Disclaimer: vote tampering of any kind is a felony. Accessing computer systems without proper authorization is a felony. This post was not written with intent to enable election tampering, and I expressly condemn any activity to that end. Some technical details are omitted for both brevity and to prevent this from being a literal election-stealing guide. Rest assured, our adversaries already know it all.

Last week saw a federal court hearing in Curling v. Kemp, a lawsuit aimed at getting paperless DRE (direct-recording electronic) voting machines out of use in the state of Georgia. The hearing had many surreal moments, which are well documented here, here, and here, among other places. The record of the hearing can be found here. The testimony was chilling, but there were two clear standouts: the testimony of Michael Barnes (of the Secretary of State’s office, in charge of all Georgia voting systems) and Rick Barron (Fulton County’s Election Director). Both provided deep technical insight into how Georgia’s election system is run, and also made public several vectors by which votes can be stolen in Georgia. Nevertheless, the defense insisted that the system is secure and that nothing is wrong.

This post comes in three parts: an overview of how Georgia runs elections, how adversaries can attack it, and what we can do about it. All of this information is as of now completely public, and I guarantee that any serious threat to our elections has known it for years.

Georgia’s Election System

For a full-resolution version of this image, see https://mbernhard.com/ga.svg

Michael Barnes’s testimony gives us a relatively full picture of how Georgia’s election system works. There are three servers at the Secretary of State’s office: a public-facing website, a ballot-building server likely running GEMS (the program that allows election workers to manage ballots and program voting machines), and an ExpressPoll data server (the voter registration database). The public-facing website was the one indexed by Google that Logan Lamb accessed, and it contained a complete voter database file as well as GEMS database files (though Barnes claims these were just for training). According to Barnes, this server is not networked to the two servers that actually put data on voting machines and ExpressPoll units.

The other two servers are connected to a private (i.e. “air-gapped”: tightly controlled and not exposed to outside connections) network within the Secretary of State’s office, and data entry into this network is done only via keyboard. However, there is at least one notable exception: Barnes’s office must distribute proof ballot files to the county election officials, so they can ensure all races and candidates are accounted for, spelled correctly, etc. To do this, he transfers PDF representations of the ballots from the GEMS “air-gapped” network to his personal, Internet-connected work computer, and from there uploads them to a file-transfer (FTP) server so that the counties can retrieve them.

According to Barnes’s testimony, the USB drive he uses to transfer the ballot proofs has a write-lock switch (which Barnes refers to as a “lock position”) that, in theory, prevents data from being written to the drive when it shouldn’t be. He also claims to format it after every use. He states that this is the only removable media device (excluding compact flash memory cards) ever connected to the “air-gapped” network.

Barnes states that from the supposedly air-gapped network, election data and voter databases are loaded onto encrypted CDs and compact flash cards, respectively, and then hand-delivered to the counties by SoS staff. The CDs with the ballot data can only be decrypted with a password held by the SoS’s office, and counties must call with a verification code to get the password over the phone, decrypt the CD, and download the election data to their own GEMS servers. From there, each county’s GEMS server is physically connected to one voting machine, and compact flash cards are loaded into this machine and programmed by the server. The cards are then put into the voting machines to be used in each polling place, and each voting machine is dropped off at a polling place. A similar procedure is presumably followed for the electronic poll books, though Barnes’s testimony did not go into details about them.

At the end of each election, the election results are “accumulated” in each polling place by taking one compact flash card and plugging it into each voting machine in the polling place, aggregating the results. If you imagine each voting machine as its own ballot box, this is akin to putting all the ballots in one box. From there the results card is physically taken to the county office where it is combined with the rest of the county data in a manner similar to the polling place-level accumulation, and then election results are announced and transmitted to the SoS office.

As a brief aside, the one exception to this is Fulton County, where results cards and individual electronic ballots are taken to annexes and then transmitted to the county office via dial-up. Rick Barron, the Fulton County Election Director, insists his voting machines are never connected to the Internet, assuming that analog phone lines can’t be hacked. For reference, Apple Computer got started because its founders built “blue boxes” which let them hack the phone network into giving them unlimited long-distance calling, among other things. A Fulton County poll worker has even said that the phone lines in Fulton County’s election preparation center get telemarketing calls: the very same lines over which election results are transmitted.

Hacking Georgia’s election: top down

Based on this layout, there are several points of entry that can give attackers full access to the state’s entire system. The most obvious one is Barnes’s computer: an attacker from anywhere in the world could send Barnes an email with a virus attached that could then spread to the USB drive, the ballot programming network, the county’s ballot CDs or voter registration cards, and then into every voting machine and voter registration tablet.

I can speak from personal experience that email is a particularly effective vector of attack. Impersonating someone via email is not hard, and in fact we teach undergraduates to do it at the University of Michigan. Phishing attacks, where a bad actor sends an email to someone to gain some sort of access, like stealing their password, are notoriously hard to defend against. This was exactly the kind of attack that gave Russians access to John Podesta’s email account in 2016, so we know that at least one adversary is already more than capable of executing this attack.

Once the email has been sent to Barnes, the next step is building a virus that, once downloaded, will try to infect every USB device connected to the computer. There are numerous ways to do this that are publicly known, and almost certainly even more that are known to hackers and intelligence agencies like the NSA and GRU. It should be pretty easy to defeat the read-only setting that Barnes has on his USB stick, and if the malware manages to overwrite the firmware on the thumb drive, it could even be resilient to formatting. Hackers could just overwrite the code that tells the USB stick how to talk to whatever computer it’s plugged into with code that instead downloads files from a foreign server, which will then get put on the “air-gapped” machines as soon as the drive is plugged in to them. Attacks like these are how the U.S. and Israel (allegedly) carried out the Stuxnet attack on Iranian nuclear centrifuges, and also how Russia has jumped air-gaps and gotten into U.S. industrial control systems that aren’t connected to the Internet in recent months.

This line of reasoning applies to any USB device that’s connected to the private network. If another employee ever sticks a USB drive into the network, the chance of bad guys getting in is just as high as if Barnes gets phished. It is nearly impossible to police employees to ensure they aren’t doing this, as the NSA has learned with leaks like Snowden and Reality Winner, so I’m fairly confident this is just as viable an attack vector. Moreover, an attacker could craft a fake email from Barnes or another higher-up instructing an employee to insert a thumb drive into the private network.

Once the malware is on the ballot-building network, it would simply have to replicate itself onto some or all of the CDs burned and sent to county election offices. From there, it could exploit known vulnerabilities in either Windows XP drivers or in the Diebold GEMS software to gain control of the targeted county computers. Then, once elections are programmed on memory cards, it could finally make the jump onto each and every voting machine in Georgia, or just the ones targeted to achieve the desired outcome. Malware that steals votes and spreads in this manner has already been created by academics; it’s no stretch of the imagination that such malware has also been built by our nation’s adversaries.

Hacking Georgia’s Election: bottom up