Pennsylvania Rabbit Hole Part II


Hacking Voter Registration Databases
It’s easier than you think!

When we talk about hacking a voter registration database, what does that mean? In a nutshell it means getting access to the data, and stealing it. Or worse. Changing it.

There are several ways this might be done. One is good old SQL injection, where a hacker takes advantage of code vulnerabilities to alter a database by sending code through a form input or even through the URL.

Or it could be an inside job. A nefarious programmer builds a little back door, or leaves a data-manipulation script that runs on the server.

Or it could be done the easy way. Through the “Change Your Registration” form on the state’s own website!

That’s right. All you need is a state not doing its job. Add in someone with a little bit of time and, presto, you could move, change or add voters to your heart’s content.

The Harvard Study

A study published by Harvard researchers in September shows how easy it would be to manipulate voter data using one of these forms.

The researchers found that many states allow you to purchase enough information about voters that anyone can impersonate that voter and change information – address, party preference, or even name – using the online forms provided by many states.

We quickly found at least one state where we could easily manipulate voter data this way. We made no actual changes, because that would be a felony.

Pennsylvania Voter Registration Files

The state we looked at was Pennsylvania. Where Trump edged out Clinton by under 45,000 votes out of 6.2 million, or 0.73%. Where the smallest hiccup in the electoral process could have affected this thin margin.

With a Voter Registration File from Pennsylvania you would have over 8.5 million records. Names, addresses, dates of birth, political affiliation, voting history. A wealth of data that is available to the public.

Armed with this information, we went to the “Change your Registration” page of the Pennsylvania Department of State website. The information marked with red is mandatory. Everything else is optional.

What could nefarious actors do with all of this?

Naturally it’s illegal to impersonate a voter. But what could we do here, if we didn’t care about that?

Well, we could certainly change the party of a voter. Or his or her name, or address. Says so right here.

What if we wanted to move a bunch of voters to different polling places? We could outright prevent these voters from voting–when they showed up to vote they would not be in the poll book.

Or we could move people with no history of voting, or old people who may not be capable of voting, to new addresses. We could change their parties while we were at it. That way we could change the apparent demographics of a precinct with little fear of our changes being detected.

Or we could purchase a mailing list, and actually create new voters. Give them political parties and voting histories. We could even assign them to our desired polling places!

That “little” Cambridge Analytica thing

What about that script from Cambridge Analytica? It was posted to GitHub by an employee. It’s all about finding the geographic coordinates for an address. It specifically mentions “VoterID”.

Hmm …

It would be easy to find new addresses to assign our voters to, using that script. In fact, we could even write a browser plugin, to read a list of voters, addresses and new, fake, addresses, and fill out the Pennsylvania form automatically.

But how do we figure out which addresses are assigned to which polling places? We simply use this nifty online polling place locator interface, brought to you by the ever-helpful state of Pennsylvania:

This nifty public-facing voter registration hacking API is very well documented. Even a non-Russian could probably figure it out!

Is anyone thinking about Election Security?

Journalists and politicians, even the Department of Homeland Security, insist that despite these obvious vulnerabilities, voter registrations weren’t changed. But how do they know that for sure?

Hold on. I promise you. It gets absolutely crazy from here.

