Hacking An Election Is Hard. Why Not Pwn The Messenger Instead?

Election day USA, November 8th, is nigh.

US elections (during a presidential election year) are a massive affair comprising federal, state, and local candidates for all sorts of elected positions: president, governors, senators, representatives, judges, state and county commissioners, et cetera. They are organized and run at the county level. There are 3,144 counties and county equivalents in the USA. And each of those county board of elections will be reporting results on the evening of November 8th.

So, just how is it possible to organize all of that information for national consumption in just one evening?

The practical answer is… the Associated Press (AP) does a lot of it.

Calling races, from the national level to state legislatures, is a vital function the AP provides to its members and customers.

From top to bottom, no other news organization has people on the ground covering elections like the AP does. This puts AP in a somewhat delicate position as the timing of calling races can get political…

In June 2016, the Associated Press called the Democratic nomination for Hillary Clinton, a day before six states voted, angering many supporters of Senator Bernie Sanders. But still, broadcasters such as NBC and ABC soon followed the AP’s lead. And expectations were set. That’s the oversized role the Associated Press plays in the US election process.

And how does the process work?

Here it is, as described by the AP’s products & services, How AP Calls Winners, page.

AP Calling Races, Steps 1 to 5

Step 3 – Vote entry clerk keys in results.

Stringers and entry clerks? Sounds interesting. Let’s find out more.

This is from AP’s FAQ on counting the vote:

Q: How are the votes counted?

A: Shortly before the polls close, over 4,000 stringers report to county election centers. When the first polls close, they’ll be ready to start phoning in the raw vote as it is reported by the counties. They’ll place their calls to AP election centers around the country.

At the centers, a total of over 800 vote entry clerks will answer those calls, and walk each stringer through a dialogue as they enter the number of precincts reporting and the candidates’ votes into our election night system. Since many states and counties display their election night results on websites, teams at the election centers also monitor those sites and enter results into the same system. This system tabulates the results and disseminates them in a number of formats to our member news organizations and customers.

(Emphasis mine.)

Here’s a picture of AP’s 2012 Eastern Election Center.

AP's Eastern Election Center 2012

Source: AP

So, 800 vote entry clerks input the results into an “election night system”. And given the world that we live in, that system is probably connected to the Internet, right? If so, perhaps we can locate it on the deep web.

Using F-Secure Riddler, I first searched for “pld:ap.org” and yielded 171 results. Next, I narrowed my search to “pld:ap.org keyword:microsoft-iis/6.0” and got back 16 results including one for a server called: apvotecount2.ap.org. Hmm.

Riddler pld:ap.org keyword:microsoft-iis/6.0 – apvotecount2.org

Having a “2” in its name suggests it’s a legacy server, as does the 2006 copyright.

Screenshot of apvotecount2.ap.org

© 2006

I continued searching and located: apvotecount.ap.org, running IIS 7.0.

Riddler pld:ap.org keyword:microsoft-iis/7.0 – apvotecount.ap.org

It displays a 2010 copyright…

Screenshot of apvotecount.ap.org

© 2010

Disclaimer – I have no idea if “AP Vote Count” is the “election night system” referred to above. It seems quite possible that it is (but I hope I’m wrong).


  • Leaving a legacy server online is probably (actually, definitely) a bad idea.
  • A publicly visible plain text, non-encrypted login page, no HTTPS. Really not a great idea.
  • AP Vote Count appears to be hosted in New York, not behind DDoS mitigation services. That sort of seems problematic.

Pwning the messenger

Let’s stipulate that hacking a U.S. election is very unlikely because the system is so diffuse.

So, what’s a threat actor to do?

Well, what’s not diffuse? The reporting of the results! Those are far more centralized – a perfect target.

And therefore, AP’s system could be a critical point of failure on election night. A threat actor couldn’t actually change the vote, but the results could definitely be undermined. A DDoS attack on the AP’s election night system could result in a delayed tally. And in the current political environment, delayed results will spread suspicions of voter fraud. If the system is vulnerable to hacking, illegitimate input might be possible, confusing the reporting, with the same potential results.

Alternatively, if the system is vulnerable, perhaps an attacker would prefer insider access for the sake of market arbitrage. Or to create market chaos. It wouldn’t be the first time that a hacker caused markets to move.

Market reaction to AP Tweet

April, 2013


I wish these concerns were far fetched. But given the targeted hacks and DDoS attacks seen during 2016, I don’t think they are.

Articles with similar Tags