How to Hack an Election

There is a voting machine in J. Alex Halderman's office, not a particularly large one, just an oversize computer tablet set into a plastic frame balanced on tubular legs. But Halderman's office isn't especially large, either, so the machine takes up an inordinate, almost clumsy, amount of space.

The machine is a Diebold AccuVote-TSX. In the jargon of election machinery, it is a DRE, which is short for direct recording electronic: Voters touch the screen to make their choices, which are then logged in the AccuVote's memory. This is not exotic technology. DREs have been used in American elections for three decades, and the AccuVote and similar machines are being used in some 30 states this fall, when voters are determining, among other things, which party will control one or both houses of the United States Congress and whether there will be any reasonable checks on the current administration.

Halderman got his AccuVote-TSX on eBay. It cost him $94.90 from a seller in North Canton, Ohio, who by last spring had sold at least 40 other used AccuVote-TSXs and had at least 10 more for sale (by the last week of October, he either had sold out or gone out of business, as his listing was gone). Because Halderman is a computer scientist at the University of Michigan, he programmed his AccuVote to tally a two-candidate election for "greatest university" between Michigan and, of course, Ohio State.

I'd been talking to Halderman since shorty after the 2016 election, when Donald Trump—to the surprise of everyone, including himself—was apparently elected president. Back then, Halderman explained in somewhat horrifying detail how relatively easy it is to hack an election and, maddeningly, how easy it would be to audit suspect vote tallies if there was the political will to do so. Last spring, by which time that political will still had not materialized, he showed me how easily votes can be rigged. In his little office, he demonstrated how a poll worker would set up an AccuVote-TSX to make sure it is properly calibrated to accurately record votes for a real-world election. Once that was done, we commenced with our pretend election. Halderman voted first, for Michigan. I cast the second ballot, also for Michigan, because it seemed polite and because I knew this was a parlor trick. Then Halderman ran the protocol to officially end our short election—he faithfully followed all the correct steps—and printed out the results: Michigan 0, Ohio State 2, the opposite of the votes we cast.

He didn't rewrite the AccuVote's software. Rather, he wrote a vote-stealing virus, with which he infected the machine in the same way that a vote-stealing hacker would. It took him six weeks to get the code right, which isn't too bad for a professor on sabbatical without, say, the resources of a foreign intelligence service.

"Now, with more votes, the margin would be smaller and harder to detect," he said. Indeed, when he later re-enacted the election with 239 true-blue Michigan students, Ohio State won by a mere 23 votes, 131 to 108. "But it's scary to see it in front of you, right? It's even scarier to do it," he said. "I don't want to be able to control an election. And I don't want Vladimir Putin or Kim Jong-un to be able to, either."

And yet here we are.

The Gold Standard

We've been working our way here for a very long time, of course. There was never an age when elections were pristine and unassailable. The greedy and the corrupt have always tried to tamper with the mechanics of voting, with who does it and how often, with which ballots are counted and how many times. Generations of inventors, both civic-minded and profit-driven, have designed contraptions promising top-shelf security, many of which eventually would be thwarted by the clever and the determined.

As Douglas W. Jones and Barbara Simons point out in the introduction to their book Broken Ballots: Will Your Vote Count?, one of "America's most cherished myths [is] that our democracy sets the gold standard against which all other nations can be measured." They quote a scholar named Joseph Harris, who offered this critique in 1934: "There is probably no other phase of public administration in the United States which is so badly managed as the conduct of elections. Every investigation or election contest brings to light glaring irregularities, errors, misconduct on the part of election officers, disregard of election laws and instructions, slipshod practices, and downright frauds."

For the first 200 years or so of the United States, vote rigging was limited by technology. Stuffing ballot boxes or sabotaging the gears of a mechanical machine required physical labor, people to do the stuffing and the sabotaging. Fabricating vote totals in a ward or a precinct or a district was one thing—but tossing a whole state was exponentially more difficult, and would require an unwieldy legion of criminal allies and corrupt officials to pull off. Or so it was assumed.

The 2000 election, with Florida's dimpled, pregnant, and hanging chads, demonstrated that vote counting was potentially confusing enough—or able to be confused enough—for the White House to be decided by the Supreme Court. From that debacle came the Help America Vote Act, in 2002, in which the federal government established standards for voting equipment, albeit voluntary ones, and provided states money to purchase new machines.

"So what we had was an enormous pile of money and a race to market," says Marian K. Schneider, a former voting-rights lawyer and Pennsylvania elections official who is now the president of a nonprofit clearinghouse and lobbying organization called Verified Voting. And the election-equipment market, a low-margin niche to begin with, in the early aughts was dominated by electronic machines—computers, basically. "Computer scientists saw and understood early on," Schneider says, "that this was going to be a problem."

Simply put, computer code can be corrupted, and in ways that are not readily, if ever, apparent. And most anything connected to the Internet can be hacked ("I can't wait for people to find out they can be hacked through their refrigerators," Schneider says), and that hacking can be done from a safe, anonymous remove. Nor does it necessarily matter if the voting machines themselves are offline: Unless the isolation is absolute and perpetual, clever attackers can figure out how to jump the air gap. And because it's physically easier to infect a fleet of computers with a spreading virus than it is to break the counting gears of 10,000 mechanical machines, fraud can be scaled up, and dramatically.

Schneider is not unreasonably pessimistic, though. "This is a risk, not a certainty," she says. "We face risks every day that don't materialize." And some risks in some places have been mitigated since the last election: Virginia has gotten rid of all its paperless DREs, for example, and Arkansas has switched almost entirely to paper ballots. "The good news is so many government officials—federal, state, even at the local election boards—are much more aware of what can happen," she says. "There's a growing chorus of voices saying the same thing."

As a practical matter, though, not much else has improved since 2016. Yet also as a practical matter, hijacking the entirety of the national election machinery is unlikely. The system in the United States is wildly fragmented, atomized into 10,000 jurisdictions and 178,000 election precincts. It generally is not standardized at any level: The ballots are designed to a variety of specifications, and votes are cast and tabulated on dozens of different types of machines. And there is an enormous amount of data involved, input from a potential 250 million voters.

At the same time, though, that diffusion makes protecting every database and polling station functionally impossible. Ten thousand jurisdictions would all need invincible digital and physical security, which as a matter of statistical probability and human fallibility is never going to happen. And no one needs to steal all of the votes to steal an election.

Tweak a couple of precincts, for instance, and a congressional seat can flip.

Or tinker with a few counties in two or three states, do it carefully and precisely, like a lumberjack notching a tree, and the entire Electoral College can be felled in one direction or another.

Or just muddy the water. Have a bunch of machines, whether by design or by careless accident, flip votes for Democrat Beto O'Rourke in Texas to incumbent Republican senator Ted Cruz, and vice-versa, as was widely reported during early voting in Texas. Maybe it won't change the outcome, but it won't matter because we won't know.

The 2016 Election

I first met Halderman at the beginning of 2017, nine days before Donald Trump was sworn in as the 45th president of the United States. It's easy to forget, now that we've been simmering in his administration for almost two years, how disorienting that period was, from late 2016 into early 2017. Trump lost the popular vote but won the presidency because 80,000 people—too few to even sell out a Michigan football game—spread across three states tipped the wobbly Electoral College. It seemed reasonable, then, to recount those states, which were Michigan, Wisconsin, and Pennsylvania. Lawsuits were involved. Halderman was an expert witness for the plaintiffs, which is why I went to see him in Ann Arbor. The recounts had come to naught, but I thought maybe he'd sniffed out something to explain the inexplicable.

We met at a table in the back of a coffee shop on North Main Street. Halderman is thin and boyish and smiles a lot, as if he knows a secret that will totally blow your mind, which he probably does. Election security is a sideline to his primary job, which is computer and Internet security: His office on the Michigan campus overlooks a glass-walled room of enormous computers that poke every single thing with a public Internet address—yes, every public Internet address—several times each day probing for exploitable weaknesses. "When you go to a website with the lock icon," he said by way of a generous layman's explanation, "we're keeping the lock icon locked." It's an intellectual game of "adversarial cleverness" and "rational paranoia," and he is very good at it. "You play the role of the bad guy," he told me, "and hope that you're better, faster, quicker, than the real bad guy."

One of the first things he told me that morning was that the recounts, incomplete as they were, had not detected any evidence that a foreign intelligence service, or anyone else, had altered the outcome of the election. That was not necessarily comforting, however. Eleven years earlier, when he was a doctoral student at Princeton, Halderman and some colleagues hacked an AccuVote-TS, an earlier version of the machine he has in his Michigan office. They wrote a whole paper on it and even posted a video on YouTube to dumb down their research: "A criminal who can inject malicious software into this voting machine can control how the votes are tallied," the narrator explains in a slow monotone. "His malicious software can steal votes, and it can cover its tracks so that the theft cannot be detected."

So Halderman clarified: The recounts "increased the confidence" that the 2016 results were legitimate, which seems wholly a matter of one's baseline confidence.

He spent the rest of the morning explaining various ways voting machines can be hacked and voter rolls jumbled and data corrupted, how the basic functioning of democracy could be thrown, quite easily, into chaos. None of it inspired confidence.

Curiously, and somewhat depressingly, the public didn't seem to need the tutorial to be suspicious. In a Gallup poll released shortly before the 2016 election, only about a third of all voters—and less than a fifth of Republicans—were "very confident" that their ballots would be properly counted. (Another third were "somewhat confident," which seems a sadly mushy standard for representational self-governance.) Worse, when Gallup asked people if, yes or no, they had faith in the "honesty of elections" in the United States, only 30 percent said yes. Surely Trump's persistent bleating—both before and after an election he won—about the vote being rigged contributed at least a bit to those numbers. Still, a full seven out of ten Americans didn't have faith in their ability to elect their own leaders.

Billions of dollars were spent on the 2016 campaigns, but Clinton did not, in the end, opt to spend a few million on recounts to make sure the result was legit. That task was undertaken instead by Green Party candidate Jill Stein. American intelligence agencies were certain Russia had meddled in an election that defied all odds, and the strongest pushback was dismissed as a gadfly spectacle.

"It's all more depressing than I thought," Halderman said. "It will become an existential threat, if it hasn't already."

Of that he was certain. Hacking the vote would not be difficult. "Really, I think it might be a pretty good undergraduate course project, if it weren't against the law," he told me, brightening a bit at the academic challenge. "I don't think it would be hard."

He paused briefly. "It's easier than I thought."

Another short pause, and an odd smile.

"It's totally terrifying."

Hail to the Victors

Halderman hacked his first voting machine in 2006, when he was still a Ph.D. student at Princeton and a professor recruited him to study a DRE he'd bought online. It took months to reverse-engineer the machine and probe its vulnerabilities, but after that, the actual hacking required only a few minutes. In 2010, working with a colleague and a few of his students, he built a circuit board that could be swapped in for the original in the DREs then being used in India, the world's largest democracy. For a more clandestine and less hardware-intensive approach, he also built a small device that could be attached to one of the DRE's chips with an alligator clip and change all the votes.

Halderman, in fact, has found vulnerabilities in every machine he's studied. There are two main types—DREs and optical scanners, which collect data from marked ballots fed into them—and they're all vulnerable. Moreover, none of the machines need to be opened up: All of them can be corrupted with code slipped in via a memory card or other portable media.

On the other hand, that's old school in its limitations, too. How many machines is one hoodlum going to open? How many USB ports can a hacking network poke? Going after individual machines is the modern version of wrenching open the back of one of those big mechanical counters.

No, better is to go after the system, attack from the outside, spread mayhem from a single point of entry.

The most obvious example of what can go wrong, how badly, and how quickly was an experiment with Internet voting in Washington, D.C. In 2010, officials there thought it might be more efficient if absentee residents could vote online, rather than mailing or faxing paper ballots from wherever they happened to be. So they designed a system they believed was secure. Rather than turn it loose in the wilds of cyberspace untested, however, they set up a mock election, published all the code online, and invited the public to have at it. "Since it's not every day you're invited to hack into government computers without going to jail," Halderman said, "my students and I couldn't resist."

He gathered two grad students and a member of the university IT staff to work with him. They combed through the code, thousands of lines. The programmers "did a lot of things right," he said. "They used the latest web technologies, firewalls, intrusion-detection systems and all that—but it still wasn't enough."

Buried in the code was a spot where the programmer used double quotation marks that should have been single quotes, the coding equivalent of a typo. That was the way in, the key to unlock everything. Halderman and his students changed all the candidates' names to fictional robots and artificial-intelligence systems, HAL 9000 and Skynet and Futurama's Bender. They detected other teams trying to break in from the Middle East and China and India—though who knows if that's where the hackers actually were located—and blocked them. They even tapped into the security cameras monitoring the server room.

"From several states away, just sitting in my office, we were able to change every vote, just a couple of guys right out of college and me," Halderman said. "We had complete control of the system." Doing so took them all of 36 hours. "And they wouldn't have detected it until they started counting the votes, except we left them a calling card: We rigged the system so that every time a voter voted, the computer would start playing 'The Victors,' the Michigan fight song."

This is why Internet voting is a terrible idea. It would need to be invulnerable, a standard that is impossible to meet. "This is what all of security is about, that we don't know how to make perfect computer software and hardware," Halderman said. That's why your computer and phone are constantly getting security updates, and why you're only on the hook for $50 if your credit card gets jacked. New flaws are always being discovered and patched, even in state-of-the-art systems. The typical suite of election software, meanwhile, contains about a million lines of code. "There is no million-line software package ever written," Halderman said, "that does not have security problems." Worse, machines in dozens of states use software so old that developers stopped dispensing security updates years ago.

That said, voting machines generally aren't connected to the Internet, nor is their software offered for public inspection (eBay's equipment sales notwithstanding). They're usually not connected to anything. That's a basic security protocol. Yet it doesn't necessarily matter.

The Administrative Assistant

Just after Christmas 2016, not long before I met him, Halderman was at a conference in Hamburg, Germany, with one of his graduate students, explaining precisely how a moderately sophisticated and sufficiently motivated hacker might go about tinkering with an American election.

The first step would be to monitor the polls and figure out which states were expected to be close, within a percentage point or so. "Step two," Halderman told the audience, "target some large counties or their service providers and compromise their election-management-system computers." Projected behind him was a large slide illustrating each step under the highlighted banner EASIER THAN YOU THOUGHT! "I'll leave it as an exercise to the attacker to find out how to compromise the election-management system"—he pivoted toward the slide, pointed—"by, say, starting by e-mailing" an administrative assistant.

The audience, all savvy techies, laughed. The assistant's picture was on the slide, a partial screen-grab from the website of the company she works for, a small outfit that supplies voting equipment and services in three states. And that makes her company a potential portal (there is no evidence it has been an actual portal) into voting booths.

The Hamburg audience laughed because e-mailing that assistant would indeed be a way in. Her picture was taken from a page on the company website that has the pictures and names and e-mail addresses of every employee. Her picture is next to that of her boss. A moderately talented hacker, to say nothing of one in the employ of, say, Russian spooks, could spoof an e-mail from the boss to his assistant, asking that she immediately open whatever mundane, and infected, file was attached. It's a basic spear-phishing attack, the same sort used, for example, to pillage John Podesta's e-mails during the 2016 campaign. And once the malicious code is in her computer, it conceivably could worm its way into the specific files, and then on to the necessary machines required to monkey-wrench the vote.

How? Here's one way. Ballots need to be designed and coded so that DREs can display them and optical scanners can read them. That should be done on a computer unconnected to the Internet or any other network—air-gapped—and the finished product should be delivered on uncorrupted physical memory cards or thumb drives. But what if the files are moved to the administrative assistant's computer, or any computer she's connected to, that's been infected by a military-grade virus? Once it's tainted with a bug, the infection can easily migrate through USB drives and memory cards. A hacker just needs to figure out the injection site to spread a disruptive fever into the electoral process.

Companies that deal in election systems have security protocols in place, of course. So do elections boards all over the country. But that hardly matters. "We know that Google, Facebook, Twitter, the Pentagon, the White House have all been successfully attacked and compromised," Halderman told me later in Ann Arbor. "What are the odds that Washtenaw County, Michigan, where we're sitting now, is not going to have their computers compromised if the same people are trying? Zero percent. The odds are zero."

And that administrative assistant's company is not Facebook or Google, and almost certainly doesn't have the same elaborate security, which likely would make it an even softer target. Attackers would "pick applications that are written by relatively unknown, small companies that are not the sexy places to work if you're a programmer, that are probably not maintained actively by further development and testing," he said. "These are not our A Team cyber-conscious companies."

They are, however, the link between an otherwise fragmented and decentralized electoral system. There may be 178,000 precincts, but there are only a few dozen companies that service them.

Or what if it's not so remote? What if a nice vendor tells that administrative assistant he needs her to copy a few files, and here's a thumb drive to make it easier? Or how about a not-nice guy with a vaguely foreign accent who knows where she lives and, you know, accidents happen? Is it really a good idea to have democracy dependent on administrative assistants and USB drives?

2018

I met Halderman again, at that same table in the same coffee shop, on a morning in March 2018 a little more than a year after we first met. He looked the same, a year older at 37 but still thin and boyish, still more like a grad student than a professor, and a chipper one at that. He smiled often and laughed quickly, even when discussing dreadful things such as, say, the potential and perhaps inevitable downfall of American democracy.

Still nagging me was something he'd told me the year before: "Six months from now, we're going to completely forget, as a country, about the election-technology issue—until about six months before the 2020 election, when it's too late to do anything about it." Back then, in March, there was still plenty of time to fix things, even if nothing in election security had appreciably changed since we last met.

There still was no evidence that that 2016 election outcome had been fiddled with, a point the National Association of Secretaries of State had made aggressively clear in a five-point briefing paper. (Point 1: "The November 2016 election was NOT HACKED." There's no evidence like all-caps evidence.) Days before our conversation, Congress had appropriated $380 million for states to swap out old machines and upgrade security, but it wasn't enough, and it was going to be shared by all 50 states rather than distributed to the places with the most pressing needs. According to Verified Voting, five counties in Pennsylvania are using machines with software from 1987, for instance, and 30 percent of voters nationally in the 2018 midterms will be casting ballots on paperless DREs. In five states, including New Jersey and Georgia, only paperless DREs are used.

But that's the sum total of the hardening of defenses. Consequently, the ever-present threats are still enormous. "In the fullness of time, a major election will be stolen by a nation-state cyber attack unless we improve the technology," Halderman said flatly and with disturbing certainty. "It's just too tempting a target, and too easy to get away with." He knows, obviously, that the technology almost certainly won't ever be improved to the point of impenetrability, let alone uniformly so across 10,000 election-administration jurisdictions, and even if it is, there's still going to be an army of hackers methodically picking it apart and eventually succeeding. And messing with vote totals is hardly the only concern. According to the Department of Homeland Security, attackers poked around the election systems of 21 states in 2016—imagine, for example, if they'd scrambled the addresses of a few million registered voters or changed the first letter of the last names of a few million more. Sam Jones of 123 Main Street would have a hell of a time voting when the closest thing the volunteers at his precinct had in their database was Sam Bones of 122 Main Street.

That, however, is almost beside the point. The real problem, at least where elections are concerned, is not knowing if there's been mischief. Mass tampering of voter rolls would be obvious enough from the polling-day chaos. Not so with vote totals. Did the Russians throw the White House to Trump? Did John Kerry really lose Ohio, and thus the presidency, despite all the exit polls that said he won?

No one knows. And that is both the most insidious danger—the voting franchise is worthless if no one trusts the results—and the easiest problem to fix. Every election could be, should be, verified through a risk-limiting audit. It's not complicated. After every election, a few random jurisdictions—the number would be statistically determined by how close the vote is—would be recounted by hand and the result compared to the number on the machines. If the tallies match, terrific. If they're off, pick a few more precincts. "So it's a partial and possibly growing recount," Halderman said, "until you reach a statistical level of confidence, 99 percent, let's say."

It's really no different than a coffee roaster checking a few beans now and again to make sure the whole ton isn't burned, or a quality-control worker pulling a few widgets off the factory line. It'd be cheap, too, given the stakes. Every precinct would have to switch to paper ballots, so there'd be some up-front costs. After that, though, a nationwide risk-limiting audit likely could be accomplished for pennies per voter.

That was the one possibility that had Halderman in what could pass as a bouncy mood. He was on sabbatical from Michigan but had spent part of it working as a technology fellow with Verified Voting to push for changes. He'd testified before Congress. He filmed a video on his AccuVote hack for The New York Times. Reporters wanted to talk to him long before the next election. And Donald Trump, of all people, appeared to agree with him on this one narrow issue.

"He has said both as a candidate and a president that he thinks paper ballots are a good solution to the problem of election hacking," Halderman says. "And he's right."

Risk-limiting audits won't solve every problem. Voter rolls can still be hacked. Districts will still be gerrymandered, ID laws will come and go, voter rolls will be purged, machines can be sabotaged, a president might repeatedly insist that results are illegitimate if they're not in his favor. But audits will establish a baseline of confidence, which is critical.

"Probably the worst case is a silent attack," Halderman said between sips of coffee. "A silent attack is where the election outcome is changed but nobody notices. And then after the fact, a foreign government has the ability to prove it and uses that as leverage against the people in power."

He let that hang for a moment, took another sip, set his cup down.

"That is the worst case."

He chuckles at that.

"It's an amazing form of blackmail," he says. "I mean, if I were evil, that's what I'd be doing."

Which he's not. But it's a big, scary world. And we've been warned.

Sean Flynn is a GQ correspondent.