Four election vulnerabilities uncovered by a Michigan Engineer

The work of J. Alex Halderman, a professor of computer science and engineering, has made the United States election system more secure—largely by uncovering vulnerabilities in equipment like voting machines and ballot scanners, and by advocating for best practices and technological advances.

Along the way, he has also run up against the limitations of our elections systems, and even resistance from technology vendors and election officials. Ironically, his work has also been used to prop up false theories about fraud in the 2020 presidential election. (For his thoughts on this, read the Q&A with Michigan News.) 

Here are some of the key ways Halderman’s work has helped to strengthen election integrity in the U.S.

Generating a paper voting record

Georgia

Challenge

In 2017, Georgia was one of only a few states that still used paperless electronic voting machines statewide. These don’t give voters a way to ensure that their selections were recorded accurately or provide a physical record, which could be needed to rule out suspected electronic fraud.

Solution

Halderman’s research helped spur a lawsuit filed by the Coalition for Good Governance, a nonpartisan, nonprofit advocacy organization, and a handful of individual Georgia voters. Halderman testified as an expert and demonstrated on the witness stand how the machines could be hacked to steal votes. As a result, Georgia replaced its machines with new ones that produce a paper record. Manufactured by Dominion Voting Systems, the machines were installed in time for the 2020 presidential election.

Federal court ruling prohibiting Georgia from continuing to use paperless voting (PDF)

Patching software vulnerabilities

Georgia

Challenge

Rather than using hand-marked ballots like most states, Georgia’s new system uses a machine to print voters’ completed ballots, which encode the selections in a barcode that voters have no way to verify. When Halderman examined these machines after a federal court granted him access in 2020, he found that it was possible for a hacker to change the votes encoded in the barcode, even without physical access to the machines. The risk increased after January 7, 2021, when confidential election machine software and data from Coffey County, Georgia was illicitly copied and disseminated. 

Solution

After Halderman’s court testimony and 96-page report, Dominion Voting Systems developed a patch for several of the software vulnerabilities he discovered.

However, Georgia election officials have not implemented the fix. Secretary of State Brad Raffensberger, who has announced that the machines will not be updated until after the 2024 presidential election, described the risks Halderman identified as “theoretical and imaginary.” While a report commissioned by Dominion from the national security nonprofit MITRE argued at the time that the attacks were infeasible as long as physical security was sufficient to prevent access to the machines, the Coffee County incident later showed that such access is, in fact, possible. 

In-depth explanation on Freedom to Tinker

Making voting machines more reliable

Michigan

Challenge

In November 2020, election officials in northern Michigan’s Antrim County published incorrect vote totals in their initial counts, which were later corrected. Halderman investigated at the request of the Michigan secretary of state and attorney general and found no evidence of fraud. Instead, he discovered that a chain of human errors and insufficient software guardrails led to an incorrect ballot scanner configuration, producing the erroneous results.

Solution

Since the investigation, Halderman’s team has devised a way to bring tests of election election equipment, a process known as logic and accuracy testing, into the 21st century. The ways electronic voting machines can introduce errors are more complex than the obsolete mechanical voting machines for which existing testing methods were designed. Now, software developed by Halderman’s team thoroughly checks the system’s configuration in the smallest possible number of ballots, making the process comprehensive but still manageable for election officials. It has recently been piloted in several Michigan counties and Halderman is hopeful that it will be ready for use statewide before the upcoming election.

Paper on investigation for USENIX Security Symposium, 2022 (PDF)

Logic and accuracy testing for 21st century Michigan (PDF) (to appear in Operations Research, 2024)

Securing voters’ privacy

21 states

Challenge

Many municipalities publish ballot-level voting results online—either as ballot scans or lists of votes cast—to promote transparency. The data is randomly shuffled to protect voters’ identities. However, Halderman’s team found a vulnerability in certain Dominion Voting Systems ballot scanners that could un-shuffle the ballot information and reveal who cast what votes, which they detailed in a study published in August 2024. 

Solution

Halderman’s team reported the flaw to federal authorities and Dominion, which developed a software patch in response. His team also developed an open-source software tool and detailed instructions to help municipalities sanitize the data so that it is safe to make public.

Paper about the flaw for USENIX Security Symposium, 2024 (PDF)

Related Stories