Voter Websites In California And Florida Could Be Vulnerable To Hacks, Report Finds

Enlarge this image

An election worker uses an electronic pollbook to check voters at a polling station in the Echo Park Recreation Complex in Los Angeles on March 3, 2020.

Patrick T. Fallon/Bloomberg via Getty Images

hide caption

toggle caption

Patrick T. Fallon/Bloomberg via Getty Images

2020 Election: Secure Your Vote
U.S. Blames Iran For Threatening Election Emails, Says Russia May Interfere Too

2020 Election: Secure Your Vote
Voters In Florida And Alaska Receive Emails Warning ‘Vote For Trump Or Else!’

The election threat report that flagged the vulnerability was written by cybersecurity experts at the cybersecurity firm RiskIQ and by Northrop Grumman, and compared voter registration websites around the country with those that appeared to have been hacked in 2016.

The report makes clear that the threat today is hypothetical, and had no evidence of a current attack on American elections. U.S. intelligence officials contacted by NPR before last night’s announcement, who read the contents of the report, agreed however that voter registration websites are a favored target of foreign hackers for a simple reason: They can be an easy target.

Administration officials have confirmed publicly that they believe that several counties in Florida, the State of Illinois Board of Elections, and possibly several counties in California had been victims of a hacking campaign four years ago.

Trouble in Riverside

One of the cases that remained mysterious, though, happened in Southern California. During the 2016 primary elections, District Attorney in Riverside County, Michael Hestrin, began fielding calls from angry voters who said they weren’t allowed to cast their ballots — their voter information, they said, had been changed.

«Once the number got to be over 15 or 20, I was very concerned,» Hestrin recently told NPR. «I asked my chief investigator to send out several investigators to some of the larger polling places in our county… and meet some of these voters who had called me.»

Enlarge this image

Riverside County District Attorney Mike Hestrin speaks at a press conference on Jan. 18, 2018, in Riverside, Calif.

David McNew/Getty Images

hide caption

toggle caption

David McNew/Getty Images

2020 Election: Secure Your Vote
Race For A (Ballot) Cure: The Scramble To Fix Absentee-Ballot Problems

2020 Election: Secure Your Vote
When The Voting Is Done: Facebook, Twitter On ‘High Alert’ For Post-Election Threats

The RiskIQ-Northrop Grumman report also found that dozens of counties in Florida had voter registration websites that had lots of similarities to those in Riverside County in 2016. Those websites have since migrated to a new operating system that isn’t vulnerable to the same attack, but the report concluded that in order to make sure they weren’t hacked before the migration, their websites need to be checked for vulnerabilities that might have slipped in before they moved. (The report names 69 counties in both Florida and California that might be vulnerable to attack, but NPR is not naming them.)

The report also raises the concern that these Florida counties could potentially be even more vulnerable than Riverside County was four years ago because they all share the same website management system. So if a hacker is inside one website he or she could have access to all the others too.

This past May, the FBI briefed Florida lawmakers on which of their 67 counties were successfully breached back in 2016. The officials were not allowed to divulge what they had learned, but they stressed that there was no evidence that cyberattacks changed any votes. They confirmed that Russian hackers would have been able to change voter registration data if they had wanted to. There was no evidence, they said, that the hackers did so.

Getting loud

«I think [Riverside] is one of the most unheralded incidents of 2016,» said Ryan Munsch, a solutions architect at RiskIQ who tracks election systems and possible vulnerabilities. He decided not to speak about the substance of the report but agreed to talk about Riverside County, which is public. «There is what we call proof of concept in which you wouldn’t gain a whole lot of attention, which was the case in Riverside, and you conduct an exercise that proves you can do something that, if necessary, can be done at a larger and broader scale.»

Just a month after the Riverside incident, the Illinois State Board of Elections found intruders inside its voter-registration website. Someone had been probing their voter rolls and was downloading voter information. Officials only discovered the breach after the intruder was inside and accidentally crashed a server. Intelligence officials later confirmed publicly that they had traced the breach to Russian hackers.

«The actors got loud and essentially shut down the voter registration database, and that called attention to the problem,» said Neil Jenkins, who served as DHS’ election security coordinator in 2016 and is now chief analytic officer at the Cyber Threat Alliance. «And there’s been a bit of a conversation about why those actors, who we now know were Russian hackers, why were they so loud? Were they loud because they made a mistake, or were they loud because they were trying to draw attention to their presence there?»

DHS has been worried enough about voter registration websites that it hired the RAND Corporation to assess vulnerabilities. RAND found, among other things, that state and local registration websites could be locked by hackers looking for money or manipulated by bad actors wanting to rattle the election. Jenkins said DHS officials continue to be concerned that suspicious incidents they saw back in 2016 were a dry run for something more sophisticated in 2020.

Too close to the election

The RiskIQ/Northrop Grumman report looked at the websites’ vulnerability to a particular kind of hack, something called a Padding Oracle Exploit, or POE. It was popular with hackers over a decade ago and is used to decrypt encrypted information.

One of the concerns laid out in the report is that bad actors could use a POE to decrypt credentials to give themselves administrator access to the voter registration website. Armed with this type of access they could potentially plant malware, change code, and even insert errors into the data.

DHS, for its part, said it found the report «misleading» and pointed out that the report itself said that websites in Florida were probably protected from the hack because they had migrated to a newer operating system. The report also said, however, that the websites could have been compromised before the migration happened. The last voter website to migrate to a new operating system did so in 2019. The report suggests DHS do an audit of the Florida voter registration websites to make sure some vulnerability didn’t accidentally slip in.

Jenkins said DHS officials might also be hesitant to address details of the report or contact local officials about its findings because they haven’t seen any indication that this hack is imminent, and, as a general matter, local officials are unlikely to patch their systems against a possible vulnerability this close to the election.

«Amazon probably doesn’t make a lot of changes to its infrastructure just before Prime Day because they’ve got something big coming up,» Jenkins said. «Target doesn’t patch a lot of vulnerabilities the day before Black Friday because they know operationally the website has to be up and running.»

The last thing election officials would want to do just weeks before their big day, he said, is to patch a website against a vulnerability that might not be severe and then find themselves watching helplessly when the patch makes their website crash.

NPR’s Monika Evstatieva contributed to this story.

• 2020 election
• election security
• voter registration
• voting