Researchers: 11-year-old flaw in vote scanner still unfixed

An uncorrected security flaw in a vote-counting machine used in 23 U.S states leaves it vulnerable to hacking 11 years after the manufacturer was alerted to it, security researchers say.

The M650 high-speed ballot scanner is made by Election Systems & Software, the nation's leading elections equipment vendor. The vulnerability was the most serious noted in voting equipment in a report Thursday that summarized the findings of security researchers at the September DefCon hacking convention's "Voting Village " in Las Vegas, which highlighted a number of vulnerabilities in election equipment.

"This counts the ballots for an entire county," said Jake Braun, one of the organizers and a University of Chicago cybersecurity expert said of the M650. If successfully hacked by someone intent on changing vote totals in a swing-state county, "it could flip the Electoral College," he said.

"One infected disk can take over the entire election system," said Harri Hursti, another "Voting Village" organizer and the researcher who initially detected the flaw in a 2007 report done for the Ohio secretary of state .

Braun said it is both surprising and a reflection of the state of the nation's voting equipment industry that ES&S has continued to support and service the M650 — and that many election officials have not retired it.

Cybersecurity experts have long complained that the nation's antiquated elections infrastructure is highly vulnerable to tampering — now a critical concern given documented Russian attempts to influence the 2016 presidential election. Those activities included probes of elections systems in at least 21 states, a hack into the Illinois voter-registration database and attempts to hack a Florida maker of electronic poll books.

A National Academies of Sciences report in September urged essential reforms by 2020 including sustained federal funding, since elections are administered by the states and security is typically shortchanged. Other recommendations included retiring electronic machines that lack a "human-readable" paper trail and making reliable post-election audits mandatory. The GOP leadership in Congress has recently stymied efforts to pass election-reform legislation.

The M650 scans paper ballots — it can process more than 300 per minute. ES&S said in a statement Thursday that it discontinued manufacture of the machines in 2008 but that 270 are in active use today. It said the machine has "a solid, proven track record when used in a real election environment with proper physical controls," although it has been replaced by more secure models.

"We believe that the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real-world environment and, therefore, safe and secure to use in an election," the company said.

Proper physical controls would prevent access to the machines by unauthorized outsiders who might introduce a vote count-altering virus. Hursti, however, said he's spoken to elections officials who program the M650 program with removable Zip drive disks that could transmit malware. It's also possible to infect the machine via a built-in network port.

ES&S did not respond when asked by the Associated Press why it had not corrected the Zip drive vulnerability despite knowing about it for more than a decade. It also did not say whether it continues to sell the M650, which was listed on its website product offerings as recently as last month.

The DefCon village, now in its second year, was attended by more than 100 elections officials from across the nation. Senior officials from the National Security Agency and the Department of Homeland Security endorsed its organizers' assertion that the best way to secure elections equipment is to let friendly hackers attack it.

ES&S disagreed. It complained in an Aug. 24 letter to a group of U.S. senators that "exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention."

Organizers of the Voting Village obtained more than 30 pieces of voting equipment and other machines for security testing, but were significantly limited in what they could test, mostly because vendors refused to make proprietary equipment available. Researchers did not test any election management or voter registration systems.