Skip to main content

This last-minute voting-machine hack is drawing fire from security experts

This last-minute voting-machine hack is drawing fire from security experts

Share this story

Polling Machines Are Prepared For Tuesday's Presidential Election
Photo by Drew Angerer/Getty Images

Friday afternoon, US election officials got an unpleasant surprise. The security firm Cylance released a report disclosing a new attack on the popular Sequoia AVC Edge voting machine, potentially compromising both the machine’s public vote tally and a backup known as the Protective Counter. An accompanying video showed how the attack would take place, attacking the underlying software through a firmware port on the front of the machine. In the home stretch of election season, the result was an alarming reminder of how vulnerable many voting machines still are.

Researchers have been raising concerns about the AVC Edge since 2007, but it’s still in use in over 100 counties, including in much-watched swing states like Florida and Nevada. Cylance’s attack is limited, requiring sustained physical access and a full power cycle to alter the cartridge containing the machine’s final vote tally. Still, it’s an alarming sight for anyone concerned about the integrity of the election, and leaves election boards with little time to respond.

For some security professionals, releasing the demo just four days before the election — amid frequent accusations of election tampering from the Trump campaign — crossed a line. “This disclosure seems political in nature,” says Katie Moussouris, a bug-bounty expert and founder of Luta security. “Releasing this publicly, after DHS and states have been aware of these types of attacks for years, only serves to fuel the fires of doubting the election results. This is a case of not helping security while simultaneously undermining the democratic process.” According to Reuters, 48 of 50 states have accepted help from Homeland Security in defending against such attacks.

Reached for comment by The Verge, Cylance defended the disclosure. “Voting machine vulnerabilities have been well-researched for almost a decade and have been well-reported in this election cycle, but they have yet to be fully addressed,” the company said in a statement. “In this particular case, we tested potential voting machine vulnerabilities, and once a real world exploitation was discovered, we believed it was our responsibility to inform the public, the authorities and state election officials and volunteers to allow them to improve security measures and ensure the sanctity of our elections.” The vulnerability was disclosed to Sequoia and election officials in advance of publication.

But according to Princeton researcher Andrew Appel, Cylance’s attack would be easily defeated by conventional auditing techniques. Appel demonstrated vulnerabilities in a similar Sequoia machine earlier this year, and says there are still serious concerns about the security of machines like the AVC. But crucially, the Cylance attack focuses on altering a machine’s results cartridge after the polls have closed, which means the results have already been printed out and signed by an election official. The genuine tally would also be stored in the machine’s flash memory, so it would be easy to work back to the original total after the discrepancy was discovered.

“If there’s any question about the results cartridge, it can be compared to the printout and the flash memory of the computer,” says Appel. “Now if the machine was hacked in advance of the election, it could write bad results in all three places — but that doesn’t seem like what they’ve demonstrated here.”

That leaves election officials in a tricky place. For all the controversy, Cylance really has found a flaw in Sequoia’s voting machines, and if a similar bug were found in Flash or Chrome, the company responsible would be rushing to patch it. But with no clear fix and many of the machines already in use for early voting, the best defense is rigorous auditing and protecting physical access to the machines — something most precincts were already doing.

The result takes us back to the fundamentals of election security: even with vulnerable machines, the biggest risk is simply spreading chaos. In the final days before the election, the hard question is whether announcing one more vulnerability does more harm than good.

Today’s Storystream

Feed refreshed Sep 25 Not just you

E
Twitter
Emma RothSep 25
Rihanna’s headlining the Super Bowl Halftime Show.

Apple Music’s set to sponsor the Halftime Show next February, and it’s starting out strong with a performance from Rihanna. I honestly can’t remember which company sponsored the Halftime Show before Pepsi, so it’ll be nice to see how Apple handles the show for Super Bowl LVII.


E
Twitter
Emma RothSep 25
Starlink is growing.

The Elon Musk-owned satellite internet service, which covers all seven continents including Antarctica, has now made over 1 million user terminals. Musk has big plans for the service, which he hopes to expand to cruise ships, planes, and even school buses.

Musk recently said he’ll sidestep sanctions to activate the service in Iran, where the government put restrictions on communications due to mass protests. He followed through on his promise to bring Starlink to Ukraine at the start of Russia’s invasion, so we’ll have to wait and see if he manages to bring the service to Iran as well.


E
External Link
Emma RothSep 25
We might not get another Apple event this year.

While Apple was initially expected to hold an event to launch its rumored M2-equipped Macs and iPads in October, Bloomberg’s Mark Gurman predicts Apple will announce its new devices in a series of press releases, website updates, and media briefings instead.

I know that it probably takes a lot of work to put these polished events together, but if Apple does pass on it this year, I will kind of miss vibing to the livestream’s music and seeing all the new products get presented.


E
External Link
Emma RothSep 24
California Governor Gavin Newsom vetoes the state’s “BitLicense” law.

The bill, called the Digital Financial Assets Law, would establish a regulatory framework for companies that transact with cryptocurrency in the state, similar to New York’s BitLicense system. In a statement, Newsom says it’s “premature to lock a licensing structure” and that implementing such a program is a “costly undertaking:”

A more flexible approach is needed to ensure regulatory oversight can keep up with rapidly evolving technology and use cases, and is tailored with the proper tools to address trends and mitigate consumer harm.


Welcome to the new Verge

Revolutionizing the media with blog posts

Nilay PatelSep 13
A
Youtube
Andrew WebsterSep 24
Look at this Thing.

At its Tudum event today, Netflix showed off a new clip from the Tim Burton series Wednesday, which focused on a very important character: the sentient hand known as Thing. The full series starts streaming on November 23rd.


A
The Verge
Andrew WebsterSep 24
Get ready for some Netflix news.

At 1PM ET today Netflix is streaming its second annual Tudum event, where you can expect to hear news about and see trailers from its biggest franchises, including The Witcher and Bridgerton. I’ll be covering the event live alongside my colleague Charles Pulliam-Moore, and you can also watch along at the link below. There will be lots of expected names during the stream, but I have my fingers crossed for a new season of Hemlock Grove.


T
Twitter
Tom WarrenSep 23
Has the Windows 11 2022 Update made your gaming PC stutter?

Nvidia GPU owners have been complaining of stuttering and poor frame rates with the latest Windows 11 update, but thankfully there’s a fix. Nvidia has identified an issue with its GeForce Experience overlay and the Windows 11 2022 Update (22H2). A fix is available in beta from Nvidia’s website.