EAC standards don’t fully protect voting systems, pen tests show

Even states that meet U.S. Election Assistance Commission (EAC) standards might find their voting systems are not adequately protected, the results of penetration tests show.

Pen tests on voting systems in 10 states revealed a number of vulnerabilities, and pen testers at Coalfire were able to reverse engineer voting media and replace voting system software with an emulation program that adds malicious logic to record malicious votes, the company said.

“The U.S. voting system is peppered with vulnerabilities, and voters are losing confidence,” said Coalfire CEO Tom McAndrew. “Our voting systems require significant improvement from the hardware and software that run voting machines, the networks that connect the votes and databases, and the policies and standards that oversee their operations.”

Company Vice President Mike Weber said the EAC standards, used to certify voting machines, “cover the essentials of security, but adherence to the standards doesn’t prevent them from being subverted.” Weber called for “a requirement for this level of extensive testing – as alluded to in Section 8 of the Secure Elections Act, ‘Hack the Election,’ which suggests a bug-bounty-style program to leverage the security community to help find ways to secure these systems.”

The machines and devices tested came from a variety of manufacturers. Coalfire assessed the gaps in the current VVSG 1.1 standard. The company also looked at other cybersecurity vulnerabilities that exist in end-to-end voting, including voter registration systems, network infrastructure, and election staff, who could become victims of social engineering.
