By Guy Page

On September 28, software engineer Jon Lynch of Colchester expressed concern to state officials that the voter portal on the Vermont Secretary of State website was vulnerable to cyber-theft, including voters’ name, email address, hometown, date of birth, drivers’ license number, and social security number. In response, a security measure was added, both the Secretary of State’s office and Lynch have confirmed.

Cybertheft of voter information became front page news Wednesday, October 21 when the FBI and senior intelligence officials announced that Russia and Iran had stolen vital U.S. voter data from election websites and will use it to sow disinformation leading up to the Nov. 3 general election.

Jon Lynch of Colchester

On September 28, Lynch – a candidate for the Vermont House from Colchester – telephoned me for advice on how best to share with state officials the information that hackers could easily bypass minimal security measures and access voters’ personal information on the My Voter Page, the voter portal on the Secretary of State’s website. Using fairly simple, known “hacker” software and techniques, thieves could have stolen all of the personal information required by the portal: name, hometown, DOB, license number/social security number. Hackers could also learn if ballots had been sent via U.S. mail.

The My Voter Page does not contain personal information such as bank/credit card numbers, party affiliation, or how a person voted. Such information, therefore, was never at risk.

But even the available data in the hands of skilled cyber-thieves is potentially catastrophic. Lynch knew he had to act. He had already sent an online message to the Secretary of State’s Office. There was no response. Not knowing anyone at the Secretary of State’s Office, he called me as someone familiar with state government. We agreed to not “go public” with the problem. Instead, we presented the problem to Deputy Secretary of State Chris Winters and Director of Elections Will Senning. I “introduced” the three men via email and briefly described the problem in layman’s terms. Lynch then explained the problem (reprinted below from 9/28 email) to Winters and Senning in considerably more detail:

When I noticed (back in late May or June) that the MVP page was using just SSN4/DOB [editor’s note: last four numbers of social security number/date of birth] as an authentication mechanism, I submitted a notification to you via your contact page, but received no response. Just recently I went back to the page to check my own mail-in ballot status and noticed the security issue still has not been addressed, so I’ve done some more research over the last 24 hours and discovered the problem is far worse than I expected. Hence my reaching out again.

To add some more details to Guy’s description… You have a completely public, unsecured endpoint at: https://mvp.vermont.gov/Security/GetVoterId. This endpoint authenticates a user by just Name, Town, DOB and SSN4. The problem, of course is that Name, Town and DOB are common enough to be considered public information, and there are only 9999 possible combinations of SSN4.

Further, there is no bot detection on that endpoint, so it can be used to gain access to any Vermont My Voter Page using a simple brute-force attack. A distributed attack could easily hack all Vermont voter pages in a matter of minutes.

The security token you are using is weak, inadequate and re-issued with every visit to the page if not supplied.

Once access to a voter’s MVP age is acquired, all the voter contact information is displayed along with their historical ballot information. There is also the ability to “Update Voter Record” which could be used to wreak havoc by submitting random updates to thousands of Vermonter’s voter records.

Lynch’s use of the term “bot detection” refers to basic cyberprotection software which detects activity by a task-driven software program or “bot” trying to (for example) quickly input publicly-available names of voters and then, for each name, find the last four digits of the social security number by running the 9999 possible combinations. Such data entry and harvesting take mere seconds for a “bot” software program.

Winters responded on September 28: “Thank you for bringing this to our attention. I would be surprised if we had this vulnerability given that we perform annual penetration tests and have been focused on cybersecurity, especially in the last four years. That said, we certainly want to investigate and are doing so now.”

During subsequent exchanges, Winters said the problem was being reviewed by in-house and third-party IT experts. On October 1 he emailed: “We have put into place solutions to prevent the unwanted activity on our website you brought to our attention. Election security has long been a priority for us and we take it seriously. Thank you for understanding that we had to complete our due diligence, which is why we needed to take the time to engage our security team to test the information you have provided. At this time we are confident in the security solutions we have in place.”

Tests run by Lynch subsequently confirmed that bot detection has been added to the voter portal. Only time will tell how safe is the portal from cyber-theft. He recommends an additional layer of security – such as personal password protection, the effective if annoying method used for example to secure online banking and social media accounts.

Read more of Guy Page’s reports. Vermont Daily is sponsored by True North Media.