No, you can't hack vote tallies with a pen
There's an important problem that needs to be fixed, but it's more complicated than that
In recent news, a cyber-elections expert (Dr. J. Alex Halderman) demonstrated hacking a voting machine in a court room. The incident is wildly misunderstood. People saw magic happening that they didn’t understand. This post explains the magic.
The takeaways are these:
the Georgia Secretary of State Raffensperger is grossly negligent, ignoring important problems
while important, they aren’t catastrophic, and don’t necessarily mean the election can easily be hacked
The situation is like asking your neighbor if they can store your family heirloom in their closet safe. Your neighbor agrees, but because they are lazy, they leave the safe door unlocked.
There is a clear flaw here that needs to be fixed; it’s intolerable that you’d store something in an unlocked safe. But on the other hand, it doesn’t mean there is some imminent threat to your heirlooms.
The same is going on with Georgia election machines. It’s obviously gross incompetence on the part of Raffensperger not to fix problems, but at the same time, it doesn’t mean the election is under imminent threat of being hacked.
It’s up to the judge to determine how important this is, whether to go forward with Georgia election systems as is, or whether to require paper ballots instead, for the 2024 election.
There are many reasonable people on both sides of this issue. The plaintiffs in this case wanting paper ballots are quite reasonable. I point this out because Raffensperger calls them some sort of conspiracy theorists.
Personally, I think the computers are safe enough, that any attempt to hack the election would be detected, and there’s no particular reason to take the drastic step of disrupting the next election. On the other hand, Raffensperger has already had two years to fix the problem and has chosen instead to ignore it, so I want the judge to rule against him as a punitive measure, rather than a safety measure.
Ballot marking devices
Crazy Trumpists claim that the demonstration changed vote totals on the tabulator using just a pen. This is false. It’s not the tabulator or vote totals being changed, but Ballot Marking Devices. Something like a pen is needed to restart the device, but the essence of the hack uses a memory card and/or USB drive, as the AJC article describes.
That AJC article describes how one of the hacks allows printing off many ballots. This is not an interesting threat because you can do this without hacking the computers. Simply take a picture with your phone when voting, print out a bunch at home, then have your friend go vote and deliver the printed ballots. Precincts already guard against this. For example, they make sure the voter submits only a single ballot, and at the end of the day, the number of ballots must match the number of voters.
Another one of the demonstrated hacks is changing the printed votes. The machines being hacked are Ballot Marking Devices or BMDs. Instead of having a paper ballot at the precinct, machines are used. They do this because voters are stupid and can’t reliably fill out a ballot on their own. They often mark multiple boxes for a single race. This causes arbitration when counting the votes, as election workers have to figure out the voter’s “true intent”. It’s prone not only to error but also to corruption, as arbiters choose ambiguous votes as being for their preferred candidate. Machine counting of ballots is thus unreliable without some human intervention.
Human counting is also inherently unreliable. They’ll accidentally miscount a high percentage of votes.
BMDs exist to solve this problem. They make sure that ballots are filled out correctly without requiring adjudication or human interpretation, so that machines can easily count them.
In Georgia, after the voter has voted, the printer spits out the ballot. At this point, it’s the voter’s responsibility to verify that what’s printed on the ballot reflects their choice.
One of the hacks changes the vote, so that if a voter selected Trump, it actually prints Biden. This hack works by hoping the voter won’t notice.
It’s at this point voting experts disagree. A number of studies show that voters won’t notice such changes to ballots. That’s true, but the studies changed things like the local water commissioner. It’s not likely hackers will go through this level of effort to hack the vote for the local water commissioner. Such hacks would target only the major races, and the voter is much more likely to notice if the major race was hacked. One can expect voters to check the top line vote for president.
Moreover, it’s the voter’s responsibility to check. It’s the printed ballot they hand in that’s the record of their votes. If they choose to hand in something different than what they selected on screen, then that’s still their choice. Many experts reject this argument, though, because they believe in a system where voters have no agency, even though voter agency is what elections are all about.
In any case, this hole can’t be exploited widely without being noticed. While many voters won’t check their ballots, enough will for election workers to detect a problem.
There’s an additional problem: the BMDs print both the names in human readable text and a computer-readable QRcode. After voting and collecting the printed ballot, the voter hands the ballot to an election worker, who immediately feeds it into a precinct tabulator to scan and count the vote. That scanner reads the QRcode and not the human readable names.
Legally, it’s the human readable names that are the actual vote. When there is a hand recount for a race (such as in the 2020 Presidential election in Georgia), it’s the human readable name that’s counted. If the two differ, it’s the human readable version that takes precedence.
But such hand recounts are rare. The hackers could be hoping there isn’t one, and successfully change a lot of QRcodes.
In Georgia, though, there’s an extra wrinkle on this wrinkle: the ballot images are public records. If hacking of QRcodes is suspected, it’s easy for activists to grab the ballot images and use optical-character-recognition to see if the QRcode differs from the names.
For example, Douglas County in Georgia has posted the images to the county website. You can download them yourself and write a program to verify the QRcode matches the printed text.
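The comparison step of such a program, as an added example that is not from the original post: it assumes the QR code and the printed text of each ballot image have already been decoded and OCR'd into per-race selections upstream. The record layout, candidate names, BMD ids and sample ballots are all constructed. It separates OCR noise from a real disagreement and groups disagreements by BMD.

```python
from collections import Counter
from difflib import get_close_matches

# Constructed contest list: the names that can legitimately appear per race.
CONTESTS = {"President": ["Alice Archer", "Bob Baker"]}

# Constructed records: (ballot id, BMD id, QR-decoded picks, OCR'd printed picks).
# Decoding the QR payload and running OCR are assumed to happen before this step.
BALLOTS = [
    ("b001", "BMD-07", {"President": "Alice Archer"}, {"President": "Alice Archer"}),
    ("b002", "BMD-07", {"President": "Bob Baker"}, {"President": "B0b Baker"}),   # OCR noise
    ("b003", "BMD-12", {"President": "Bob Baker"}, {"President": "Alice Archer"}),
    ("b004", "BMD-12", {"President": "Bob Baker"}, {"President": "Alice Archer"}),
    ("b005", "BMD-12", {"President": "Alice Archer"}, {"President": "A|!ce ###"}),
]

def canonical(race, ocr_text, cutoff=0.8):
    """Map noisy OCR text to the closest name on the ballot for this race.

    Returns None when nothing is close enough, so a smudged scan is sent to
    human review instead of being reported as a changed vote.
    """
    names = {n.lower(): n for n in CONTESTS.get(race, [])}
    hit = get_close_matches(ocr_text.strip().lower(), list(names), n=1, cutoff=cutoff)
    return names[hit[0]] if hit else None

def audit(ballots):
    """Compare QR picks with printed picks; return (findings, mismatches per BMD)."""
    findings = []
    for ballot_id, bmd, qr, ocr in ballots:
        for race, qr_choice in qr.items():
            printed = canonical(race, ocr.get(race, ""))
            if printed is None:
                findings.append((ballot_id, bmd, race, "unreadable"))
            elif printed != qr_choice:
                findings.append((ballot_id, bmd, race, "mismatch"))
    # Only true disagreements count against a device; unreadable scans do not.
    per_bmd = Counter(bmd for _, bmd, _, kind in findings if kind == "mismatch")
    return findings, per_bmd

if __name__ == "__main__":
    findings, per_bmd = audit(BALLOTS)
    for row in findings:
        print(row)
    print("mismatches per BMD:", dict(per_bmd))
```

Because the human-readable text is the legal vote, a "mismatch" row is a ballot whose machine count disagrees with the record of the vote, and a cluster of them on one BMD id points to the device to pull for inspection.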
If you are especially concerned about whether your own personal ballot was correctly counted, then it’s easy to verify. Write in a candidate for one of the races you don’t care about, like local water commissioner, with a distinctive name, like Donald Duck or Mace Windu. Then, download the images for your county, search for the ballot with that write-in candidate, and verify the QRcode correctly matches your vote.
By the way, many people are upset with the Georgia court ruling that ballot images are such public records, because it partially breaks the “secret ballot” principle. Somebody can now intimidate you or bribe you to vote the way they want, and then use this method to verify you complied. I doubt this feature is going to last for long, but while it does, it allows us to study election results.
Finally, a single BMD is used by only a few hundred voters. Thus, if you walk into a voting precinct and hack a BMD, you are only going to be able to switch a couple hundred votes. And since the BMD’s ID is on the ballot, they’ll notice when suddenly it starts spitting out votes for only one candidate. The ability of lone actors to change elections is limited — it requires large conspiracies.
But among the threats are election workers. They have the power to easily change all the BMDs in a county without anybody noticing, to change a preprogrammed number of votes, like changing only 10% of them. But such hostile election workers have other opportunities to change votes, even if no computers are used.
Halderman report
The things recently demonstrated in the court room are already public in a report by Halderman. There are actually no new hacks presented in the courtroom.
This report was disclosed to Raffensperger back in July, 2021. By the time of the 2024 election, he’ll have had more than 3 years to fix the problems.
Georgia commissioned independent consultants (MITRE) to review the Halderman report, who came back with a paper claiming there was no risk.
Raffensperger characterizes Halderman’s hacking as: “The risks outlined in the researcher's report are theoretical and imaginary, our security measures are real and mitigate all of them."
A bunch of cybersecurity experts, including myself, have repudiated that MITRE report. While I agree things are more complicated than the simple demonstration in the courtroom, as I describe above, I disagree with the MITRE conclusions. The risks are not theoretical or imaginary. They are quite real, and the mitigations only partial.
Raffensperger published this letter to the Georgia legislature lumping together these legitimate concerns with Trump’s unsubstantiated claims of election fraud. This is an unfair ad hominem trying to deflect from the fact that he’s incompetent and untrustworthy.
Conclusion
Just because you see a magic hacking demonstration doesn’t mean that you’ve understood all the complexity. Just because you see somebody hacking a machine with a pen doesn’t mean that it was actually that easy.
In this case, there are many more steps involved. It requires some pretty talented hackers to develop the software to hack these machines. It requires more than a pen to deliver that software.
The purpose of such demonstrations is not to prove how easy they are, but how real they are. It disproves Raffensperger’s claim the attacks are “theoretical and imaginary”.
They need to be fixed. Experts will disagree on the urgency of the fix, whether the current BMDs (ballot marking devices) are safe enough for the upcoming 2024 presidential election. I’m on the fence. But that’s what courts are for, to rule on this.
Regardless, the fact that we’ve had 3 years to fix these before 2024 proves that Raffensperger is incompetent at managing elections. There’s simply no excuse for this. He’s spent more effort denying the problem than fixing it.
Update
One comment to this story is “You seem mad at Raffensperger”.
Well, no, he’s a goddamn hero for standing up to Trump’s attempts to steal the election.
Instead, these comments about Raffensperger reflect the same comments I’ve had for 35 years about vulnerability disclosure. There’s a constant conflict between hackers who discover ways to hack systems, and those who claim those vulnerabilities are merely theoretical or imaginary, and that those disclosing the vulnerabilities are acting in bad faith.
Raffensperger is simply following the same pattern as vendors have followed for decades.
The reason you frequently have to patch your browser, Windows, or iPhone is because leading tech companies have gotten past that. Instead of trying to deny the impact of discovered vulnerabilities, they simply roll up their sleeves and fix them. They respond to most such bugs within about 90 days.
While leading tech companies do the right things, trailing companies are still stuck decades in the past. This describes Dominion Voting Systems and their customers with political investments in their products like Raffensperger. He put a lot of his political capital at stake in choosing Dominion back around 2018.
In much the same way you patch your desktop/phone/browser every month or two, it should be expected that election computers will need to be patched before every election. The fact that this isn’t done, that we’ll go through 4 years of elections before patching the computers, is anathema. It’s gross incompetence and offensive.
But I’m still going to vote for him next election for Secretary of State. Standing up to attempts to steal the election, such as the pressure Trump put on Raffensperger, is still far more important than these vulnerabilities. Incompetence at dealing with this issue is still less important than the outright corruption that other Republicans seem to have, being willing to give in to Trump’s demands.
I first read "patch your desktop/phone" as "patch your desktop phone" and thought "Rob's living in an alternate world".
But Raffensperger/Dominion are legit industry behavior, and the problem is when companies do fix vulnerabilities, less intelligent people like to claim they are always insecure and can't be trusted.
Has anyone approached Dominion about getting their systems patched?