Researchers fear Georgia special election still vulnerable.
Researchers fear Georgia special election still vulnerable.

Several security vulnerabilities in systems used to manage Georgia's election technology, exposing the records of 6.7 million voters months before the nation most expensive House race slated for June 20, has raised the fears that the election could be disrupted.

Although 29-year-old security researcher Logan Lamb spotted and reported the vulnerabilities in August 2016, he said the state has continuously ignored efforts to patch the vulnerabilities of Georgia's special election between Democratic candidate Jon Ossoff against Republican former Secretary of State Karen Handel, according to Politico.

Lamb began looking into the voting systems when he learned that Kennesaw State University's Center for Election Systems tests and programs voting machines. He began looking for PDFs or documents that would give him more insight into the centers work when he set up an automated script to scrape the site and see what he could find.

The script ended up returning 15 gigabytes of data including a database containing the state's 6.7 million voter registration records, multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day, and software files for electronic devices used by the state's poll workers to verify that a voter is registered before allowing them to cast a ballot.

The data was supposed to be behind a password protected firewall but the center misconfigured the server so that the files were accessible to anyone and the site was also using an outdated version of Drupal containing a critical vulnerability dubbed “Drupageddon.” 

The bug would allow an attacker to gain control of any site containing the vulnerability and it is unclear if any of these vulnerabilities have already been exploited before or after Lamb's discovery. Lamb reported the issues to the executive director at the center who told him the server would be fixed.

However, in March 2017 another independent researcher Chris Grayson discovered that although the Drupal vulnerability had been patched for the encrypted https version of the website, the unencrypted http version was still vulnerable and all of previously discovered data was still accessible. Following March incident, the center was forced to bring in outside security experts to assess its networks and advise it on how to secure firewall installation and network configuration the center, according to emails obtained by Politico.

The investigation revealed other security malpractices leading critics to say the center couldn't be trusted to properly secure the information. Last month, The Rocky Mountain Foundation sued the state to prevent it from using the voting machines in the upcoming election.

“While it is impossible to know the motivations of the officials at KSU's Center for Election Systems in leaving Georgia's elections completely exposed to malicious threats, it is likely that it is a combination of inadequate expertise, and the misplaced confidence that attacks are unlikely in a state that is not a swing state,” the foundation's executive director Marilyn Marks told SC Media. “While Merle King, Executive Director of CES, claims that the election system is ‘air-gapped,' he fails to disclose that the system, including vote tabulation databases, is exposed to cyber attack through counties' repeated use of the same flash drive to move election night tabulation interim iterations to the election night reporting application on the web.”

Other security pros expressed their concerns about the lack of reliability in the systems and voting machines used by the state. The lack of oversight even after the center was notified of the network vulnerabilities is astonishing, FFRI CEO Pablo Garcia told SC Media.

“There is a good chance the network was compromised and there is a good chance the network is currently compromised,” FFRI CEO Pablo Garcia told SC Media. “And most likely still vulnerable to attack.”

Garcia added situations like this are needed to make the necessary changes in the failing process. Other researchers expressed discontent in the overall lack of transparency in the voting technology as well.

“Georgia's reliance on touch-screen voting machines is a problem - there is no transparency of the machine's source code and no way to check whether votes were correctly counted since there is no paper trail,” Electronic Privacy Information Center Chief Technology Officer and Policy Director Caitriona Fitzgerald told SC Media. “The 2016 election taught us that state and federal election officials must constantly work to ensure that our voting systems are secure against the latest cyber threats.”

Fitzgerald went on to say state and local governments, on average, spend approximately 2 percent of their  IT budgets on security and that until sensitive data is impacted, it can be difficult for the security teams to get the funding they need.

"Until sensitive data is impacted, it can be difficult for the security teams to get the funding they need," National Cyber Security Alliance Director of Special Projects and Government Affairs Kristin Judge told SC Media. "NCSA works to educate elected officials on their role in budgeting and policy that impacts security. Incidents like this will help move us in the right direction."

There may be hope that situations like this and the recent revelation of the Russian hackers breached voting systems in at least 39 U.S. states will result in action. When asked if he thought if situations like this could spark more efforts to improve security, Joseph Kiniry, founder of the election technology company Free & Fair, said there's a possibility for change.

“At least on the ground with regards to elections integrity folks and amongst forward-thinking state and national legislators (at least, on the left),” Kiniry said. “But practically, given the current leadership at the state level in GA and at the national level, there is a near-zero chance that there will be any legislation or funding to help this state of affairs.”

Kiniry added that to admit the technology that has already been purchased and used is vulnerable would be politically problematic and would have bad optics.