Security

How to hack an election: An interview with security expert Calvin Liu

Voter fraud has been a hot topic this election cycle, but there are still two fundamental questions to be asked: Can widescale election fraud happen and if so will hackers be the ones to pull it off?

election-fraud.jpg
Image: iStock/samiph222

It's been hard to get far in the run-up to the presidential election to avoid hearing about voter fraud. The Trump campaign has made it one of their standard rallying cries—but is it realistic?

In-person voter fraud, which Trump lambastes, is exceedingly rare. When fraud does happen it's generally in small elections at the local level—it simply doesn't happen enough to sway an election.

But technology changes everything, and it's now changing the voting fraud game: Hacking elections is entirely possible, at least according to cybercrime expert and Ventura ERM cofounder Calvin Liu. TechRepublic's Dan Patterson had the chance to dig deep with Liu on the topic of election hacking: Here's what Liu had to say.

What an election hack is

Liu cuts right to the basics by starting off with a general definition of what a hack is: "Hacking is finding weaknesses in a system to enable actions that are not otherwise allowed nor even possible."

That can mean a lot of things, and not all of them electronic. But on the election landscape, what computers do add to the equation is a matter of scale: Instead of a single (and potentially useless) act of voter fraud, a hacker could falsify thousands of votes. It all boils down to how Liu defines a hack: Finding and exploiting a weakness.

SEE: How the Obama administration plans to prevent rigged elections (TechRepublic)

Take the recent Dyn hack as an example: hackers were able to knock out a large swath of the internet and its websites using a DDoS attack. This, Liu says, is just one way "hackers [have] demonstrated their ability to wreak havoc on a massive scale."

More and more voting, vote tallying, and voter registration is being done electronically, which makes hacking an election potentially easy for a skilled group of people. Liu says there are three steps to an election hack that are made possible by electronic systems:

  1. Survey the landscape: "There are numerous ways by which surveillance can be conducted and they are often complementary," he says. Physical surveillance can be paired with port scans and IP sniffing to figure out how each polling location communicates with the larger election infrastructure.
  2. Evaluate weaknesses: Once a hacker knows how voting machines operate and communicate they only need figure out what to do with that information. Man-in-the-middle attacks, falsifying authentication, spoofing votes, and blocking communication could all be potential objectives.
  3. Exploit: With the information hackers gain they need to go larger by codifying and transmitting their hacks to locations around the country.

Four ways a hack could happen

Liu gives four methods a vote hack could be achieved—some have even been attempted before.

Voting in place of a non-participant

States used to canvass voters door-to-door to be sure they were still alive, registered at the appropriate address, and (in some cases) would be voting that year. Illinois was one such state, and in 1982 its canvass resulted in a much-disputed gubernatorial election and investigation of voter fraud.

"Some precinct captains would carefully note who actually had come to vote and compare that information against the list of legitimate voters," Liu says of the 1982 election. "The precinct captain or delegated representative would then 'vote' for the people who hadn't voted or who couldn't vote."

Election Tech

Visualizing the Russian cyberattack

Cybersecurity experts explain how the data breach happened, and Twitter chatter reveals what competing social media factions are saying about the election hack.

The discovery of publicly available voting records earlier this year makes the potential for "assisted voting" even greater. Hackers able to access that information, Liu says, could falsify absentee ballots, feed false votes directly into a tabulation system, or monetize the lists through in-person false representation.

Vote buying

Drunks and transients, Liu says, were paid to vote certain ways in the 1982 Illinois election. With the advent of the internet these kinds of schemes can be widely distributed with ease: "Bitcoin payments in the dark web, (paying) criminals who otherwise might not vote, or perhaps the creation of 'paying gigs' through on-demand workforce services" are all ways to spread vote buying far and wide.

Altering the vote count

Liu cites the 1982 election yet again: In one of the first examples of computerized election hacking, "One particularly enterprising precinct captain ran a single Democratic punch card 198 times through the voting machine, followed by six punches of a Republican card."

Modern systems make 198 votes into small change by comparison. Hackers could determine how to access machines, their channel to the tabulation server, the server itself, how to spoof voter requirements, or anything else.

Electronic voting, whether through digital machines or just electronic tabulation, opens up a variety of ways to add votes, remove votes, alter voter records, and throw off counts. Hackers could do it all without using a single false record: They only need to get ahold of registration records or canvassing results.

Blocking registration or vote counting

Hackers, Liu says, could target registration or vote tabulation in districts that lean the "wrong" way, which can have far more serious implications than for just a single election. Voters can be frustrated, turnout can be suppressed, and it can all be blamed on things like hanging chads or bad electronic records.

The threat isn't the potential of hacks: It's the scale

Liu says the greatest threat doesn't lie with machine tampering: That's nearly impossible without leaving a trace, he says, and it's surprisingly easy to find.

The risk to elections is the huge scale of fraud that the internet puts in the hands of only a few people. "Access to voting databases and detailed voter behavior from social media or other sources creates the potential for millions of otherwise undetectable fraudulent votes," all without a single dead voter, made-up name, or fudged registration.

SEE: How to track and report polling place problems on Election Day (TechRepublic)

Since it's legitimately registered non-voting people who are the targets of fraud, low turnout is a huge risk catalyst. "If valid voter turnout is 90%, only 10% of the entire population is potentially eligible for fraud," Liu says. That wouldn't have much impact overall.

"With 50% turnout, however, half the population represents a comparatively huge pool of potentially fraudulent votes." Far more than enough to sway an election.

Prevention is possible

The digital tools to prevent fraud already exist, Liu says. The rollout of such tools would require a reevaluation of how we treat elections, however, and there's no time for transforming our system by tomorrow.

In all reality the likelihood of large-scale voter fraud is next to impossible, but for the individual voter there's only one way to take action: get yourself to the polls tomorrow, November eighth, and make sure that a potential hacker can't vote for you.

The 3 big takeaways for TechRepublic readers

  1. Voter fraud in the modern age won't be done by individuals standing in line: It will be hackers manipulating computer systems.
  2. The biggest target isn't voting machines—it's registration records. With the right information hackers could determine who does and doesn't vote, compare it to records, and insert false votes for legitimately registered voters.
  3. Low voter turnout makes these kinds of hacks more probable and more effective.

Also see

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.

Editor's Picks