Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

South Carolina’s Voting Machines Are Vulnerable to Attacks

Two of the state’s voting systems connect to the Internet, making them accessible for voters who are stationed overseas but also increasing the risk of cyberattacks and data breaches that could result in fraud.

(TNS) — This year, South Carolina welcomed into its arsenal of election technology two systems that connect to the internet — one of the features that makes them vulnerable to hacking, voting experts say.

Both the state's new electronic poll book system and a new online platform called OmniBallot, made to help a small group of S.C. voters stationed overseas send their ballots home, rely on internet access.

Members of some military and government service groups, their families along with citizens outside the United States registered to vote in South Carolina had access to the new OmniBallot system when voting this year.

In 2016, the group — classified as "UOCAVA citizens" after the Uniformed and Overseas Citizens Absentee Voting Act that grants them special voting privileges — cast 8,621 ballots, said Chris Whitmire, a spokesperson for the State Election Commission ( SEC). Before OmniBallot, the UOCAVA citizens were allowed to send their ballots by fax, email or mail. Those legacy options were still available to them during the 2020 presidential election.

But now, when using the platform, voters can download their unique ballots by accessing a single URL online, the website of the private company that makes the product, Democracy Live, states. The system is accessible to people with disabilities and is secure, it says.

"We've had over 100 cybersecurity researchers review the system, they haven't been able to get in the system or compromise it," confirmed Bryan Finney, the founder and president of Democracy Live.

Yet in June, a final-year PhD candidate at MIT and a professor of computer science and engineering at the University of Michigan analyzed the OmniBallot platform and found it wanting.

"We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter's device," wrote the researchers. "In addition, Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information — including the voter's identity, ballot selections, and browser fingerprint — that could be used to target political ads or disinformation campaigns."

Three months later, it was announced that a group of S.C. voters would use the platform in the 2020 presidential election.

UOCAVA citizens voting electronically, whether via fax, email or an online platform like OmniBallot, has been "deemed insecure by election and cybersecurity experts," determined the Center for American Progress, a nonpartisan policy institute, in 2018.

Not only does returning ballots electronically provide an avenue for malicious actors to manipulate the voting results, the Center clarified, but "it is impossible to carry out meaningful post-election audits on voted ballots submitted electronically because there is no reliable paper record that can be referenced during the auditing process."

Even so, allowing UOCAVA citizens to vote this way is not uncommon. Thirty-two states permitted regular absentee voters or citizens and military abroad to do so at the time of the report.

"Something Needs To Be Fixed"

States whose systems were determined to be safer by the Center for American Progress only allowed the voters to mail in hand-marked paper ballots. Those states actually had slightly higher response rates from overseas voters than those that permitted ballots to be submitted electronically, the institute has said, indicating that the safer, paper-only requirement does not disenfranchise voters.

One advantage of the new OmniBallot platform is that it was free to the state. The cost of two years of offering the pilot platform to voters was paid for by a grant from the nonprofit, Tusk Philanthropies. The nonprofit is funded exclusively by Bradley Tusk, a venture capitalist, who told The State that the group is non-partisan.

"Our role is to provide financial and communications support for election officials to bring new innovative technologies to their jurisdictions," Tusk said.

Another is that it allows voters more privacy than before, Whitmire added, as votes submitted via OmniBallot remain confidential and so protect the voters' constitutional right to a secret ballot. Any sent through fax or email in previous years had to be intercepted by a staffer prior to submission. A third benefit is that the system is "generally safer and more secure than the legacy system that relies on email or fax for return of completed ballots," Whitmire told The State Media Co.

Finney mentioned that Democracy Live made its privacy policy "more public" after the MIT and University of Michigan researchers criticized it, and that the OmniBallot platform makes sense for the relatively small group of UOCAVA voters because of their special circumstances.

"You can't just do a hand-marked paper ballot if you're on a submarine," he said.

But it says a lot that "something nobody thinks is a good idea is better than what we have been doing," said Duncan Buell, professor of computer science and engineering at the University of South Carolina and vice chair of the Board of Voter Registration and Elections in Richland County.

Since he knows that the online platform is vulnerable to hacking because of its internet connectivity and doubts the quality of the technology, Buell said that if he were to find out that even one vote was cast in Richland County through OmniBallot, he would not vote to certify the 2020 presidential election. Doing so would constitute "gross professional hypocrisy," he said.

On Thursday, Buell emailed the newspaper saying that he had been informed that Richland had not received any ballots sent through the platform, but that "one of the larger counties" in South Carolina did receive ballots sent over OmniBallot.

But Buell believes the state shouldn't be using the platform at all. "There is something wrong and something needs to be fixed," he said.

Election Day Poll Book System 'Exposed'

The electronic poll book system was used on Election Day by poll workers to review voter records, assign and print ballots and direct people to different locations if they appeared at the wrong place to vote. Most people who voted in-person interacted with it.

Election Systems & Software (ES&S), the company responsible for the branded "ExpressPoll" software and accompanying tablets and ballot printers, submitted its answer to the state's request for proposals for new poll books this summer.

In that documentation, ES&S states that the poll books have "a web-based application that allows election officials to monitor poll activity from connected ExpressPoll devices used across the jurisdiction, in near-real time." The ExpressPoll devices would be able to connect to a central server "by way of MiFi device provided by a telecommunications provider such as Verizon," the document stated. MiFi devices are portable, wireless routers that act as Wi-Fi hotspots. They can connect to cell phone networks and provide internet access for multiple devices.

Susan and Morgan Yates, two poll workers at River Bluff High School in Lexington, said the technology helped the check-in process go smoothly on Election Day and was useful for directing people elsewhere when they showed up in the wrong precinct. Susan Yates used the technology to quickly identify the number of the people registered to vote there who had done so in-person and those who had sent in absentee ballots.

The web-based software in the new poll books "helps us to be able to see issues out there," said Whitmire with the State Election Commission, who also confirmed that the poll books had the ability to connect remotely to a central computer.

Dan Wallach, professor of computer science at Rice University in Houston and voting scholar, agreed that the kinds of features made possible by poll books with internet connectivity are convenient. "If you like the idea of early voting, where a voter can go to any early voting location and see his or her correct valid [ballot] style, then you have to have electronic poll books connected to the internet."

But the software needs to be secure, he added, in part because "America has to be able to defend its elections against hacking attempts by foreign nations."

In the ES&S documentation, the company described a couple of the features that it said made the poll books safe while doing that. An ID and password are required to activate the tablets that run the software, the system transmits encrypted data through "secured, private connections," and the carrying case for the unit can be sealed with special security seals to prevent and detect unauthorized entry prior to their official use.

Wallach said language like that is misleading. Even if private companies or election officials say the poll books connect over a private network, "it's still the internet," he said. "It's still the phone network. It's still accessible to the Russians." The fact that there are no federal standards for the functionality or security of poll book technology makes the software even more exposed, he added.

Participants at DEF CON, the world's largest hacker conference, laid bare some of the vulnerabilities of the ExpressPoll software last year. After attendees were given access to an ES&S ExpressBook tablet and its internal software during one of the events at the conference, some wrote a report that described the security flaws of the technology.

Locking mechanisms did not prevent access to external USB and SD ports on the tablet or its stand, they observed, and the ports were not sealed to prevent tampering. Though the SD card containing voter data in the machines was encrypted, the keys were stored in plain text in a standard file, "allowing all data to be easily accessed and modified, therefore rendering encryption meaningless."

"Hardening" a technology system means reducing security risks by eliminating ways that the system can be attacked. Hackers at DEF CON found that the operating system of the ES&S poll books "lacked any attempt to perform even the most rudimentary platform hardening." That dearth of protection "is especially dangerous given that for one of the recommended deployments the system is intended to communicate over WiFi with wireless internet access," the report mentioned. "There is an extremely wide, unprotectable, exposed attack surface."

This August, ES&S was awarded $9.4 million to supply South Carolina with the poll books and ballot printers, Whitmire told The State.

When asked about the security of the poll books it provided to South Carolina, a spokeswoman for ES&S said the protections in all the company's technology are robust. "From internal protocols to training on every piece of equipment, we go above and beyond what's required to keep our elections safe," Katina Granger wrote in a statement sent to The State. "ES&S is committed to delivering high security products and services to ensure the integrity of our nation's elections."

In addition to being vulnerable to malicious external attacks, when put to the test on Election Day, another problem surfaced with the system. Poll workers at Dutch Fork High School and Oak Pointe Elementary School, two polling locations in Irmo, said that a power outage early in the day made the ExpressPoll ballot printers stop working.

In both places, the fact that the check-in technology was temporarily unusable lengthened the wait times for voters in line to cast their ballots. Power outages also affected A.C. Moore Middle, Hand Middle and Rosewood Elementary School in Columbia, and one poll worker at the Woodlands Park precinct mentioned that a provided WiFi hotspot had experienced connection issues.

This reporting was produced with support from The GroundTruth Project through a Preserving Democracy & Voting Rights Fellowship awarded to the author.

(c)2020 The State (Columbia, S.C.). Distributed by Tribune Content Agency, LLC.