The litany of confusion and missteps by Georgia’s state election officials took a bizarre turn this weekend when someone discovered a massive flaw in the state’s online voter registration system and instead of addressing the vulnerability, Secretary of State Brian Kemp — also the Republican gubernatorial candidate — accused Democrats of attempting to hack state servers.
A Canadian security researcher who reviewed the vulnerability told me the flaw was so trivial that “a 12-year-old could have discovered it.”
“It was a sequential number play,” said Kris Constable, who runs a Canadian-based privacy and security consulting company called PrivaSecTech.
(These are the kinds of issues we examine in my podcast Breach, a one-hour investigation into America’s fragile voting systems. Listen on iTunes or Stitcher; find out more here.)
Here’s an example of a sequential number flaw: in poorly configured systems, a user’s account number or other identifier is included in the URL when account information is shown. Without proper authorization checks, adding or subtracting from that number can reveal information from other accounts. Constable said that was essentially the vulnerability discovered on Georgia’s “My Voter” page.
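To make the flaw concrete, here is an added illustration (not code from the article or from any Georgia system) of the pattern Constable describes: a lookup that trusts the record number in the URL, beside a hardened lookup that checks the record belongs to the logged-in user, plus a small log check a defender could run to spot someone walking through identifiers in sequence. All records, users, addresses and log lines are constructed for the example; the `Request` object and `/voter/<id>` path are assumptions standing in for whatever a real web framework would supply.

```python
"""Sequential-identifier flaw (insecure direct object reference): vulnerable
lookup, hardened lookup, and a detector for enumeration in access logs.
Everything below is constructed sample data, not taken from any real system."""
import re
import secrets
from dataclasses import dataclass

# Constructed sample records keyed by a sequential integer id, as a poorly
# configured system might expose them in URLs such as /voter/1002.
RECORDS = {
    1001: {"owner": "alice", "name": "Alice Example", "precinct": "12A"},
    1002: {"owner": "bob",   "name": "Bob Example",   "precinct": "07C"},
    1003: {"owner": "carol", "name": "Carol Example", "precinct": "03B"},
}


@dataclass
class Request:
    user: str        # authenticated session user (assumed set by an auth layer)
    record_id: int   # value taken straight from the URL path


class AccessDenied(Exception):
    pass


def lookup_vulnerable(req: Request):
    """Returns whatever record the URL names. Nothing ties the id to req.user,
    so changing 1001 to 1002 in the URL returns someone else's record."""
    return RECORDS.get(req.record_id)


def lookup_hardened(req: Request):
    """Object-level authorization: the record must belong to the requesting user.
    Missing and foreign ids get the same response, so a caller cannot use the
    difference to probe which ids exist."""
    rec = RECORDS.get(req.record_id)
    if rec is None or rec["owner"] != req.user:
        raise AccessDenied("record not available")
    return rec


def make_opaque_index(records):
    """Defence in depth: map unguessable tokens to internal ids so URLs carry no
    sequential number. This complements the ownership check; it does not
    replace it, because a token can still leak or be shared."""
    return {secrets.token_urlsafe(16): rid for rid in records}


# Constructed access-log lines in common log format. The first client walks
# through consecutive ids; the second simply reloads its own record.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2000:10:00:01 +0000] "GET /voter/1001 HTTP/1.1" 200
203.0.113.5 - - [01/Jan/2000:10:00:02 +0000] "GET /voter/1002 HTTP/1.1" 200
203.0.113.5 - - [01/Jan/2000:10:00:03 +0000] "GET /voter/1003 HTTP/1.1" 200
203.0.113.5 - - [01/Jan/2000:10:00:04 +0000] "GET /voter/1004 HTTP/1.1" 404
198.51.100.7 - - [01/Jan/2000:10:02:10 +0000] "GET /voter/1002 HTTP/1.1" 200
198.51.100.7 - - [01/Jan/2000:10:05:11 +0000] "GET /voter/1002 HTTP/1.1" 200
""".splitlines()

LOG_RE = re.compile(r'^(\S+) .*"GET /voter/(\d+) ')


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(lines, threshold=3):
    """Return client addresses that requested at least `threshold` consecutive
    record ids, the signature of a sequential-number probe."""
    seen = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen.setdefault(m.group(1), []).append(int(m.group(2)))
    return {ip for ip, ids in seen.items()
            if longest_consecutive_run(ids) >= threshold}


if __name__ == "__main__":
    print("vulnerable, alice asks for 1002:", lookup_vulnerable(Request("alice", 1002)))
    try:
        lookup_hardened(Request("alice", 1002))
    except AccessDenied as e:
        print("hardened, alice asks for 1002:", e)
    print("clients enumerating ids:", flag_enumeration(SAMPLE_LOG))
```

The two lookups differ by one condition, which is the whole point: the hardened version refuses a record whose owner is not the session user, regardless of what number the URL carries. The log check is deliberately crude (a handful of consecutive ids from one address) but it is the kind of signal that would have surfaced the probing described in the article.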
He said that since Sunday’s initial story, he has seen evidence that the Georgia system is vulnerable to other simple attacks, too.
Constable said he did not test the vulnerability himself — doing so could be considered unauthorized access of a computer system, potentially a crime. Instead, he saw evidence of someone else demonstrating the technique.
Constable was one of five researchers contacted by website WhoWhatWhy.org, which first reported on the vulnerability, to review the details of the potential attack.
He did not know the identity of the finder, nor did he know if that person or group followed standard “responsible disclosure” practices to report the vulnerability — contacting the server’s administrator, for example.
“It was low-hanging fruit,” Constable said, so simple that “I wouldn’t even consider it a hack. The original finder was not necessarily sophisticated and (might not) have the expertise to know about responsible disclosure.”
UPDATE: The Atlanta Journal-Constitution published extensive email conversations between many of the parties involved here. They show that all the proper authorities, including the FBI and the Secretary of State’s office, were brought into the loop almost immediately when the flaw was found.
This is not the first time that Kemp has accused a U.S. organization of hacking Georgia election servers. Two years ago, Kemp accused the Department of Homeland Security of hacking state systems, alleging an “unsuccessful attempt to penetrate the Georgia Secretary of State’s firewall.” An inspector general’s report later found the accusations unfounded.
It is not uncommon in cybersecurity for a researcher who discovers and reports a vulnerability to be accused of illegal hacking. Researchers who find security flaws often have to engage in a difficult kabuki dance that involves sharing proof of the vulnerability without spooking system administrators into making accusations of unethical hacking.
Constable said he did not know anything about the identity of the person or group who found the flaw, but added “I’ve seen no evidence that opposing party” was involved. He said he is aware of speculation about the identity of finders, but did not make any attempts to verify their political affiliation.
Confusion over the reporting process for a security flaw is one possible explanation for what happened after the vulnerability was discovered; another is pure politics. On Sunday, Kemp’s office announced it was opening an investigation into the state Democratic Party, accusing it of trying to hack Georgia servers. The Abrams campaign immediately accused Kemp of abusing his power.
The secretary of state’s website published a four-sentence press release announcing what it called a “failed hacking attempt” and an investigation into the “Georgia Democratic Party.” There was no evidence or detail provided about the alleged hack.
A few hours later, in another four-sentence release titled “(Secretary of State) releases more details about failed cyberattack,” the agency provided no additional details about the alleged attack.
“I’m doing my job,” Kemp said on Monday. “This is how we would handle any investigation when something like this comes up. Because I can assure you if I hadn’t done anything and the story came out that something was going on, you’d be going, ‘Why didn’t you act?’”
Georgia’s election situation is complicated by the fact that the Republican candidate, Kemp, is the current secretary of state, and his office is responsible for running the election.
Georgia’s voting process has been under scrutiny by election hacking experts for some time. Earlier this year, two groups sued the state over its use of electronic voting machines that produce no paper record. Election security experts have long criticized the use of machines that create no paper trail, and thus cannot be audited; Georgia is one of a handful of states that have not yet abandoned paperless machines. In September, a judge ruled against Georgians for Verified Voting, saying the state didn’t have time to switch its voting machines before election day.
Georgia has also been faced with several voter registration controversies. Earlier this year, Kemp’s office tried to impose an “exact match” requirement on registration records and motor vehicle records that critics said could have made more than 50,000 voters ineligible. A federal judge ruled on Friday against part of the exact match requirement. The ACLU has also sued the state over a new “signature match” requirement.
Georgia was also criticized for refusing federal help in securing its election systems.
Constable used the incident to shed light on the problem of responsible disclosure in the tech industry. He pointed out, for example, that researchers like him face potentially steep consequences for examining vulnerable systems (so do reporters who might look to verify the information).
“Why is there more risk for researchers and journalists than the data custodians for such disclosures?” he said.