clock menu more-arrow no yes

Filed under:

Real security flaws became a sketchy hacking investigation in Georgia

New, 4 comments

How do cybersecurity experts disclose vulnerabilities if they’re going to be accused of hacking?

Illustration by Alex Castro / The Verge

Just a few days before the midterm elections, Georgia’s Republican gubernatorial candidate and secretary of state, Brian Kemp, accused Georgia’s Democratic Party of hacking into the state’s voter registration base. It was a controversial move that is already generating concerns regarding conflicts of interest. Kemp’s office has yet to provide any evidence in support of these claims, and with mere hours left before the final votes are cast, it’s unclear what his motives are in announcing the investigation.

It now seems like Kemp’s accusation may have referred to a legitimate cybersecurity investigation by Georgia Democrats, which uncovered real and significant flaws in the state’s voter registration system. If that research was the source of Kemp’s claim, it would be the latest in a long line of incidents where legitimate researchers are cast as criminal hackers in order to cover up serious security flaws.

Over the weekend, WhoWhatWhy published a report detailing a document it obtained that was initially sent by the Democratic Party of Georgia. The document points out massive security flaws in Georgia’s voter registration system, some of which could be exploited by the most amateur hacker.

According to the document, “it would not be difficult for almost anyone with minimal computer expertise to access millions of people’s private information and potentially make changes to their voter registration — including canceling it.”

Hours after news broke of the flaws, Georgia’s secretary of state announced that it would be investigating the Democratic Party, but it gave no indication whether the security report was the source of the claims. “While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes,” the statement reads. The office also requested an FBI investigation into the matter as well, despite no clear evidence that the discovered vulnerabilities had subsequently led to a breach of voter information.

It’s not the first indication of security problems in Georgia’s election system. This summer, the special counsel investigation disclosed that foreign actors had targeted Georgia’s election infrastructure as part of an indictment of Russian military intelligence officials. After this was uncovered, the Department of Homeland Security offered to help strengthen the state’s elections security. Kemp denied that assistance.

This isn’t the first time an election researcher has been charged with computer crimes. In 2016, David Levin of Vanguard Cybersecurity was arrested after Florida law officials accused him of hacking into the state elections database. Levin was charged with three counts of gaining unauthorized access to a network, his home was raided by the police, and all of his devices were confiscated.