Today, Explained - Can I hack it? (Yes, you can.)
Episode Date: November 2, 2018Hacking our elections is so easy, a 7-year-old can do it. (Really.) How we got here and why the best solution is one you might not expect. Learn more about your ad choices. Visit podcastchoices.com/ad...choices
Transcript
Discussion (0)
You know what time it is? It's Today Explained time, but it's also finally time for the Viper Club to be showing in theaters nationwide.
The movie stars Susan Sarandon as a mother trying to get back her journalist son and kind of striking out on her own to do so because the government can't help.
Viper Club, starring Susan Sarandon in theaters in New York and Los Angeles and other places too.
Logan Lamb is what is known in the business as a white hat hacker.
So there are black hat hackers, and those are the bad guys who go into systems and do,
you know, nefarious things.
And then there are white hat hackers
whose job it is basically to figure out
whether or not systems are secure.
He decided to start looking into the election systems in Georgia
because people had been talking about it
during the 2016 campaigns.
He starts poking around in the election systems center, which is at a university in
Georgia called Kennesaw State. And that's where all of the election data is organized. He wrote
a little program to just see what he could find within that website. And he was shocked because
it had downloaded
all sorts of information that should have been private,
should have been behind a firewall.
He found every single voter in the voter database.
So that's something like 6.7 million voters. All of the
software for the electronic poll books, all sorts of PDFs with passwords for the election workers to
sign in to their central server on election day. He got into all the databases for the election
management services where they put together the ballots.
Basically, he found everything that would have been needed to run an election, and therefore everything
that would be available to be hacked.
So at that point, he was obviously very surprised,
and he reported it to the guy who was in charge of the election center, a man named Merle King.
King told him, OK, thanks a lot for telling me this, but make sure you don't tell anyone downtown.
So he didn't.
And he just assumed that King was going to take care of it.
A few months later, there was the election,
and there was always this talk at that point of, you know,
Russian interference with the election.
So he was talking to a friend of his, and they decided to go back and see if they could get access to it.
They assumed they couldn't, but he went in, and there it was again.
They were able to download everything again that he had found.
Georgia did nothing with the information that Logan Lamb had found out.
And it was only after the second venture
that they actually moved it away from Kennesaw State.
But it was unsecured throughout the entire election.
Sue Halpern, you wrote about election hacking for The New Yorker. When we talk about hacking our elections, what are we talking about? Is it the Russian bots spreading propaganda on Facebook
with fake accounts? Or is it like, you know, I voted for a Democrat and some hack changed my
vote to a Republican or something more sinister sounding like that?
Hacking is many, many different things.
There's the kind of hacking that we saw during the election and prior to the election and now, which is spreading propaganda essentially through social media. And then there is the kind of hacking that we sort of think more typically as hacking, which is going in and messing with some kind of data.
What people focused on during the election was, did the Russians manage to change votes?
That campaign was multifaceted. It involved cyber espionage, leaks of stolen data, cyber intrusions into voter registration systems, online propaganda, and more.
There's no evidence that they did change votes. It's possible, so it's not clear.
So we know for a fact that they may have influenced the way people voted, but we don't know for a fact if Russians changed any votes directly.
That's right.
There's no smoking gun.
No, the Department of Homeland Security has said numerous times that although no actual votes were changed in 2016 machines that are in service in this country that
have no way of being audited or no ability to have a recount. So it's really just not clear.
You know, a lot of the work that hackers do is surreptitious. So they can't say for certain that
it really didn't happen. You can just say probably didn't happen.
Did Homeland Security find any evidence of an attempt to get at any voter registration, voter machines, anything like that?
Yeah. Homeland Security found that Russian hackers had touched something like 20 states' voter registration databases.
We saw targeting of 21 states, and an exceptionally small number of that 21 were actually successfully penetrated.
What that really means is states that had sensors on their servers that would indicate that someone from the outside was trying to gain access to it.
But not every state has those sensors.
That number is not necessarily a representative number. It's just the number that
we have. We know for sure that they were able to get access to the Illinois voter database,
but I think that might be the only one that we know for sure that they went beyond just touching
it. Is that a thing you want to like hack into? Like a voter roll, a voter registration roll?
They have them when you go vote.
You see all these names kind of, you know, there's a volunteer managing it.
Couldn't you just like run into like a voting booth and grab one and run away?
But that doesn't do you any good unless you can manipulate it.
If you could get access to it at the kind of root level of it and then start messing with it.
Okay.
When you go to vote, what appears to be the real record
has been manipulated, has been changed. That's a trick. And it's particularly worrisome in a state
like Georgia, because Georgia has very strict rules. Someone can get tossed off if they haven't
voted in a couple of years. And so if they delete someone's voter history
and that person shows up to vote and says,
I'm here to vote, and the poll worker says,
well, you haven't voted in the last couple of elections,
so you're no longer registered to vote,
there's no way to prove that they actually did vote.
So it's a very effective way of hacking an election
without changing a single ballot.
What about voting machines? I mean, when I go to vote and I'm using this old clunky piece of
hardware and I hear about voter hacking, I always think like, well, those machines can't be that
hard to hack, can they? They look vulnerable. It depends on the machine. But for the most part,
the ones that we're using now are extremely vulnerable. Part of the reason why they're
vulnerable is they're really old. They are probably close to 20 years old. They probably had a shelf life of about 10.
Wow.
They often use software that is no longer supported by the manufacturer, but they're
very expensive. That doesn't necessarily mean that someone's going around to your voting place and
messing with your particular system.
It would be much more efficient to hack into the vote tabulators. But if a voting machine
is sending information to a central server over the internet or over cellular data streams,
it can be intercepted. There are things called stingrays.
Stingrays.
It sets up a fake cell phone tower
that tricks something sending cellular data
into sending the data to it.
It can manipulate it,
and then it sends it on to the final destination.
So that's a possibility.
Have you ever hacked into a machine, Sue?
No.
Okay.
But I have been in the presence of people
hacking into election machines, for sure.
For example, not for real, right?
Yeah, yeah, yeah, obviously.
Because if I did it for real, or if it was even in the presence of someone doing it for real, that's actually a felony.
Right.
So no.
Every year, for the last two years at DEF CON, which is the big hackers conference in Las Vegas, there's something called Voting Village.
This voting machine is used in 18 different states,
and it's extremely easy to get admin access on this machine.
So let me show you how quick it is.
It's about a little under two minutes.
A bunch of computer scientists will have gathered
probably about 30 or 40 old voting machines
that they buy off of eBay or at government surplus auctions
to be hacked.
All they have to do, this bad actor, would be to open up this machine
by pressing this button right here, unplugging this.
Again, you don't need any tools to do this.
Pick this lock here with a ballpoint pen.
And now I have full admin access under two minutes.
So I've watched people do that.
And then this year, they set up a whole other system, which was a voter registration database.
It was a mock-up of the Illinois system.
And they let people try to hack into that.
When you go hang out with these folks who are hacking machines or hacking databases,
how surprising is it to you how easy they can do it?
You know, it's actually very shocking.
There was a really funny thing that happened this year at DEF CON.
They set up a situation for kids to hack into mock Secretary of State voter registration databases.
So they weren't the real thing, obviously.
My name is Alex, and I'm seven years old, and I'm hacking into voting.
It's actually really easy. I bet the Russians could do it in their sleep.
It took the kids minutes to get into them and then to manipulate them.
The idea that kids are capable of doing this is worrisome.
The fact that the best hackers in the world can break into most of these machines within minutes is worrisome.
I mean, the whole thing is worrisome.
Coming up, how we ended up with this trash fire of a system in the first place. I'm Richard McCarthy is the editor of Today Explained, and she was listening to the promos I've been doing for the movie Viper Club,
and she was like, it sounds like you've seen Viper Club.
And I just want to be clear, I have not seen Viper Club.
I have been working, making a daily podcast every day.
And it was Halloween, and I got family in town.
I haven't seen Viper Club, but now I can,
because it's showing in Washington, D.C. right now.
I just Googled it.
It's showing at the Regal Gallery Place Stadium 14 at 12.15, 2.55, 5.35, 8.15, and 10.55.
And it's showing at the landmark Bethesda Rose Cinema at 1.30, 4.25, 7.25, and 9.55.
You too can find out when Viper Club is showing near you because it's Friday, November
2nd, and Viper Club is now showing in theaters nationwide.
When did the election system get so vulnerable to hacking? When exactly did that happen?
In the 2000 election, Bush v. Gore, there were a lot of older voting machines.
Look at this in Florida. Here we are, 99% of the vote in.
We have projected it, obviously, for George W. Bush.
I've just gotten off the phone. It is, in fact, true that the vice president has called to recant his concession.
But this race is simply too close to call.
And until the recount is concluded
and the results in Florida become official,
our campaign continues.
Voting machines in Florida
were the ones that resulted in
these things called hanging chads.
Do you have an hour? I can explain it. First you have to know that the punch hole is called
a chad. It is attached to the ballot by four threads.
You were pushing a button and the button was supposed to make a mark on a ballot.
In the morning the commissioners had decided that if it had been detached by only one thread,
it would not be counted as a vote.
Two detachments, maybe.
Three, definitely counted as a vote.
But then there was also another whole issue there.
Democrats charge a confusing ballot layout led voters to think they were punching the
ballot for Al Gore when they were actually voting for Reform Party candidate Pat Buchanan.
It wasn't clear who the person was actually voting for.
Number four, pointing over here. Number five, pointing over there.
They either voted for the wrong man or they hit two numbers.
And so there was this complete mess going on in Florida. Given the totality of the circumstances here, I move that this board conduct a manual recount
of all the ballots for the presidential election for the year to come.
You know, it went to the Supreme Court.
The Supreme Court of the United States has reversed the decision of the Florida Supreme
Court.
And now by one vote on the Supreme Court, this election is over.
As a consequence, Congress passed this law called Help America Vote Act, HAVA.
The Help America Vote Act of 2002 is a bipartisan measure to help states and localities update their systems of voting and ensure the integrity of elections in America. HAVA put aside a lot of money that went to the states
for them to upgrade their election machinery and their systems.
And so a lot of states went out and bought these kind of fancy new electronic voting machines.
But first of all, they degrade.
Second of all, they have security holes that don't get patched.
And as we've seen, they're also easy to hack.
Are they being used differently across the country?
Every state administers its own elections. So every state has its own systems. And within
every state, every county has its own system. And every county administers its own elections.
And so it's a patchwork. They're very, very different. There's no consistency, municipality to municipality.
And that has been seen in many ways as a benefit because it's harder, obviously, to break into
a system that is very localized.
You can break into it, but it won't necessarily have that big an effect.
If you're a hacker, you want to find a big attack surface.
You want to find the biggest attack surface. You want to
find the biggest one you can find because that will have the biggest impact. The understanding
has been that the patchwork system that we have, which can work better in some municipalities and
others, is a deterrent to hackers. It's a feature, not a bug.
Yeah. It's unclear if that's true, but that's been one of the talking points
for people who are trying to allay other people's worries that this is a hackable system.
Has the government tried to do anything about the fear of hacking in particular yet?
Yeah, so the government has done a bunch of things to try to deal with this problem.
But the federal government has no control over elections.
It's only the states that control elections. And some states are really very much opposed to the
federal government having any role in elections whatsoever because they see it as taking over
some state autonomy, and they don't like that. The idea of federalizing our elections to where we have a one-size-fits-all
voter registration system or mandating that states use a certain voting system creates all
kinds of problems and quite honestly I think would make the system more vulnerable, not less.
Before Obama left office, his Secretary of Homeland Security declared our election systems to be critical infrastructure.
And of course on January 6, 2017, utilizing my authority as Secretary of Homeland Security,
I designated election infrastructure in our country as critical.
And that gave the federal government the ability to offer states help in hardening their systems. So they put money into
that. So they would send cybersecurity experts around to the states to help them figure out
how to make their systems more secure. But it was a voluntary thing. States didn't have to do it.
So how can this be solved? I mean, you've written about this, you've hung out with hackers,
you know quite a bit. Do you have ideas that the government doesn't? If I did, I think I could make a lot of money.
Is there money in this? It feels like in America, problems get solved when there's money in it. But
it feels like these sad voting machines continue to be used because no one really
cares to spend any money on this. It really, in many ways, is a money question, if we can upgrade the hardware and the infrastructure.
But then there's also another whole issue there, which is that pretty much every computer
scientist who looks at electronic voting machines of any kind will tell you that they can't be 100% secured.
It's just not a possibility. And that's why everyone in this field will also tell you that what's needed are paper ballots
and what are called risk-limiting audits at the end of an election period.
And the risk-limiting audit is basically a way of looking at a sample of ballots to make sure that they correspond to what the machines are saying happened.
Many of the machines that we have now are purely touchscreen machines that have no paper trail and therefore can't be audited and can't have a recount.
We have to have an ability to have a paper record that can be checked. And
that way we can have elections where we know the end result is true. This is one of the few things
in our day and age that technology can't fix. What's most interesting to me is that the people
who are the most technologically savvy
are the people who are saying, we need this very non-technical fix.
And the reason is because they know machines are vulnerable.
Sue Halpern is a contributing writer to NewYorker.com
and a scholar in residence at Middlebury College.
Sounds nice.
I'm Sean Ramos from This Is Today Explained. Before we go for the weekend, I just want to say we promote a lot of podcasts on this show,
but I feel especially invested in the second season of The Impact because I've been sitting
here at Vox for almost a year now watching Sarah Cliff and her team, Jillian Weinberger and Bird
Pinkerton, put together this show. And I hear about the stories they're focusing on for the second season, and it just sounds so good. What they're doing is getting out of Washington, D.C.
to look at how states are experimenting with policy to help people. Because unlike Washington,
D.C., local governments are constantly implementing new, exciting, experimental policies.
The first new episode of the season is called
Is Fixing Campaign Finance As Easy As Giving Everyone $100?
Because Seattle is running this radical experiment
to fix campaign finance.
Last year, the city sent every resident $100
that they could donate to the local campaign of their choice.
You can find out how that went.
Why wouldn't you want to listen to that?
Go subscribe to The Impact. Rate, review, listen to every episode. You're gonna love it, kid.