Vermont town clerk not told about vote tabulator machine vulnerabilities

Editor’s note: This article by Bruce Parker originally published Sept. 22, 2016, on

Vote tabulation machines can be hacked to switch votes without officials knowing it, but one town clerk in Vermont says she’s never heard of the vulnerability and received no guidance from the Secretary of State’s office for how to spot it.

As states prepare for the upcoming presidential election, cyber attacks have federal and state leaders on high alert.

The FBI, CIA, NSA and Department of Homeland Security are investigating high-profile data breaches of state election systems, and secretaries of state in all 50 states are communicating with feds about how to prevent a hacked election.

So far, nine states have requested that Homeland Security scan their electronic election systems following cyber attacks on Arizona and Illinois. In Vermont, Secretary of State Jim Condos has been on the lookout for hacker IP addresses sent from the FBI in August.

Condos launched a cyber-risk assessment of all systems as early as 2013. That assessment involves “penetration testing” from an out-of-state company, in partnership with a Vermont contractor that has a Department of Defense security clearance.

But Vermont’s cybersecurity assessment appears to have overlooked at least one well-known vulnerability.

According to computer science experts speaking out in high-profile interviews and online videos, AccuVote tabulators at the center of most state voting systems are easy to hack, and poll workers have no way of spotting it until after Election Day.

In this video, Princeton University computer science professor Edward Felten demonstrates how hackers can make AccuVote machines switch votes by putting malicious software on the unit’s removable memory card.

According to Felten, the hack is invisible to election officials — not even pre-election “logic and accuracy” tests can spot it. That’s because hackers know how to program their code to switch votes on Election Day only, and to delete itself afterward.

Pam Kingman, town clerk in New Haven, says she is unaware of the machines’ vote-switching vulnerabilities.

“It’s my first time hearing about it,” Kingman told Vermont Watchdog.

It probably shouldn’t be.

Town clerks are the first line of defense against election fraud. These key election workers are trained to run a smooth election, and they learn important protocols to help prevent voter machine and ballot tampering.

New Haven, a small rural town of 1,300 registered voters, has one AccuVote-OS machine. It was purchased around 2008 with federal money appropriated by the Help America Vote Act.

Kingman says the maintenance of the machine, including programming of the all-important memory cards, is managed by a relatively unknown third-party company. LHS Associates, a private company located in Salem, N.H., programs memory cards for all AccuVote tabulator units in New England.

“They come every year, probably every six months. LHS does maintenance to it — batteries, checks everything,” she said.

The memory cards, which LHS provides to town clerks about four weeks before the election, are sent by certified mail and are to be placed in a secure vault.

Next, 10 days before the election — Oct. 29 this year — Kingman and other town clerks must test the memory cards using clearly marked official test ballots. If something goes wrong during the logic and accuracy test, the officials have time to get service from LHS and perform a retest.

“We run sample test ballots through the machine and then verify that it’s accurate,” Kingman said. “So, I’m sure if they weren’t accurate it would show on the test run, if something was amiss.”

Not so, according to Felten.

The Princeton professor says poll workers get a false sense of security from pre-election test runs, including the logic and accuracy testing. He says hackers can program malicious software to execute only after the tabulator is set into “election mode,” after logic and accuracy tests are conducted.

If the memory cards have been hacked, according to Felten, false tallies will be recorded on AccuVote’s internal memory, the removable memory card and the paper tape printout.

Felten warns that the scam can happen right under everyone’s noses: “When the election ends, the vote-stealing software can delete itself from the voting machine — no evidence remains that the machine was ever hijacked, no evidence remains that any votes were stolen. As far as anyone can tell, the election was conducted fairly. But the result is fraudulent.”

Discrepancies between machines and hand-counted ballots were reported in the New Hampshire Democratic primary in 2008. In 2007, Connecticut passed Senate Bill 1311 — Public Act 07-194 — to address troubling differences between machine counts and hand counts in multiple races. Bernie Sanders supporters routinely criticized AccuVote machines during this year’s Democratic primary.

Fortunately, a hack can be spotted after the election using a manual hand-count audit of paper ballots. If a hand-count doesn’t match the machine results, a cyber attack has occurred.

Surprisingly, Vermont’s AccuVote guidance regarding Election Daychain of custody and logic and accuracy testing doesn’t tell town clerks how to conduct this important audit.

Condos nevertheless claims his office is conducting “a thorough cybersecurity assessment, including penetration testing for all data/systems.” He told Watchdog that the machines are safe from hackers since they are not connected to the Internet or to each other.

But Felten warned that a single hacker with access to memory cards can add malicious software to them, or insert a computer virus that spreads from one machine’s memory card to another machine.

When Watchdog asked Kingman how town clerks could defend against the possibility of hacked memory cards, she replied, “We’d have no control over it. We’re at the mercy of LHS, basically. We depend on them to program it.”

When Condos was asked who is conducting an assessment of LHS Associates, he replied: “I can’t tell you if there’s someone from the federal government that goes in and checks it — I don’t know that.”