The news coming out of last month’s DefCon hacker conference in Las Vegas was not good for voting machine manufacturers — and unsettling for election officials. A “voting village” was set up where hackers tested the security of about a dozen voting machines. They made their way into every single one. Eric Hodge, director of consulting at CyberScout, helped plan the event. There had been plenty of discussion about the security of these machines, he said. American intelligence officials concluded last year that Russia interfered with the 2016 presidential election, but many state election officials argued that their voting machines were secure because they were not connected to the internet. The DefCon voting village was set up to actually test the physical machines, which Hodge said never experience much penetration testing. In their testing debut, they didn’t fare too well. … Within minutes, some of the machines were hacked. “These guys are good,” Hodge said. “But, you know, so are the Russians.”
One of the key takeaways for election officials, he said, is that “these systems aren’t safe just because they’re offline.” Election officials must take steps to ensure they’re using up-to-date technology and follow best practices, such as having a chain of custody for voting data and disabling ports on voting machines, he said.
To mitigate the risk from hacked machines, risk-limiting audits will have to become standard, according to Philip Stark, the associate dean of the Division of Mathematical and Physical Sciences at University of California at Berkeley.
“There is no such thing as unhackable computer technology,” Stark told GCN. “So the only way that you can get some reassurance that computers did the right thing is have a way to make an end run around them and check that they functioned correctly.”