands of hotels and hundreds of airlines (so they could surveil all traveling executives), Ericsson telecoms, biotech firm Syngenta, which was then bought by Chinese. Hacks continued to succeed even after they were noticed and defenses mounted. They gathered hundreds of login credentials. Many hacked companies were not told, and if told they denied they lost anything.
7. Amazon, Apple, and almost 30 other companies probably had extra Chinese chips placed on servers 2015-2018, giving backdoor access to the Chinese. Reviewers say backdoors can be hidden better inside chips which are supposed to be there.
11. CIA in 2011-15 had "A major concern... that the Russians were collecting information from a breach of computers not connected to the Internet... The CIA had already figured out how to perform similar operations themselves."
12. "Deloitte in 2017
13. FBI in 2011-2016 radio encryption decrypted by Russia
14. DoD in 2007, Jan and June 2015, 2016, so DoD pays bug bounties. In 2018, GAO staff "were able to take control of [DOD weapons] systems relatively easily and operate largely undetected." Alarms went off so often the operators ignored them.
15. Securities and Exchange Commission in 2016
17. Mozilla in 2015
18. General Electric/Safran aircraft engine designs hacked by China 2010-2015
19. Boeing (jet fighters) in 2008-2014
20. 1,000 oil and gas companies in 84 countries, 2012-2014
21. Nuclear and other companies in 2006-2014
25. Symantec in 2012
D. FUTURE HACKS