A program overseen by the head of President Trump’s so-called “election integrity” commission—which is now largely a tool for driving conspiracy theories about “massive voter fraud” in the United States—is placing the personal data of millions of American voters at risk, according to internal records and security experts who examined the program at Gizmodo’s request.
The stated purpose of the program, known as the Interstate Crosscheck System, is to identify potential duplicate registrations among states and provide evidence of possible double voting. It does not work.
According to records recently released by states participating in the program, which has been administered since 2011 by Kansas Secretary of State Kris Kobach, Crosscheck has collected nearly 100 million voter records in 2017 alone. Though its methods have been roundly debunked by academics and election experts, 28 states took part in the Crosscheck program this year.
It would be difficult to overstate Crosscheck’s carelessness when it comes to handling voter records. While officials in charge have promised the program’s data security practices are up to snuff, it is all an illusion, a myth, a lie. To imply those overseeing the program have been grossly negligent would be, frankly, too kind. But that’s not too surprising.
Earlier this year, President Trump appointed Kobach vice-chairman of his “election integrity commission,” founded after the president repeatedly claimed that between 3 and 5 million people voted illegally in the 2016 general election, costing him the popular vote. (The claim is demonstrably false and otherwise absurd on its face.) Since taking office, the Trump administration has been pushing, essentially, to take Kobach’s flawed program and methodologies nationwide.
The commission is currently being sued by one of its own commissioners.
Gizmodo has learned, however, that the records passing through the Crosscheck system have been stored on a server in Arkansas operating on a network rife with security flaws. What’s more, multiple sets of login credentials, which could be used by virtually anyone to directly access the Crosscheck system—as well the encrypted voter data it contains—have been compromised.
Our investigation into the program builds on the work of ProPublica, which last month published a report describing multiple security flaws plaguing Crosscheck’s operations. Documents obtained under state transparency laws by the anti-Trump group Indivisible Chicago revealed that Crosscheck had emailed Illinois election officials both the username and password to the program’s FTP server—credentials that Illinois neglected to redact before releasing the emails publicly.
The emails further revealed that participating states had submitted millions of voter files to the Arkansas server using an unencrypted file transfer protocol. Gizmodo has learned that while some of the data sets were encrypted prior to being transferred, the passwords to decrypt three year’s worth of voter files, belonging to every state participating in Crosscheck, have likewise been exposed.
The internet address of the Crosscheck server was redacted in the Illinois records exposing the program’s login credentials. It was not redacted, however, in the emails of Idaho election officials released to Indivisible Chicago this month. On Monday, Gizmodo provided the server’s publicly available location to multiple security firms and requested an analysis of its vulnerabilities.
The results are troubling, to say the least. They not only confirm the findings contained in ProPublica’s report, but further reveal an alarming array of previously unreported weaknesses in the network hosting the Crosscheck server.
An ecosystem of insecurity
Crosscheck was launched by the Kansas Secretary of State’s office, which continues to run the program to this day. But, for whatever reason, before election officials in Kansas actually acquire any of the voter data, it is dumped onto a server maintained by the Arkansas Secretary of State’s office. According to security experts, the network on which the server sits is highly susceptible to attack. One of the researchers told Gizmodo with high confidence that infiltrating the network would likely take only a matter of hours.
Researchers at Netragard, a penetration testing company specializing in “realistic threats,” concluded that administrators overseeing the Arkansas server are likely deluded by a false sense of security. The firm’s CEO and managing partner, Adriel Desautels, said that “breaching these systems can likely be done by a novice hacker,” a conclusion he arrived at less than five minutes into examining the network.
“If the State of Arkansas hired us to deliver a penetration test, based on what we see here, we’d almost certainly be able to breach without them detecting us,” Desautels said. “In fact, we’re so confident in that, that we wouldn’t bill them if we failed to breach.”
In particular, the researchers found that a majority of the network’s SSL certificates are either self-signed or not trusted, leaving it vulnerable to man-in-the-middle attacks by hackers within proximity to the network. (SSL certifications are necessary to encrypt your data as it travels between a website and your browser.) Such an attack would in theory require only rudimentary hacking skills and could be used to compromise usernames and passwords, potentially granting access to confidential systems and files.
Both Netragard’s researchers and those at the cybersecurity firm Kromtech discovered “one or more” instances of remote desktop protocols operating on the network—services which used neither valid SSL certificates nor Dual Factor Authentication. “As a result, a spear phishing attack would likely enable an attacker to steal credentials and breach the network, or at the very least access restricted resources,” Desautels said.
The kind of attack Desautels is describing is similar to the sort that upended the Democratic National Committee last summer. More than 130 Democratic party employees were bombarded with malicious links using emails that appeared to come from Google, but were actually crafted by a persistent hacking group. In a “spear phishing” campaign, however, malicious emails are highly customized using names and other personal details to convince the target they’re communicating with someone they know.
None of the researchers actually accessed the Arkansas network. Instead, they conducted what’s called “passive reconnaissance,” meaning there was no hacking, testing, or offensive work being done. The information provided to Gizmodo was already in the public domain, and gathered using a variety of non-invasive tools. The passive nature of the analysis also means that it’s impossible to the know the full extent of the Arkansas network’s vulnerability.
The portion of the network on which the Crosscheck system exists is somewhat better protected. For example, it does appear to restrict access to a particular range of IP addresses used only by public officials, as internal documents suggest. But as ProPublica reported, a determined hacker would likely find ways to bypass this defense—the easiest route being to trick Crosscheck’s administrators into adding a different IP by spoofing the email account of a state authority.
Netragard also found two DNS servers located within this IP range. “One DNS server is incorrectly configured and can be queried by anyone,” said Desautels, raising the possibility that an attacker might use the server to collect information about its users.
While the Crosscheck server appears to be situated behind a WatchGuard appliance—a firewall placed between the server and the rest of the internet—it only provides the “appearance of security,” Desautels said. Ultimately, it would not be difficult to bypass. Since the firewall does not appear to use Dual Factor Authentication—a method for confirming a user’s identity using more than just a password—a basic phishing campaign is likely to produce the credentials needed to gain access, he said.
A second FTP server uncovered by Kromtech was anonymously accessed without a password as recently as the 16th of last month, the company said. While close to Crosscheck’s server on the network, it’s unclear if it holds sensitive data or credentials. A few of the records cached by Google include a spreadsheet with the names and addresses of candidates, which is public information, and the contact information of an analyst at the Arkansas Secretary of State’s office.
Chris Vickery, director of risk research at cyber-resiliency firm UpGuard, noted that the Arkansas government is using more than one outdated email access portal. “Those are the types of footholds that an attacker can easily leverage in order to gain knowledge and potential access,” he said, noting that if certain rate-limiting settings aren’t already in place, “it is likely that those instances have already been accessed via bruteforce password guessing.”
Passwords to encrypted voter data files submitted to Crosscheck are routinely transmitted by email. And numerous passwords have been released publicly—presumably by mistake—by several states in response to freedom of information requests.
The State of Idaho, for instance, released not only a username and password granting access to the Crosscheck repository, but the IP address of the server itself. Illinois reportedly used the passwords “election$2012” and “election$2014” to secure its voter data, according to documents obtained by Indivisible Chicago. The password for the 2016 election was not released—but if someone wanted to access the data, they might have a reasonable first guess.
Furthermore, a spokesperson for Indivisible Chicago told Gizmodo that using public record requests, the group was also able to obtain the current username and password used by the Illinois State Board of Election to access the Crosscheck system.
Gizmodo provided the Secretaries of State for Arkansas and Kansas a detailed summary of the security researchers’ findings on Tuesday. Neither responded to a request for comment.
To put it bluntly, Crosscheck’s methods for detecting voter fraud are overly simplistic and statistically inaccurate in almost every respect. In fact, an oft-cited paper published this year by researchers at Stanford, Harvard, Yale, the University of Pennsylvania, and Microsoft, revealed that Crosscheck is capable of producing false positives for double voters roughly 99 percent of the time.
The program works (or rather doesn’t) by searching for duplicate voter registrations based solely on names and dates of birth—attributes which are commonly shared more often than you might think.
The so-called “birthdate problem”—an extension of, but not to be confused with, the “birthday problem”—suggests, for example, that among a group of 180 people (ages 18 to 81), there’s at least a 50 percent chance that two were born on the same day, month, and year. Toss another 280 people in the room and the likelihood shoots up to 99 percent. Consider this: There are tens of thousands of Maria Garcias and James Smiths living in the United States, to name only two of the most commonly shared names.
Crosscheck’s true value is not in preventing or detecting voter fraud, but generating talking points for opportunistic pundits, particularly Republicans pushing voter-identification laws.
During a 2014 interview, for example, conservative political strategist Dick Morris told Fox News’ Sean Hannity that Crosscheck represented “the first concrete evidence” of “massive voter fraud” in North Carolina. In fact, the program had identified 35,750 voters whose names and birthdates matched voters in other states. But after the records were compared using Social Security numbers, that figure shrunk to merely eight potential cases. Only two people were convicted, according to The New York Times.
For now at least, aggregating the Social Security numbers of Americans and combining them with voter files in a central location is one of the few ways to determine, with any level of accuracy, which voters pulled a fast one. The trade-off in locating these individuals—whose handful of votes could in no way impact the results of an election, in which the victory margin is measured in hundreds, if not tens of thousands of votes—is that a program like Crosscheck would almost certainly risk exposing millions of people to an Equifax-level breach.
Allowing such a database to exist would represent an imminent threat to the personal data and financial security of nearly every American voter—particularly, it seems, if the Kansas secretary of state were in control.
Earlier this year, Kobach sent a letter to officials in 50 states asking them to turn over their voter data, including partial Social Security numbers, to the Presidential Advisory Commission on Election Integrity. As Gizmodo reported, the email address Kobach provided for the transfer was not secure and failed to take advantage of the most basic and widely-used encryption technology.