
When Insiders Become the Threat

DEFCONConference (YouTube), 57:57

This presentation details the unauthorized access and exfiltration of sensitive election management software, including ballot images and system configurations, from multiple county election offices. The speakers analyze how insiders exploited physical access to voting machines and election management systems to copy proprietary software and data. The talk highlights the significant security risks posed by insider threats and the lack of effective mitigation or investigation following these breaches. The session includes a discussion on the potential for malicious code injection and the need for evidence-based election security practices.

When Physical Access Becomes a Remote Threat: Lessons from Election System Breaches

TLDR: Recent investigations into election system breaches reveal that physical access to voting machines and election management systems allowed for the mass exfiltration of proprietary software and sensitive data. These incidents demonstrate that once an attacker gains physical control, they can dump entire system images and potentially develop exploits that bypass standard logic and accuracy testing. Security researchers and auditors must prioritize hardware-level security and supply chain integrity to prevent these vulnerabilities from being weaponized in future election cycles.

The security of election infrastructure is usually discussed in terms of remote network threats, but the most consequential failures often happen at the physical layer. When an insider or an unauthorized actor gains physical access to a voting machine or an election management system, the threat model changes entirely. The recent breaches in Coffee County, Georgia, and in other jurisdictions across the country show that standard software controls are insufficient against someone who has the time and the physical access to image the system and walk out with its proprietary binaries.

The Mechanics of the Breach

These incidents did not involve sophisticated remote zero-day exploits. They were classic cases of broken access control: the physical environment was treated as a trusted zone. Once inside the election management room, attackers either used valid credentials or bypassed authentication entirely to interact directly with the hardware.

The attack flow followed a predictable pattern:

  1. Physical Access: Attackers entered restricted areas, often with the cooperation of local officials or by exploiting lax physical security protocols.
  2. Data Exfiltration: Using standard forensic tools, they imaged hard drives and copied proprietary software from voting machines, scanners, and electronic poll books.
  3. Staging and Distribution: The exfiltrated data was moved to external storage and subsequently shared among a network of individuals, effectively turning proprietary software into a target for reverse engineering.

For a pentester, this is a reminder that physical security is the foundation of all other controls. If an attacker can pull the drive, they bypass almost every software-based restriction; only encryption at rest with a key that is not itself stored on the drive changes that outcome.

Reverse Engineering and the Lack of Obfuscation

A critical technical detail highlighted in the research is that the exfiltrated files were compiled binaries, not source code. That distinction is less of a defense than one might hope, because in many of these systems the binaries are neither obfuscated nor otherwise hardened against reverse engineering.

An attacker with a copy of the binary can load it into Ghidra or IDA Pro, decompile it, and reconstruct a reasonably readable version of the logic. Once the logic is understood, building a malicious variant is an engineering task rather than a research problem. And because these systems often lack integrity checks or a secure boot chain that verifies the entire software stack on every boot, a modified binary can be written back onto the hardware without triggering an alarm. A hash list that is only checked at installation, or that sits unsigned on the same disk as the files it covers, does not stop this: whoever can rewrite the files can rewrite the list.
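As an added example (my code, not code from the talk and not any vendor's election software), the following Go program contrasts the two designs: an unsigned hash manifest stored beside the binaries, which an attacker holding a disk image can regenerate after patching a file, and a manifest signed with an Ed25519 key that never exists on the device. The file names, file contents and the "patched tabulator" are constructed stand-ins.

```go
// Added example: an unsigned hash manifest versus a signed one, run against a
// tampered copy of the same image. Not code from the talk or any vendor.
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Image is the file set an attacker can copy off the device and later write
// back modified. Names and contents below are constructed stand-ins.
type Image map[string][]byte

// hashManifest renders "name sha256" lines in a fixed order. On its own this is
// the weak design: whoever can rewrite the files can rewrite this list too.
func hashManifest(img Image) string {
	names := make([]string, 0, len(img))
	for n := range img {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(img[n])
		fmt.Fprintf(&b, "%s %s\n", n, hex.EncodeToString(sum[:]))
	}
	return b.String()
}

// checkHashOnly is the boot-time check for an unsigned manifest stored on disk.
func checkHashOnly(img Image, manifest string) bool {
	return hashManifest(img) == manifest
}

// signManifest is the stronger design: the manifest is signed with a private
// key that never exists on the device, so it cannot be regenerated from an image.
func signManifest(img Image, priv ed25519.PrivateKey) (string, []byte) {
	m := hashManifest(img)
	return m, ed25519.Sign(priv, []byte(m))
}

// checkSigned verifies the signature with the public key baked into the boot
// code, then checks that the files on disk still match the signed manifest.
func checkSigned(img Image, manifest string, sig []byte, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, []byte(manifest), sig) && hashManifest(img) == manifest
}

// tamper returns a copy of the image with the tabulation binary patched.
func tamper(img Image) Image {
	out := Image{}
	for n, data := range img {
		out[n] = append([]byte(nil), data...)
	}
	out["tabulator.bin"] = []byte("tabulator v4.2 ... count = count - 1") // constructed patch
	return out
}

// Outcome records which checks accept which image.
type Outcome struct {
	SignedAcceptsOriginal    bool // sanity check: the untouched image passes
	HashOnlyAcceptsTampered  bool // attacker regenerated the unsigned list
	SignedAcceptsRewritten   bool // attacker regenerated the manifest, kept the old signature
	SignedAcceptsOldManifest bool // attacker kept manifest and signature, changed the files
}

func RunScenario() Outcome {
	orig := Image{ // constructed "firmware" of a tabulator
		"bootloader.bin": []byte("bootloader v1.3"),
		"tabulator.bin":  []byte("tabulator v4.2 ... count = count + 1"),
		"config.xml":     []byte("<config><precinct>42</precinct></config>"),
	}
	pub, priv, err := ed25519.GenerateKey(nil) // priv stays off the device, pub goes in boot ROM
	if err != nil {
		panic(err)
	}
	manifest, sig := signManifest(orig, priv)

	modified := tamper(orig)
	rewritten := hashManifest(modified) // everything needed for this is on the disk image
	return Outcome{
		SignedAcceptsOriginal:    checkSigned(orig, manifest, sig, pub),
		HashOnlyAcceptsTampered:  checkHashOnly(modified, rewritten),
		SignedAcceptsRewritten:   checkSigned(modified, rewritten, sig, pub),
		SignedAcceptsOldManifest: checkSigned(modified, manifest, sig, pub),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with `go run`; the unsigned check accepts the tampered image while both signed-check variants reject it. The remaining weak point is the verification key: if the attacker can also replace the public key, or the code that checks it, on the same imaged media, the signed design collapses too, which is why the check has to be anchored in ROM, fuses or a TPM-measured boot stage rather than on the writable disk.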

The danger here is not just the initial theft, but the long-term potential for exploitation. With two years between major election cycles, an attacker has ample time to study the code, identify vulnerabilities, and develop a payload that can be introduced via a simple USB drive or a compromised poll worker device.

Real-World Applicability for Researchers

For those of us in the security research community, these breaches underscore the need for a more rigorous approach to hardware security. When you are assessing an embedded system or a kiosk-style device, do not assume that physical access is out of scope. If the device lacks full-disk encryption with its key sealed to a Trusted Platform Module (TPM), and a measured or verified boot chain that refuses to run modified code, it is vulnerable to the same techniques used in these election breaches.

During a penetration test, if you find yourself with physical access to a device, your priority should be:

  • Identifying the bootloader: Can you drop to a root shell or boot into a custom kernel?
  • Extracting firmware: Can you dump the flash memory or hard drive to analyze the filesystem?
  • Checking debug interfaces: Are JTAG, SWD or UART ports left enabled and unauthenticated, exposing a console or the live system state?

The impact of these vulnerabilities is severe because they undermine the integrity of the entire system. If an attacker can modify the ballot counting logic, the system becomes a black box that can no longer be trusted to report accurate results.

Strengthening the Defense

Defending against this level of access requires moving beyond perimeter security. Encryption and signing keys should live in hardware (a TPM on the device, a Hardware Security Module (HSM) for the signing infrastructure) so that an imaged drive yields only ciphertext and a stolen binary cannot be re-signed, and all sensitive data at rest must be encrypted. Beyond that, Risk-Limiting Audits (RLAs) are essential. An RLA hand-examines a random sample of the paper ballots and bounds, by a chosen risk limit, the probability that a wrong reported outcome goes uncorrected, regardless of whether the tabulation software was compromised. The guarantee holds only if the paper ballots themselves are a trustworthy record, which is why the paper trail matters as much as the software.
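To make the RLA guarantee concrete, here is an added example (my code, not from the talk) of the BRAVO ballot-polling procedure of Lindeman, Stark and Yates, run against a constructed stack of paper ballots. The tabulator's reported share and the paper are independent inputs: in the first scenario they agree, in the second the reported count has been inverted by a modified tabulator. Ballot contents, stack sizes, the 5% risk limit and the random seed are constructed assumptions.

```go
// Added example: a ballot-polling risk-limiting audit (BRAVO) over constructed
// paper ballots. Not code from the DEF CON talk or from any election vendor.
package main

import (
	"fmt"
	"math/rand"
)

// Ballot is the hand-read content of one paper ballot in a two-candidate
// contest: 'A' or 'B' is a vote, anything else is an undervote BRAVO ignores.
type Ballot byte

// Result is the outcome of one audit run.
type Result struct {
	Confirmed    bool    // T reached 1/riskLimit: the reported winner stands
	BallotsDrawn int     // paper ballots hand-read before stopping
	FinalStat    float64 // the test statistic T when sampling stopped
}

// Bravo runs the sequential probability ratio test of BRAVO. reportedShare is
// the tabulator's vote share for the reported winner (must exceed 0.5). The
// null hypothesis is that the reported winner actually got at most half the
// valid votes; T is the likelihood ratio of the reported totals against that
// null, and the audit stops for the reported outcome once T >= 1/riskLimit.
// Draws come from the paper, never from the tabulator, so a compromised count
// cannot feed the statistic. If the paper is exhausted first, every ballot has
// been hand-read, which is a full hand count.
func Bravo(paper []Ballot, winner Ballot, reportedShare, riskLimit float64, rng *rand.Rand) Result {
	if reportedShare <= 0.5 || riskLimit <= 0 || riskLimit >= 1 {
		panic("BRAVO needs a reported majority and 0 < riskLimit < 1")
	}
	t := 1.0
	for i, idx := range rng.Perm(len(paper)) { // random order, without replacement
		b := paper[idx]
		switch {
		case b == winner:
			t *= reportedShare / 0.5 // sampled ballot supports the reported winner
		case b == 'A' || b == 'B':
			t *= (1 - reportedShare) / 0.5 // sampled ballot supports the reported loser
		}
		if t >= 1/riskLimit {
			return Result{Confirmed: true, BallotsDrawn: i + 1, FinalStat: t}
		}
	}
	return Result{Confirmed: false, BallotsDrawn: len(paper), FinalStat: t}
}

// makePaper builds a constructed stack of n paper ballots with the given share for A.
func makePaper(n int, shareA float64) []Ballot {
	paper := make([]Ballot, n)
	votesA := int(shareA*float64(n) + 0.5)
	for i := range paper {
		if i < votesA {
			paper[i] = 'A'
		} else {
			paper[i] = 'B'
		}
	}
	return paper
}

// HonestAudit: the tabulator reported A at 55% and the paper agrees, so a
// sample of a few hundred ballots pushes T past 1/0.05 = 20.
func HonestAudit() Result {
	paper := makePaper(20000, 0.55)
	return Bravo(paper, 'A', 0.55, 0.05, rand.New(rand.NewSource(1)))
}

// TamperedAudit: modified counting logic reported A at 60%, but on paper A has
// only 40%. The sample keeps favouring B, T shrinks towards zero and never
// reaches 20, and the audit escalates to a full hand count of all 20000 ballots.
func TamperedAudit() Result {
	paper := makePaper(20000, 0.40)
	return Bravo(paper, 'A', 0.60, 0.05, rand.New(rand.NewSource(1)))
}

func main() {
	for _, s := range []struct {
		name string
		r    Result
	}{{"honest", HonestAudit()}, {"tampered", TamperedAudit()}} {
		fmt.Printf("%-8s confirmed=%-5v ballots hand-read=%5d T=%.3g\n", s.name, s.r.Confirmed, s.r.BallotsDrawn, s.r.FinalStat)
	}
}
```

The point to take from the second run is that nothing the attacker does to the tabulator's software changes what the auditors read off the paper; the only way to defeat the audit is to tamper with the paper ballots or the sampling, which is a different and far more visible attack than patching a binary.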

We must stop relying on the assumption that election systems are "air-gapped" or otherwise protected by their isolation. The reality is that these systems are part of a complex supply chain, and their security depends on the integrity of every component, from the firmware to the physical locks on the doors.

The next time you are looking at a system that handles sensitive data, ask yourself how it would hold up if the attacker had a screwdriver and an hour of alone time. If the answer is "not well," you have found your most critical vulnerability. The lessons from these election breaches are clear: physical access is the ultimate privilege, and we need to start building systems that assume it will eventually be compromised.
