Officials in Georgia are strangely apathetic about addressing key vulnerabilities in the state's voting system ahead of the special election Jun. 20 between Republican former Georgia Secretary of State Karen Handel and Democratic political newcomer Jon Ossoff.
Politico spoke with cybersecurity expert Logan Lamb, who heard last August that the FBI was investigating attempted hack attacks on voting machines and decided to try to hack a Georgia voting machine himself to see how it stood up to an outside threat.
The results were not good, according to Lamb, whom Politico's Kim Zetter described as "(a) 29-year-old former cybersecurity researcher with the federal government’s Oak Ridge National Laboratory in Tennessee, Lamb, who now works for a private internet security firm in Georgia."
A bit of research showed Lamb that the state of Georgia does all of its testing and programming of voting machines through Kennesaw University's Center for Election Systems. He went to the center's website and began to examine its vulnerabilities.
"I was looking for PDFs and documents," Lamb told Politico -- any items that would illuminate how the state's system works. What he found alarmed him.
"(H)e encountered a number of files, arranged by county, that looked like they could be used to hack an election," wrote Zetter. "Lamb wrote an automated script to scrape the site and see what was there, then went off to lunch while the program did its work. When he returned, he discovered that the script had downloaded 15 gigabytes of data."
“I was like whoa, whoa. … I did not mean to do that. … I was absolutely stunned, just the sheer quantity of files I had acquired,” Lamb said.
Even as reports mount that Russia-aligned hackers have penetrated multiple states' voter databases and the full extent of their activity is still unknown, Georgia election officials are taking no steps, critics say, to secure the vote and render it impervious to outside tampering.
“The security weaknesses recently exposed would be a welcome mat for bad actors,” said Marilyn Marks of the Rocky Mountain Foundation -- a vote integrity group that has sued the state of Georgia demanding paper ballots in the runoff election between Handel and Ossoff in case of the need for a recount.
Among the documents Lamb found in his possession were "a database containing registration records for the state’s 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day; and software files for the state’s ExpressPoll pollbooks — electronic devices used by pollworkers to verify that a voter is registered before allowing them to cast a ballot. There also appeared to be databases for the so-called GEMS servers. These Global Election Management Systems are used to prepare paper and electronic ballots, tabulate votes and produce summaries of vote totals."
All of these items were supposed to be behind a password-protected firewall, Lamb said, but due to a configuration error in the site's server, anyone could download whatever they wanted from the site.
“You could just go to the root of where they were hosting all the files and just download everything without logging in,” Lamb said.
Furthermore, the university center is using an outdated version of the content management software Drupal, one that contains a critical security flaw known by security researchers as "Drupageddon."
"It would let attackers easily seize control of any site that used the software," Zetter explained. "A patch to fix the hole had been available for two years, but the center hadn’t bothered to update the software, even though it was widely known in the security community that hackers had created automated scripts to attack the vulnerability back in 2014."
Lamb said that given what we know about attempts to hack the 2016 election, cyber intruders could easily have penetrated the database and planted malware or corrupted files, which would then be copied onto the computers of every election worker in the state, giving hackers back door access to the state's entire voting system.
For more than a decade, the Kennesaw University center has played a crucial role in calibrating and certifying Georgia's voting machines. The center also supplies every county in the state with GEMS software to use in counting and tabulating votes. According to Lamb, this enables hackers to program voting machines to record votes for the wrong candidate.
"And since Georgia’s machines lack a proper paper trail — which would allow voters to verify their choices before ballots are cast and could also be used to compare against electronic tallies during an audit — officials might never know the machines recorded votes inaccurately," Politico said.
It is currently unclear whether this has ever happened in Georgia, but security experts say that there is no sure way to recognize this type of hacking after the fact. To vote-counting software, the votes look exactly the same as accurately tallied votes.
The center also distributes voter registration lists to the state. During the 2016 election, multiple voters arrived at their polling places in Fulton County -- one of the largest urban counties in the southeast -- and were told they were registered elsewhere. When the voters went to the new location, they were told to return to the original polling place. These are the types of mistakes and miscounts that would be most readily pulled off by malevolent hackers.
This week, Reuters reported that Russian hackers penetrated vote databases in 39 states and removed or altered voter data. They also managed to access the software used by poll workers to verify voters at the polls -- the same software distributed by the Kennesaw center.
Most states in the U.S. have a patchwork, Politico said, of different brands and types of voting machines. All of the touch screen voting machines in Georgia come from the same manufacturer, the now-defunct Premier Election Systems -- formerly known as Diebold.
The state uses more than 27,000 of these years-old machines and more than 6,000 ExpressPoll poll books, also made by Diebold. In other states, individual counties program and test their machines. Politico said that Georgia's reliance on one central agency makes it "a bull’s-eye for someone wanting to disrupt elections in the state."
On Friday, Fulton County Superior Court Judge Kimberly Esmond Adams ruled against plaintiffs seeking an injunction against using the potentially compromised voting machines. The Secretary of State's office declined to answer Politico's questions about the integrity of the state's voting machines.
Lamb made the center aware of the vulnerabilities last August and executive director Merle King said he'd see to it that the problem was handled. However, a colleague of Lamb's named Chris Grayson attempted to download the same cache of information in March of this year and found that it was still possible without a password.
King -- who had hidden the issue from the public and from the Secretary of State's office -- was forced to acknowledge the failure to protect the state's election system. He refused to comment to Politico about the matter.
The center contacted the FBI, accusing Lamb and Grayson of malicious hacking. After investigating the two security specialists, the FBI found no wrongdoing but urged Lamb to delete the files he'd found.
"(T)he incident exposed the fact that the center had been operating its networks outside the scope of both the university system and the secretary of state’s office for years, according to a March 1 preliminary analysis produced by University Information Technology Services (UITS) and obtained by Politico," wrote Zetter.
“Essentially, what that report is saying is that there was this rogue operation,” said a source familiar with the UITS review. “The Election Center was operating outside of [the university’s] processes, and they weren’t aligned with any larger security strategy.”
Workers at the center connected the center's private database to the internet and created a wireless portal for themselves, UITS said, both of which created entry points for hackers.
Politico obtained emails from the center that said a private security firm was brought in after the March breach of the database. However, it does not appear that any in-depth forensic analysis has taken place to see whether other intruders have accessed the network, nor is it clear whether the center kept sufficient network logs to use in an investigation.
In 2016, the Department of Homeland Security extended an offer to Georgia and other states to help safeguard their election systems from outside attack. Secretary of State Brian Kemp (R) declined the offer.
“[B]ecause of the DNC getting hacked -- they now think our whole system is on the verge of disaster because some Russian’s going to tap into the voting system,” Kemp told Politico at the time. “And that’s just not -- I mean, anything is possible, but it is not probable at all, the way our systems are set up.”
If the NSA reports are to be believed, it is not only possible but probable that Georgia's election systems have been compromised, but officials don't seem interested in addressing the problem before the special election runoff next Tuesday.
During her own time as Secretary of State, Handel commissioned a report from Georgia Tech analyzing the state election system for security flaws. The study found multiple issues, but not only did Handel decline to address them, she held a meeting in which representatives of the Kennesaw center shouted down the investigation team's leader Richard DeMillo and his staff at her office.
“I thought it was very strange,” DeMillo said to Politico. “It was kind of a contentious meeting. The Kennesaw people just stamped their foot and said ‘Over our dead body.’”