Voting machine vendors and election officials have long insisted that no one can manipulate voting machines and ballots because tamper-evident seals used to secure them would prevent intruders from doing so without anyone noticing.
But a security researcher in Michigan has shown in videos how he can defeat plastic security ties that counties across his state use to protect ballot bags, the cases that store voting machines and the ports that store the memory cards on optical-scan machines—electronic voting machines that record paper ballots scanned into them. He can do so without leaving evidence of tampering. If an intruder obtains physical access to the machines and this port, it's possible to alter software in the machines using a rogue memory card—something that security researchers at Princeton University demonstrated in the past is possible.
Matt Bernhard, a grad student at the University of Michigan and voting machine security expert, posted two videos online last week showing how he can open different types of plastic tamper-evident ties used in Michigan in just seconds, using a shim crafted from an aluminum Dr. Pepper can. By simply curling a small piece of the aluminum around a plastic zip tie and slipping it into the channel that encases the tie, he's able to open the security device and re-close it, while leaving no marks or damage to indicate it was manipulated. He demonstrated the technique on smooth plastic ties as well as zip ties.
This isn't the first time someone has demonstrated how to defeat such ties. A presentation at the DEF CON hacker conference in 2011 also showed how to subvert some of the same types of security ties, as well as metal tamper-evident ties and security stickers.
Bernhard, who is an expert witness for election integrity activists in a lawsuit filed in Georgia to force officials to get rid of paperless voting machines used in that state, said the issue of security ties and seals came up in the lawsuit earlier this year when Fulton County Elections Director Richard Barron told the court that his Georgia county relies on tamper-evident metal and plastic ties to seal voting machines and prevent anyone with physical access to the machines from subverting them while they sit in polling places days before an election.
"I've heard a lot of election officials claim that the voting machines are safe because they're not connected to the internet and because they're sealed with tamper-evident seals," Bernhard said. "But the seals aren't tamper-evident… I don't think election officials have ever thought about how their seals could be tampered with without their knowing."
A spokesman for Michigan's secretary of state downplayed Bernhard's videos.
"The seal that is shown in the video was not affixed to anything, and the video does not represent a real-world scenario of how seals are used and affixed," spokesman Fred Woodhams said in an email to Motherboard. "The video also provides no context about the sum total of security measures for tabulators and sealed ballot containers, which are stored in locked area within a clerk’s office, among other security measures that help prevent election tampering. I would note that the sealed ballot containers store ballots that already have been counted."
Bernhard, however, said that although voting machines may be locked when they are stored in the county clerk's building, they are left unattended for days at polling places—high school gyms, churches, and community centers—prior to elections. Often times they're left out in the open or in rooms that don’t have locks. Even when they are stored in rooms that have locks, those locks can be defeated as easily as the seals. And although some of these facilities may also be monitored by surveillance cameras, cameras can be defeated as well he notes.
"Seals [and ties] make machines a little bit more secure because attackers have to do a little more work [to get to the machines]," he said, but not much. Even more advanced tags made from steel can be defeated, though it might take a little longer to do so. "It takes 5 minutes vs, 20 seconds [for the plastic ones]," he said.
He noted that defeating ties and seals in non-tamper-evident ways isn’t the only method to wreak havoc on an election in Michigan. The state has a unique law that prohibits ballots from being used in a recount if the number of voters doesn't match the number of ballots cast at a precinct or if the seal on a ballot box is broken or has a different serial number than what it should have. Someone who wanted to wreak havoc on an election or alter an election outcome in Michigan could purposely tamper with ballot box seals in a way that is evident or simply replace them with a seal bearing a different serial number in order to get ballots excluded from a recount. The law came into sharp relief after the 2016 presidential election when Green Party candidate Jill Stein sought to get a statewide recount in Michigan and two other critical swing states and found that some precincts in Wayne County couldn't be recounted because the number of voters who signed the poll books—which get certified with a seal signed by officials—didn't match the number of ballots scanned on the voting machines.
Bernhard obtained one of the plastic seals used in his video from an election official in Washtenaw County where he is serving as a volunteer poll worker. "I had poll worker training and I asked the trainer if I could take one [of the tags] home, and he said sure," Bernhard told Motherboard. But these and other seals used in Michigan can be purchased by anyone from an election supplies website.
A handy chart posted on the secretary of state's website lists all of the seals and certificates Michigan uses to secure and track election equipment and ballots, along with a description of what each item is used for as well as pictures showing how they look. The state has also posted a number of videos online showing how election officials use the devices to secure ballots, memory cards, and other equipment.
Bernhard was able to order two other types of election seals listed on the Michigan website, as well as several paper seals, tamper-evident stickers, and election certificates through Election Source. The Michigan-based company provides equipment and supplies primarily to that state, but also to jurisdictions outside Michigan. It sells voting machines, election-management software, security seals, and forms election officials use for tracking paper ballots, certifying that seals on voting machines and ballot boxes are properly affixed, and for canceling the registration of individual voters or transferring their registration to another jurisdiction.
Bernhard said Election Source didn't ask him why he needed the items or conduct due diligence to ensure it was only selling to authorized election officials. Election Source didn't return a phone call seeking comment about procedures for ensuring that only authorized election personnel can purchase security seals and other official election supplies.
Susan Greenhalgh, policy director at the National Election Defense Coalition, an election integrity group, said Bernhard's videos and collection of seals and certifications from Election Source show why election officials shouldn't rely on the physical security of voting machines to protect them and the integrity of elections. The only way to ensure the integrity of an election, she told Motherboard, is through paper ballots and manual audits of those paper ballots after each election.
"Cyber security expert have long insisted that resilience against cyber attacks in the form of paper ballots and post-election audits is the only way to ensure elections are not manipulated," she said.