Two days before the midterm elections, a series of security vulnerabilities have been discovered that would allow even a low-skilled hacker to compromise Georgia’s voter registration system and, in turn, the election itself. It is not known how long these vulnerabilities have been in place or whether they have already been exploited.
Just before noon on Saturday, a third party provided WhoWhatWhy with an email and document, sent from the Democratic Party of Georgia to election security experts, that highlights “massive” vulnerabilities within the state’s My Voter Page and its online voter registration system.
According to the document, it would not be difficult for almost anyone with minimal computer expertise to access millions of people’s private information and potentially make changes to their voter registration — including canceling it.
In this election and during the primaries, voters have reported not showing up in the poll books, being assigned to the wrong precinct, and being issued the wrong ballot.
All of that could be explained by a bad actor changing voter registration data — and at this point there may be no way of knowing if that happened.
It is not clear what impact — if any — this will have on Tuesday’s elections, or what it has had on early voting. Voters should still go to the polls and, if they are encountering problems, ask to cast a provisional ballot as is their right.
WhoWhatWhy contacted five computer security and election systems experts to review the document.
None of these cyber security experts tested the vulnerabilities described, downloaded any files, or altered any data.
All five noted that testing these vulnerabilities without permission would be illegal.
Instead, several logged onto the My Voter Page to look at the code used to build the site — something any Georgian voter could do with a little instruction — and confirmed the voter registration system’s vulnerabilities.
They all agreed with the assessment that the data of voters could easily be accessed and changed.
“For such an easy and low hanging vulnerability to exist, it gives me zero confidence in the capabilities of the system administrator, software developer, and the data custodian,” Kris Constable, who runs a privacy law and data security consulting firm, told WhoWhatWhy. “They should not be trusted with personally identifiable information again. They have showed incompetence in proper privacy-protecting data custodian capabilities.”
As secretary of state, Kemp is the data custodian, meaning he is responsible for the security of voter information. The system administrator works for Kemp and the software developer is a private contractor hired by Kemp’s office.
Kemp is the Republican candidate for governor in Tuesday’s election.
Because this story came together overnight, many of the state officials WhoWhatWhy has reached out to have not gotten back to us. We will update this story when they do. WhoWhatWhy also has additional information on these vulnerabilities that we will publish as quickly as possible.
Update (9:00 AM):
Following publication of WhoWhatWhy’s article, the secretary of state’s office announced that it is investigating the Democratic Party of Georgia:
“While we cannot comment on the specifics of an ongoing investigation, I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes,” said press secretary Candice Broce. “We can also confirm that no personal data was breached and our system remains secure.”
However, prior to that statement being released, the computer security experts WhoWhatWhy contacted said that the vulnerable systems did not have security mechanisms to track changes. This raises questions about the statement from Kemp’s office.
In addition, the Democratic Party of Georgia at that time had already contacted computer security experts and notified them of the vulnerability.
Update (9:35 AM):
In response to the views of the security experts that such a breach and any damage caused as a result could not be tracked, Broce told WhoWhatWhy. “They know nothing of our security measures. They are wrong.”
Constable anticipated this response from Kemp’s office on Saturday when WhoWhatWhy spoke with him.
At the time, before the publication of this article and before Kemp’s office publicly announced its investigation, Constable noted that, in the United States, both private industry and the government have a long history of attacking the people who find insecurities in computer systems.
Instead of holding the custodian of the data responsible for not protecting it, the people who find the flaw are attacked, he said.
“How many unreported security vulnerabilities exist in the US government today because of the risk of doing research on them, as opposed to the bad guys who are exploiting these vulnerabilities because they continue to go unaddressed?” Constable asked.
The United States does not have a privacy law to enforce strong security of personally identifiable information and there is no legal mechanism to punish data custodians who leave private citizens’ data unprotected, Constable noted.
“Vulnerable systems will continue until there are repercussions for the custodian, such as whoever is responsible for this system,” Constable said, referring the the major security gaps in the My Voter Page and the voter registration page.
Update (10:30 AM):
What Kemp’s office is doing is disingenuous, Bruce Brown, lawyer for the nonprofit Coalition for Good Governance asserted.
Brown noted that, at 7:03 PM last night, he had emailed John Salter and Roy Barnes, former Governor of Georgia, in their capacities as counsel to Secretary of State Kemp, to notify them of the serious potential cyber vulnerability in the registration files that had been discovered without any hacking at all.
Brown also told Kemp’s lawyers that the information had already been forwarded to national intelligence officials.
The Coalition for Good Governance, an election security advocacy group, has sued Georgia multiple times over the vulnerability of its systems.
“We have seen, unfortunately, that we were too correct in our allegations and Judge [Amy] Totenberg was too prescient in her concerns about the system,” Brown said. “That Kemp would turn this around and blame other people for his failures is reflective of his complete failure as Secretary of State.”
Judge Totenberg had recently ruled that there was not enough time for Georgia to switch to paper ballots — widely seen as a more secure voting method — but expressed grave concerns over the security of the state’s elections.
“What is particularly outrageous about this, is that I gave this information in confidence to Kemp’s lawyers so that something could be done about it without exposing the vulnerability to the public,” Brown told WhoWhatWhy. “Putting his own political agenda over the security of the election, Kemp is ignoring his responsibility to the people of Georgia.”