On October 27, 2020, Phoenix Security Labs released a report on the current state of election security in the United States with a focus on systems in the State of Georgia.
The full PDF of the report can be obtained here.
The report found that, while voting machines meet certain requirements for certification, there are still issues in the certification process. Currently, election machines are required to receive a one-time certification before they are implemented in an election. However, there is currently a hesitation with regards to de-certifying a system, even if a third-party vendor that the equipment relies on stops providing support. This could lead to machines continuing to be used in election cycles due to their certification, even if an underlying component is potentially vulnerable to attack.
Additionally, the report addressed concerns stemming from a security breach of election equipment that was previously housed at Kennesaw State University in Kennesaw, Georgia. In this incident, election servers were available via the open Internet, and likely led to a data breach.
Physical access to machines prior to an election can lead to the discovery of vulnerabilities not previously discovered by the vendors. For example, security researchers at a recent DEF CON conference, a conference of ethical hackers and security researchers, were able to demonstrate vulnerabilities in a Dominion system used in multiple states. While Dominion was able to fix the vulnerability, it demonstrates the risks of physical access to machines, as well as the benefits to interfacing with external security researchers to address security concerns prior to an election.
One of the recommendations pitched by Phoenix Security Labs is for the push to an annual recertification process for equipment, ensuring that voting machines are routinely audited on an annual basis, requiring patches or updates when issues are disclosed to keep their certification current.
Another recommendation is to ensure both the physical and network security surrounding voting equipment. There should be a detailed procedure for who is allowed to access equipment when stored, as well as a ledger of each time a machine is physically accessed. The presence of the equipment on a network needs to also be highly controlled as well, either completely removing remote access, or limiting access through the implementation of Virtual Private Networks (VPNs).
Finally, Phoenix Security Labs firmly believes in the security advantages organizations can obtain by interfacing with security researchers. Election equipment vendors and state election offices should consider how they interact with researchers, and implement a process for receiving notification of security issues discovered by researchers. In the case of the DEF CON example detailed in the report, we see the benefits to having security researchers test equipment before the same vulnerabilities are discovered by adversaries.
With the election process being a staple of American democracy, and one of the most direct ways that citizens become involved in the political process, ensuring the security and availability of elections is of paramount importance. For this reason, Phoenix Security Labs believes that the implementation of these recommendations should be strongly considered by vendors and election offices.