A Review of Post-Election Audits in Swing States
This talk evaluates the effectiveness of post-election audit procedures in several U.S. swing states, highlighting significant deficiencies in transparency and technical rigor. It demonstrates how reliance on electronic voting systems, including ballot marking devices (BMDs) and wireless modems, introduces vulnerabilities that current audit practices often fail to mitigate. The speaker argues that many claimed 'risk-limiting audits' do not meet established security standards, as they often lack random selection, are not conducted before certification, or fail to provide a trustworthy record of voter intent. The presentation emphasizes the necessity of hand-marked paper ballots and independent, transparent audit processes to ensure election integrity.
Why Your Local Election Audit Is Likely Security Theater
TLDR: Recent research into post-election audits across U.S. swing states reveals that many so-called "risk-limiting audits" fail to meet basic security requirements. These audits often rely on unverifiable electronic records rather than hand-marked paper ballots, and many are conducted after election results are already certified. For security researchers, this highlights a critical gap between policy-mandated compliance and actual technical assurance.
Election security is often presented as a solved problem, backed by "rigorous" pre-election testing and post-election audits. If you spend any time looking at the actual implementation of these audits, however, the reality is far more fragile. The recent research presented at DEF CON 2025 by Susan Greenhalgh exposes a systemic failure in how swing states verify their election outcomes. We are not talking about theoretical threats here. We are talking about a fundamental disconnect between the cryptographic or procedural promises made by vendors and the actual, messy reality of how votes are recorded, aggregated, and audited.
The Illusion of the Risk-Limiting Audit
A true risk-limiting audit (RLA) is designed to provide statistical confidence that the reported election outcome is correct. It requires a random sample of paper ballots to be compared against the electronic tally. If the sample doesn't match, the audit must expand until the discrepancy is resolved. The research shows that many states claim to perform RLAs while violating the core tenets of the process.
In several jurisdictions, the "audit" is performed on the electronic output of a ballot marking device (BMD) rather than the voter-verifiable paper record. If a BMD is compromised—perhaps via a malicious firmware update or a supply chain attack—it can print a human-readable choice on the paper while encoding a different selection in the machine-readable barcode. When the audit scanner reads that barcode, it confirms the fraudulent vote, not the voter's intent. This is a classic "garbage in, garbage out" scenario, but with the added danger of institutional validation.
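An added example, not from the talk or from any election system: a BRAVO ballot-polling test (one published RLA method, chosen here for illustration) run twice over the same constructed ballots, once reading the barcode and once reading the human-readable text. The ballot data, the 2,500 mismatched ballots, the seed and all function names are assumptions, and the printed text is assumed to match what the voter chose.

```python
import math
import random

TEXT, BARCODE = 0, 1  # index of each field in a (text, barcode) ballot tuple

def make_ballots():
    """Constructed BMD ballots: (human-readable choice, barcode the scanner decodes)."""
    honest_a = [("A", "A")] * 4000
    flipped = [("A", "B")] * 2500  # constructed fault: text says A, barcode says B
    honest_b = [("B", "B")] * 3500
    return honest_a + flipped + honest_b

def tally(ballots, field):
    counts = {"A": 0, "B": 0}
    for ballot in ballots:
        counts[ballot[field]] += 1
    return counts

def bravo_audit(ballots, field, winner, share, risk_limit=0.05, seed=20250808):
    """BRAVO ballot-polling test, two candidates, sampling with replacement.

    Each sampled ballot showing the reported winner multiplies the test
    statistic by share/0.5, any other by (1-share)/0.5. The outcome is
    confirmed once the statistic reaches 1/risk_limit. If that never happens
    within len(ballots) draws, escalate to a full hand count of `field`.
    """
    rng = random.Random(seed)  # assumption: a real audit derives the seed in public
    log_t, threshold = 0.0, math.log(1 / risk_limit)
    for draws in range(1, len(ballots) + 1):
        seen = ballots[rng.randrange(len(ballots))][field]
        log_t += math.log((share if seen == winner else 1 - share) / 0.5)
        if log_t >= threshold:
            return {"result": "confirmed", "winner": winner, "draws": draws}
    counts = tally(ballots, field)
    return {"result": "full hand count", "winner": max(counts, key=counts.get),
            "draws": len(ballots)}

def demo():
    ballots = make_ballots()
    reported = tally(ballots, BARCODE)  # the machine tally is built from barcodes
    winner = max(reported, key=reported.get)
    share = reported[winner] / len(ballots)
    return {"reported": reported,
            "barcode_audit": bravo_audit(ballots, BARCODE, winner, share),
            "text_audit": bravo_audit(ballots, TEXT, winner, share)}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The barcode-based run confirms the reported winner from a small sample because it samples the same data the tally was built from. The text-based run never reaches the risk limit and falls through to a hand count that reverses the outcome.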
Technical Debt and Attack Vectors
The reliance on electronic systems creates a massive attack surface that is rarely addressed in audit procedures. Many election management systems (EMS) are not as air-gapped as officials claim. Wireless modems are still present in many machines, and even in systems that are supposedly offline, the process of loading ballot definition files via USB drives introduces a significant vector for unsecured credentials (MITRE ATT&CK T1552) or malware propagation.
Consider the mechanics of a typical EMS. It aggregates vote totals from precinct scanners and programs the machines before the election. If an attacker gains access to the EMS, they can manipulate the ballot definitions or the aggregation logic. Because these systems are often proprietary and lack the transparency of open-source software, identifying these manipulations is nearly impossible without a full, independent hand count of the original paper ballots.
The research highlights that in 2024, operatives hired by partisan groups gained improper access to voting systems in multiple states. This wasn't just a minor breach; it involved the extraction of software and the potential for long-term persistence. When you have an environment where the integrity of the software is in question, an audit that relies on that same software to verify its own output is fundamentally broken.
The Transparency Gap
For a pentester, the most frustrating part of this research is the lack of public data. An effective audit must be transparent. If the tally sheets, the random selection process, and the discrepancy logs are not immediately available for public review, the audit is effectively a black box.
In states like Michigan and Wisconsin, audit results were published months after certification. This delay renders the audit useless for correcting an incorrect outcome. If you are performing a security assessment on an election system, your first step should be to look for the OWASP Top 10 vulnerabilities in the web-based reporting interfaces that election officials use. These interfaces are often the only public-facing component of the entire election infrastructure, and they are frequently riddled with basic flaws like broken access control or insecure direct object references.
Moving Toward Verifiable Security
Defenders in the election space need to stop focusing on "compliance" and start focusing on "evidence." If an audit process does not include a manual, hand-counted check of a random sample of voter-marked paper ballots, it is not an audit. It is a performance.
For those of us in the security community, the path forward is clear. We need to push for legislation that mandates:
- Hand-marked paper ballots as the primary record of voter intent.
- Pre-certification audits that are mandatory, transparent, and conducted by independent, non-partisan entities.
- Public access to all audit data, including the specific ballot images or records used in the sample.
We cannot secure a system that refuses to be audited. If you are working with local election officials, ask them how they handle discrepancies. If their answer is "we don't have a process for that," or "we just re-run the scanner," you know exactly where the vulnerability lies. The goal of an audit is not to confirm that the machines are working; it is to prove that the machines are telling the truth. Right now, in too many places, we are taking their word for it.