How Easy Is It to Hack a Voting Machine?

Voting booths at a New York City Board of Elections voting machine facility warehouse, the Bronx, New York, November 3. Drew Angerer/Getty Images

FBI Director James Comey believes the U.S. voting system is so "clunky" that it is immune to hacking, but a new security vulnerability in voting machines used in over 100 counties is calling these claims into question.

Researchers at security firm Cylance discovered the issue with the Sequoia AVC Edge machine, which is used in Arizona, California, Illinois, Missouri and Washington, as well as vital swing states Colorado, Nevada and Wisconsin. In total, the machines are expected to be used by more than 8 million registered voters.

The problem relates to the 16MB Compact Flash card that each AVC Edge machine relies upon. The card can be easily removed, modified and replaced for the purpose of modifying voter counts.

"After about four days and about $25 worth of hardware we had the machines spitting out results that cannot be technically refuted," Ryan Smith, vice president of research at Cylance, tells Newsweek.

"It is an odd state of affairs when the technology in your phone is so strong that the FBI, with an $8.3 billion budget and months of work, cannot find a way into the machine protecting your text messages, yet the machines protecting our democracy can be foiled with just $25 in 32 hours."

In exposing the latest vulnerability, Cylance also revisited issues with the machines that researchers had previously uncovered. Its findings showed that many of the problems were still present, including the ability to fully reset the machine.

To take advantage of these vulnerabilities, hackers would need physical access to the machines and would have to coordinate an on-the-ground effort. Cylance has received criticism for disclosing the vulnerability so close to the election.

"This disclosure seems political in nature," bug-bounty expert Katie Moussouris told The Verge. "Releasing this publicly, after DHS and states have been aware of these types of attacks for years, only serves to fuel the fires of doubting the election results."

In response to such criticism, Smith says: "We followed a coordinated disclosure process in the hopes that if the public is able to see these machines spit out incorrect results at a time when the election is in the forefront of our minds, something can be done about these decades-old vulnerabilities."

As a short-term mitigation, Cylance suggests that due diligence be exercised at polling places and with volunteers. In the long term, Cylance says, it is necessary to phase out the insecure machines altogether.