Virginia just decertified its most hackable voting machines

Following a vote on Friday by the Virginia State Board of Elections, the state will take decisive action to ensure the integrity of its voting machines. Virginia’s election supervisors have instructed 22 localities to abandon their existing machines immediately, citing risks inherent in the way they record votes.

“The Department of Elections believes that the risks presented by using this equipment in the November General Election are sufficiently significant to warrant immediate decertification to ensure the continued integrity of Virginia elections,” Department of Elections Commissioner Edgardo Cortés said in a memo accompanying the decision.

Notably, the Virginia Department of Elections cited security research from the most recent DefCon in its decision:

“As security threats against election systems have increased, the Department has grown more vigilant regarding potential threats against voting equipment. In this environment, DefCon, an annual conference of hackers, promoted the ‘Voting Machine Hacking Village’ at which multiple voting machines, mostly DREs, were made available. Multiple types of DREs, some of which are currently in use in Virginia, were hacked according to public reports from DefCon.”

The central issue is that Virginia’s touchscreen equipment, known as direct-recording electronic (DRE) voting machines, did not produce a paper trail — one of the most robust, if old-fashioned, safeguards against potential vote tampering. Verified Voting, an organization that monitors voting equipment, explains how these machines work:

“… Using one of three basic interfaces (pushbutton, touchscreen or dial) voters record their votes directly into computer memory. The voter’s choices are stored in DREs via a memory cartridge, diskette or smart card and added to the choices of all other voters. An alphabetic keyboard is typically provided with the entry device to allow for the possibility of write-in votes, though with older models this is still done manually.

DRE systems can be distinguished generally by the interface through which the voter indicates her selections… Some DREs can be equipped with Voter Verified Paper Audit Trail (VVPAT) printers that allow the voter to confirm their selections on an independent paper record before recording their votes into computer memory.”

Because they can’t be checked against a paper record, these voting systems make it almost impossible to detect suspicious activity. As the description above notes, some DRE machines are paired with an additional device that can record votes to paper, but Virginia’s systems did not have this additional security measure.

The decision comes in time to secure the state’s voting systems before its upcoming state and governor’s races on November 7.