‘Reckless and stupid’: Security world feuds over how to ban wireless gear in voting machines

But the proposal “profoundly weakens voting system security and will introduce very real opportunities to remotely attack election systems,” 22 security experts, activists and former election officials told the Election Assistance Commission in a Feb. 3 letter obtained by POLITICO. The experts included academics from Princeton, Johns Hopkins University and the University of California at Berkeley.

“This decision is unconscionable, reckless and stupid,” said Susan Greenhalgh, the senior adviser on election security at the activist group Free Speech for People, who helped organize the letter.

The commission is expected to approve the compromise measure this week as part of a massive and long-awaited update to federal voting equipment guidelines, the latest step in years of election security efforts by federal and state authorities. Its decision to reject a tougher wireless ban drew new attention in recent weeks after it quietly updated the draft standards with new language spelling out its compromise on the issue.

An earlier draft version of the key provision, approved by the EAC’s advisory boards in mid-2020, did not explicitly say that wireless hardware could remain as long as it was disabled. But the final version, on which the EAC’s four commissioners will vote Wednesday, added the words: “this requirement does not prohibit wireless hardware within the voting system so long as the hardware cannot be used.”

The EAC did not respond to multiple requests for comment. Nor did the Commerce Department’s National Institute of Standards and Technology, which coordinates the working groups that propose the standards updates to the EAC. But on Friday, the EAC posted a memo “dispelling misinformation” about the changes.

The commission denied that its working groups had initially proposed a more stringent wireless ban only for the agency to replace it with a weaker requirement, noting that a separate provision in an earlier draft explained how to disable wireless hardware. “If the intent was for a complete ban requiring no hardware present,” the agency said, “information on disabling wireless would not have been included in the requirements draft placed out for public comment.”

Supporters of the EAC’s language, which was added after conversations with equipment manufacturers, describe it as a reasonable compromise. They say other election security improvements will lessen the risks.

“Now that we’ve got paper ballots … we’ve got a durable record of the votes that’s beyond the ability of nation-state attackers to tamper with it, which gives us a bit of breathing room,” said Dan Wallach, a Rice University computer science professor. “So by weakening these requirements, I don’t see any inherently fatal flaw in the overall security of our elections.”

But many jurisdictions still use electronic voting machines that produce no paper record, despite the hundreds of millions of dollars that Congress has provided to state and local governments to secure their technology.

And critics argue — with some precedent — that disabling wireless equipment does not guarantee it cannot be reenabled, whether accidentally or deliberately. They also worry that vendors would obtain federal certification only to reenable the wireless functions at the request of local election officials, who often enjoy using it to instantly report unofficial vote tallies.

A long road to progress

The Voluntary Voting System Guidelines, produced by the EAC and NIST, are the country’s most influential voting machine standards. States, which run elections and buy voting equipment — or, in some cases, create menus of equipment that counties can pick from — do not have to use the VVSG, but most do so, requiring equipment vendors to submit their products to federally accredited labs that run certification tests based on the guidelines.

The guidelines have not been significantly overhauled since their initial publication in 2005, five years after Florida’s debacle with punch-card ballots in the Bush v. Gore presidential election triggered an initial move toward paperless devices. Version 2.0 has been in the works since January 2017. After Russia’s interference in the 2016 election, the working group drafting VVSG 2.0’s cybersecurity requirements was eager to ensure that the next generation of standards protected machines from widely feared digital attacks.

Voting machine manufacturers insist that their devices are safe from hackers because they never connect to the internet. But that is not true of all machines. As election security gained more attention, the spotlight fell on voting machines with built-in wireless modems, which use cellular technology to transmit unofficial results to central offices on election night. This data transits the internet, creating the risk that hackers could tamper with it. The modems also expose the machines themselves to intrusions.

Wireless modems have also occasionally gotten vendors into trouble. In August 2020, the EAC ordered Election Systems & Software, the country’s largest vendor, to stop claiming in marketing materials that its modem-enabled ballot scanner was federally certified. (A federal lab had certified only the modem-free version of the scanner.)

In late 2019, the VVSG 2.0 cyber working group added provisions to the new document that banned wireless and internet connectivity in voting systems. Activists, who had collected more than 50,000 public comments supporting such a ban, were elated. A representative of the conservative advocacy group FreedomWorks, which was part of the bipartisan coalition that drove the comment campaign, called the ban “a commonsense measure to ensure the integrity of our voting machines.”

Appeasing vendors

As the wireless restrictions were being drafted, many security experts pushed for strict language requiring the machines to be physically incapable of connecting to external networks. But the EAC opted to allow manufacturers to include networking hardware as long as it was rendered unusable. The guidelines offer several examples of how to do this, including disabling the software that allows the wireless hardware to work.

Voting machine vendors pushed for this approach, according to two people involved in private discussions between EAC and NIST staffers and vendor representatives, who requested anonymity to discuss confidential deliberations.

Commercial off-the-shelf “components and systems without multiple wireless capabilities … are difficult to source and are expensive,” said Maurice Turner, a former senior adviser to the EAC’s executive director. “The elections market just isn’t big enough to sustain that kind of specialized chip development.”

Major voting machine vendors either declined to comment on the compromise wireless ban or did not respond to requests for comment.

Wallach, who spent 2020 working with the election technology nonprofit VotingWorks, said the company had built its electronic voting machines around commercially available tablets and laptops. “It’s actually quite difficult to order a [commercial off-the-shelf] tablet or laptop without any sort of [wireless] radio!” he said.

Given the complexities of building new hardware and preparing testing regimens, it may be a decade or more before voting machines certified to VVSG 2.0 enter the market. By that point, Turner said, vendors may find it almost impossible to buy wireless-free equipment.

“The demand for devices and components without wireless capability is already shrinking rapidly,” he said. “I expect the costs to rise and supply to shrink [as] demand shrinks.”

The EAC’s memo made the same argument, saying the compromise was “an attempt to not paint ourselves into a corner’ where voting system costs may rise substantially in the future if they require custom [commercial off-the-shelf] configurations that are no longer widely available.”

“These requirements,” it said, “are based on the possibility that the elimination of the wireless hardware is unattainable in some circumstances.”

‘An obvious line of attack’

The EAC argued that disabling wireless hardware offered strong protection against hackers. “Wireless is effectively banned,” the agency’s memo said, “as any voting machine seeking to install the drivers, configure the hardware, and enable the functionality will not be certified by the EAC.”

But to some security experts, the EAC’s decision to accommodate vendors leaves too much to chance. The new guidelines may require wireless gear to be unusable, but their implementation may create a messier reality.

“It simply is not true that we can rely on ‘a system configuration process that disables wireless networking devices,’” said Neal McBurnett, an independent security consultant who helped draft the ban, referring to language in the document. “That leaves open an obvious line of attack, by modifying the software or changing the configuration via a variety of common methods.”

The guidelines themselves acknowledge that “testing software is so difficult that [security audits] cannot rely on the software itself being correct,” McBurnett said, which is why the VVSG cyber working group rejected this way of implementing a wireless ban.

The compromise prohibition on wireless connectivity would allow vendors to meet the requirement in faulty ways, said Alex Halderman, a University of Michigan computer science professor and one of the country’s leading voting security experts.

Vendors could, for example, simply remove the part of the voting machine’s operating system that lets a user click on a wireless network and join it. “In that case,” he said, “the [wireless] radio might still be powered on and receiving transmissions.”

Hackers have demonstrated the ability to remotely commandeer devices such as iPhones over Wi-Fi without their owners knowing. Voting systems with latent networking hardware “will be vulnerable to malware worms that spread wirelessly,” McBurnett said.

History validates experts’ concerns about defective wireless restrictions. In 2015, Virginia stopped using AVS WINVote touchscreen voting machines, devices that researchers had labeled notoriously insecure. As Wired reported at the time, “investigators found that even when they clicked a button to disable the wireless function in an attempt to close them off from remote attack, the device’s network card was still able to send and receive traffic.”

Leaving dormant wireless hardware inside voting machines also puts a significant amount of trust in maintenance contractors and poll workers.

Kevin Skoglund, the president and chief technologist of the nonprofit activist group Citizens for Better Elections, which focuses on “promoting election security and efficiency” in Pennsylvania but is not associated with right-wing conspiracy theories, said he worried about a scenario in which “the wireless features will be turned on accidentally or fail to be properly turned off.” He added that “some counties have over 3,000 voting machines to maintain using thin resources and there are many ways the configuration could get changed.”

For example, a vendor’s employees might ask election workers to enable the wireless feature for remote tech support and forget to have them disable it, he said.

Wallach acknowledged these risks. “By having reduced requirements, we might enable some election administrators to run their elections with reduced security,” he said. “That’s the tradeoff. With more flexibility comes more responsibility.”

Skoglund, who helped draft the original ban, also fears that companies will “turn off wireless to gain EAC certification and then turn it back on” for customers. “Vendors say they continue to sell modems to states as after-certification add-ons despite the risks ‘because that’s what our customers want,’” he said.

Jeremy Epstein, the lead program officer for the National Science Foundation’s Secure and Trustworthy Cyberspace program, described the change to the ban as “a bad move” and “a way to allow vendors to build hardware that meets the requirements, and then allow states to turn on the wireless.”

The EAC denied this. “Any jurisdiction or manufacturer enabling the functionality will be subject to a revoked certification,” its memo said.

And while supporters of the modified ban argue that the increasing use of paper ballots provides a check against malware-induced malfunctions in electronic voting machines, this is only true if voters verify that their paper printouts accurately reflect their vote choices and were not tampered with. Research shows that they often do not.

No end to the debate

With the EAC poised to approve VVSG 2.0 and its compromise wireless ban, critics of the agency see fresh evidence that it is more concerned with protecting vendors than preventing cyber threats.

Greenhalgh said that by quietly adding new language to the draft guidelines, the agency was “trying to do an end run around the statutory requirements” for VVSG update procedures “to avoid public scrutiny of some of the more dangerous changes it has made.”

The debate over new voting equipment standards comes as congressional Democrats ready ambitious election reform legislation. The bill contains some cybersecurity provisions, but lawmakers did not include specific voting equipment requirements beyond the use of paper ballots.

The final vote on the revised guidelines may not be the end of the story. Election officials have urged the EAC to let its staff experts update the VVSG’s requirements without a vote of the commissioners in response to changing threats.

If that happens, Wallach said, a stronger wireless ban and other discarded VVSG provisions “could be folded back in … if it turns out that their removal was only in hindsight considered to be a huge error.”