America was getting on top of its electronic voting machine security – then suddenly... A wild pandemic appears

Black Hat Just as America was getting a grip on improving the security of its electronic ballot boxes, the coronavirus pandemic hit, throwing a potential surge in remote voting unexpectedly into the mix, the Black Hat hacking conference was told today.

In his keynote address to the now-virtual infosec confab, Georgetown Professor Matt Blaze said election officials will likely have to deal with a larger-than-normal number of citizens voting by mail, rather than in person, and all that entails, as people are encouraged to socially distance and stay away from crowds to curb the COVID-19 virus outbreak.

"Election security at the beginning of the year was just a matter of getting it implemented. There was reason for optimism," said Prof Blaze. "Then the pandemic came along and that added a whole new set of concerns that were always there, but got brought sharply into focus."

Professor Matt Blaze ... Source: Black Hat live stream.

Previously, Blaze – an NSA-bothering voting-machine prober and Tor Project chairman-of-the-board – had focused much of his research on the security of electronic polling booth systems. He led the charge in setting up the DEF CON voting village in which machines were physically taken apart and scrutinized for exploitable flaws.

The outbreak of coronavirus, however, has shifted Blaze's gaze to absentee voting systems, which pre-COVID-19 weren't such a high priority.

The big issue, said Blaze, is how officials will handle a large number of citizens wanting to vote by mail rather than queue up in person. The professor pointed out that while some states and towns are well-adapted to voting by mail – Oregon, for example – others are going to face a learning curve in handling such basics as printing enough mail-in ballots.

There's been a lot of noise from the Trump administration about voting by mail and absentee ballots, so here's a primer for those unaware of how it works. It varies by state, but generally speaking, if you want to vote by mail, you apply to receive an absentee ballot and if successful, you complete the ballot and mail it back, and that casts your vote. Some states – Washington, Oregon, Colorado, Utah, and Hawaii – send out ballots in the mail automatically for people to fill in and post back, or drop off at a voting box.

Over the past two decades, more than 250,000,000 votes have been cast by mail, with just 1,285 proven cases of voter fraud resulting in 1,100 convictions, according to the conservative Heritage Foundation. For more details on mail-in and absentee voting, see here and here. The US Postal System claimed it has the capacity to handle a flood of mailed votes.

The paperwork load involved is admittedly non-trivial. The presidential election this November will be held alongside voting for state and city measures, and in 2016, for example, there were 178,217 different ballots in use throughout the country, Blaze said.

"We need to prepare for a number of scenarios that may not come to fruition," said Prof Blaze. "It is likely that most jurisdictions are not going to have the funding or other resources to do this."

The infosec guru also repeated his call for the hacking community to step in. He wants many of the same folks who cracked open voting machines in years past to volunteer their services to local polling places. "This community is precisely the one whose help is going to be needed by election officials," said Blaze. "I think we can do this, but we have to want to. We all have to take responsibility for this."

Incidentally, election equipment maker ES&S hopes to tap up security experts via the online Black Hat conference this week to test and improve its machines' defenses.

Oh, and there was bad news for blockchain fanatics: Prof Blaze said it wasn't really suitable for election security at the moment due to its complexity. It appears many of the keynote's viewers disagreed. ®