Close Close Comment Creative Commons Donate Email Add Email Facebook Instagram Facebook Messenger Mobile Nav Menu Podcast Print RSS Search Secure Twitter WhatsApp YouTube

File-Sharing Software on State Election Servers Could Expose Them to Intruders

A ProPublica analysis found election computer servers in Wisconsin and Kentucky could be susceptible to hacking. Wisconsin shut down its service in response to our inquiries.

Residents of Elkhorn, Wisconsin, submitting their ballot in the voting machine for the 2018 state primary election. (Scott Olson/Getty Images)

As recently as Monday, computer servers that powered Kentucky’s online voter registration and Wisconsin’s reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password.

The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky’s was accessible from other Eastern European countries.

The service, known as FTP, provides public access to files — sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server’s operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives.

Officials in both states said that voter-registration data has not been compromised and that their states’ infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica’s inquiries. Kentucky left its password-free service running and said ProPublica didn’t understand its approach to security.

The states’ reliance on FTP highlights the uneven security practices in online election systems just days before the midterm elections. In September, ProPublica reported that more than one-third of counties overseeing closely contested elections for congressional seats ran email systems that could make it easy for hackers to log in and steal potentially sensitive information.

Some states remain hampered by bureaucratic disagreements, or regard other needs as more pressing. If intruders were able to gain access to election-related server files, for instance, they could prevent people from registering to vote, compromise unofficial tallies or direct voters to the wrong polling place. Those actions could potentially sow chaos on Election Day and raise questions as to whether the vote was legitimate.

“FTP is a 40-year-old protocol that is insecure and not being retired quickly enough,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security. “Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. And malicious attackers can change the contents of a transmission without either side detecting the change.”

The mere presence of superfluous services on a public server, such as FTP, raises the risk of a hacker gaining access to sensitive configuration details about the server, Hall said. "Unnecessary services like FTP," he said, can be used to cripple a server by bombarding it with traffic — known as a distributed denial of service attack — or allow hackers to break into other computers on the same network. Secure FTP services, or SFTP, which were introduced more recently, should be used instead, Hall said.

In March 2017, the FBI warned of “criminal actors” targeting FTP servers that allow access to anyone on the internet without a password. This year, the website DataBreaches.net said a security researcher discovered an FTP server was configured in a similar manner and accidentally exposed the details of more than 200,000 patients.

Using a list of internet addresses for websites run by each state’s election agency, ProPublica scanned them for open “ports,” or virtual doors, which allow any computer on the internet to access them. Those ports can reveal some of the software a server is running, such as a website or FTP.

The FTP server in Wisconsin required a password. Kentucky’s didn’t. In addition, ProPublica found Maine’s FTP service on the same internet address as a state website that directs voters to their local polling places. But Kristen Schulze Muszynski, a spokeswoman for the Maine secretary of state, said the FTP service ran on a computer server separately from the lookup tool. It “never jeopardized Maine’s election process, and at no time was voter data at risk of being manipulated,” she said.

Several other states appear to have open FTP ports that weren’t operating. In one of those states, West Virginia, Chief Information Officer David Tackett said FTP services are protected behind a firewall.

Cyberattacks on state election systems marred the 2016 campaign. For example, special counsel Robert Mueller charged 12 Russians this past July in connection with an unspecified breach that Illinois officials say was very likely an attack on its voter registration database that exposed the personal details of thousands of people. A hacker’s ability to alter unofficial or early voting results was “a very real threat” ahead of the 2016 election, former Homeland Security Secretary Jeh Johnson testified in March before a Senate intelligence panel.

The Wisconsin Elections Commission revealed in September 2017 that the U.S. Department of Homeland Security notified it of an unsuccessful Russian hacking attempt the previous year that involved scanning for computer system vulnerabilities. Commission spokesman Reid Magney said the Russians did not scan the state’s “commercially-hosted agency websites,” including the commission’s site.

Major search engines like Google often prominently post voting results gathered automatically from state election commission sites. Magney said Wisconsin’s website ran an FTP service for years because the hosting provider, Cruiskeen Consulting, never turned it off. Cruiskeen is a mostly one-person operation that sometimes uses freelance consultants, according to its website.

Asked if Cruiskeen has ever alerted officials about suspicious activity or unauthorized access attempts, Magney said: “Cruiskeen does a lot of monitoring for unsuccessful login attempts and blocks them at the firewall. They also check the logs regularly for suspicious activity.” The same internet address previously hosted commercial websites like BoutiqueLiquidators.com.

Cruiskeen did not return phone calls or messages from ProPublica this week seeking comment. Magney said the owner is retiring soon, and the state plans to transfer the election-results website to a state-run computer system.

As of late Wednesday, Kentucky’s voter-registration server still allowed users to browse a list of files without a password. Even the names of the files contained clues that could conceivably help an intruder. For example, they indicated that Kentucky may use driver’s licenses on file in its motor vehicle software to verify voters’ identities.

Bradford Queen, a spokesman for Kentucky’s secretary of state, declined to say if running an FTP server was problematic. “We are constantly guarding against foreign and domestic bad actors and have confidence in the security measures deployed to protect our infrastructure,” he said.

“ProPublica’s claims regarding Kentucky’s website lack a complete understanding of the commonwealth’s full approach to security, which is multi-layered. Defenses exist within each layer to determine and block offending traffic.”

ProPublica’s Electionland project covers problems at the polls that prevent people from voting. If you experience or witness something on Election Day, let us know at https://www.propublica.org/electionland

Mike Tigas and Ken Schwencke contributed to this report.

Do you have access to information about election security problems that should be public? Email [email protected] Here’s how to send tips and documents to ProPublica securely.

For more coverage, read ProPublica’s previous reporting on elections.

Protect Independent Journalism

ProPublica is a nonprofit newsroom that produces nonpartisan, evidence-based journalism to expose injustice, corruption and wrongdoing. We were founded ten years ago to fill a growing hole in journalism: newsrooms were (and still are) shrinking, and legacy funding models failing. Deep-dive reporting like ours is slow and expensive, and investigative journalism is a luxury in many newsrooms today — but it remains as critical as ever to democracy and our civic life. A decade (and five Pulitzer Prizes) later, ProPublica has built the largest investigative newsroom in the country. Our work has spurred reform through legislation, at the voting booth, and inside our nation’s most important institutions.

This story you’ve just finished was funded by our readers and we hope it inspires you to make a gift to ProPublica so that we can publish more investigations like this one that holds people in power to account and produces real change.

Your donation will help us ensure that we can continue this critical work. From the Trump Administration, criminal justice, health care, immigration and so much more, we are busier than ever covering stories you won’t see anywhere else. Make your gift of any amount today and join the tens of thousands of ProPublicans across the country, standing up for the power of independent journalism to produce real, lasting change. Thank you.

Donate Now

Jack Gillum

Jack Gillum is a senior reporter at ProPublica based in Washington, D.C., covering technology and privacy.

Portrait of Jeff Kao

Jeff Kao

Jeff Kao is a computational journalist at ProPublica.

About Electionland

ProPublica’s Electionland project covers problems that prevent eligible voters from casting their ballots during the 2020 elections. Our coalition of newsrooms around the country are investigating issues related to voter registration, pandemic-related changes to voting, the shift to vote-by-mail, cybersecurity, voter education, misinformation, and more.

Questions? Read our FAQ.

Follow Electionland

Partners

and 50+ local and national newsrooms. Sign up to become a partner here.

Technical Partner

More Election Tools

The User’s Guide to Democracy

Congress works for you. Here’s how to be a better boss.

Represent

See what your representatives in Congress say and do.

ProPublica on IFTTT

Do more with ProPublica data and automated notifications.

Latest Stories from ProPublica

Current site Current page