As recently as 2014, you could drive into the parking lot at certain Virginia polling places, connect to the voting machines inside by wifi and have your way with the vote tallies.
That gaping hole in election security has been plugged. Virginia dropped these machines last year.
But with Republican presidential nominee Donald Trump suggesting the November election may be rigged, and security officials blaming Russia for a politically sensitive hack of the Democratic National Committee, election cybersecurity is getting a closer look.
The risks are real, experts say, though it’s another question how likely they are to happen.
Every machine susceptible
«It’s possible for a sophisticated attacker to hack the machines and start stealing votes,» says University of California at Berkeley computer science professor David Wagner.
Wagner worked on a 2007 statewide review of California’s voting system. «Every voting machine that’s been studied is susceptible,» he says.
«It would be challenging,» he adds. «It would require considerable technical sophistication. And it would require someone to be physically present in each county, tampering with at least one machine. This is not something that some random teenager can do over a weekend. It’s not something that can be done from across the world over the internet.»
But, he adds, «If you want to talk about a nation-state-level adversary, yes, they’re probably capable.»
Hard-copy ballots help
The best defense against fraud is a system that retains a hard-copy ballot, plus a post-election audit to spot-check for irregularities.
These systems are on the rise. This November, three-quarters of voters across the U.S. will cast ballots on systems that retain a hard copy of their choices, according to elections watchdog group Verified Voting. Twenty-six states mandate post-election audits.
But that means one-quarter are voting on systems with no paper copy, and nearly half of the 50 states don’t require audits.
Still, Wagner says, «at this point, I’m not alarmed.» While a lot more can and should be done to improve cybersecurity, he adds, «we’ve come a long way in protecting our elections.»
Locks and keys
If attackers want to hack voting machines, they’d have to get to them first. «Most of them are under lock and key,» says Denise Merrill, Connecticut Secretary of State and president of the National Association of Secretaries of State.
Usually under two keys, in fact — one for a Republican representative and one for a Democrat. Both are required to unlock the machine.
Local jurisdictions control their elections, and there are more than 7,000 jurisdictions nationwide, with widely varying equipment and procedures.
While that means widely varying levels of security, it also means an attack on one jurisdiction would not affect the others.
«Certainly, someone who is really determined and had a massive operation could perhaps do something,» Merrill says. «But even then, it would have to be in very specific places.»
Safety lies in awareness of risks
Verified Voting President Pam Smith says the focus on the risks in the election system is a good thing. She says more states are already moving toward paper ballots and increased physical security of voting equipment.
«I think what will happen as we go forward is that people will want to have any and every extra tool they can to eliminate any lingering concerns or questions that people might have,» she adds.
On a conference call Monday, Homeland Security Secretary Jeh Johnson offered state election officials help in finding and fixing election cybersecurity risks.
The department is considering designating election systems as «critical infrastructure,» placing them alongside the electrical grid, water systems and other sectors as essential to national security.
There’s one other check available to anyone concerned about election fraud, Smith adds. «It’s not too late to sign up to be a poll worker. You can learn more about it from the inside out and see what some of the safeguards are.»