Over the past two days, all major US news outlets breathlessly reported that hackers in Las Vegas needed little time to expose the security flaws of several types of voting machines this weekend. While it is certainly nice to see the mainstream media cover election integrity issues more than once every four years, anybody following the topic, as WhoWhatWhy routinely does, was hardly surprised that the hackers were so successful. How do we know? Because, in anticipation of what happened at the DEF CON hacking conference, WhoWhatWhy spoke to many of the leading election integrity experts to get their thoughts on the event. Most of them expressed hope that the hackers would raise much-needed awareness of the vulnerabilities of US voting machines. Some of the experts we spoke to ahead of the event expressed concerns that, should the hackers fail to breach the machines, it would give people a false sense of security. It turns out that they did not have to worry about that — at all.
… Hackers had varying degrees of success circumventing the security of the Sequoia AVC Edge, the iVotronic, and a TSX machine, which are collectively employed by more than 800 municipalities nationwide, according to Verified Voting. The same machines are rolled out statewide in Nevada and Louisiana (Edge); Washington, DC and South Carolina (iVotronic); and Alaska, Georgia, and Utah (TSX).
Some computer experts, like J. Alex Halderman, entered the weekend with tempered expectations. The prominent University of Michigan computer science professor, well-regarded for his work in the field of election-tech security, said that, while the event was “a nice way to raise awareness of the issues,” he “suspect[ed] that it’s way too short a time for anybody to demonstrate interesting hacks.”
Election security consultant Neal McBurnett, who was also prepared for a lackluster showing, cautioned against jumping to conclusions. “If nothing new comes out of this, it is NOT a sign that all is well,” said McBurnett, noting that DEF CON’s “very ad-hoc” setting was “no substitute for a proper red-team engagement, with sufficient time, access to system code and documentation, etc., all of which are of course available to a well-supported adversary.” In hindsight, the biggest takeaway here seems to be that meager resources are no barrier to a determined, capable hacker.
… Philip Stark, an associate dean of mathematical and physical sciences at UC Berkeley, went so far as to pronounce the hype surrounding the event “a little overblown,” given the vulnerabilities already brought to light by state-sponsored evaluations like EVEREST, as well as the published findings of academics like Halderman and Hursti. Hursti’s successful hack of a Florida county’s voter systems, all the way back in 2005 — depicted in the documentary Hacking Democracy — prompted the state of California to order its own comprehensive security review.
Stark, who also serves as an advisor to the federal Election Assistance Commission, anticipated that DEF CON hackers would “find new flaws.” But he said he was not worried about further shaking the confidence of the American public in the country’s voting systems: “Once you’ve discovered that the front door is unlocked and that there’s no alarm system and no security cameras, how much does it matter whether the windows are unlocked, too?”