Updated: Nov 05, 2016 1:55 AM Central
A vote counting machine to be used in a number of states for the upcoming election is vulnerable to hacking, according to a new report.
Researchers at cybersecurity startup Cylance said they were able to hack into the Sequoia AVC Edge Mk1, used to count votes in states including California, Florida, and New Jersey, and change the final tally it produced.
The Edge machine is a touch-screen variant of the Sequoia AVC Advantage, “one of the oldest and vulnerable, electronic voting machines in United States,” as Politico put it in a recent cover story. The article detailed how a separate group of academics had also been able to hack into these machines, even infecting one Edge “with malware that allowed it to do nothing but play Pac-Man.”
Get Data Sheet, Fortune’s technology newsletter.
In Cylance’s hacking demonstration, researchers were able to alter the memory of the machine as well as the paper trail it created to change vote counts and precinct records. To pull off the hack, the researchers slipped in a custom PC memory card that overwrote software embedded on the device. (The company said it wouldn’t release more specific details about the attack “for election integrity reasons.”)
President Putin holds Russian Security Council meeting
Russia Vows to Retaliate If There Are New U.S. Sanctions Over Cyber Attacks
Stuart McClure, CEO of Cylance, said the problem likely extends beyond this model to “anything that uses a touch screen and compact flash model,” referring to the machine’s design. Asked about the likelihood of such an attack on election day, he said, “we don’t have the threat intelligence to say it is going to happen, but we know it is quite easy and possible to do.”
You can watch the demo below, or here.
Cylance recommended that election officials and volunteers inspect the machines’ software and hardware for problems, and monitor them for evidence of tampering. Something as simple as covering the machines’ input slots and back panels with duct tape may help reveal whether someone has tried to meddle with them.
Cylance said it had notified Dominion Voting Systems (née Sequoia), the voting machine’s maker, and government authorities about the threat. Cyclance said that it had spoken with the government, but had not heard back from Dominion.
Dominion did not immediately reply to Fortune’s request for comment.
In order to affect the election’s outcome, hackers would have to pull off a coordinated series of attacks on a massive scale while going undetected. But most cybersecurity experts are less worried about the mass manipulation of voting machine records than they are about disinformation campaigns designed to undermine faith in the election and the democratic process.
In recent months U.S. intelligence agencies have blamed Russia for breaking into computer networks operated by campaigns and political parties, and for having leaked private communications between officials and other documents to the public. Russian officials have dismissed the allegations.
Though researchers have warned about the possibility of hacking voting machines for some time, a likelier scenario on election day, experts say, involves targeted attacks against media outlets, attempts at manipulating or throwing into doubt sources of real-time news, or denial-of-service strikes against key parts of Internet infrastructure. Last week, for example, there was a massive Internet outage on the East Coast by an unidentified hacker or hackers.
Other states that use the Sequoia AVC Edge Mk1 are Arizona, Colorado, Illinois, Louisiana, Missouri, Nevada, Virginia, Washington, and Wisconsin, according to VerifiedVoting.org.