Huddled in the corner of a small room in the Salt Palace Convention Center are a group of hackers and a row of 12 voting machines. The machines, all of which were used during the 2016 election in Utah, are now strewn in pieces across a table as attendees of HackWest’s first annual cybersecurity conference pour over them, searching for vulnerabilities. And they’ve found a pretty major one. Any hacker can enter a voting booth, remove the card reader from the machine, turn off the machine, then power it back on again. Once the voting machine has turned back on, the screen will display a “no card reader” error message. All the hacker has to do from there is pop the card reader back in, and the machine will display the system setup.
With access to the system, hackers can see the network address and what is encrypting the system.
“If you know what encryption is being used, you can do what is needed to hack that encryption. You can focus your attack,” said Jake Blaney, a volunteer at HackWest.
And hackers may not even need to crack the encryption to accomplish their goal. If a voting machine is compromised, those votes are immediately suspect.
“It just creates doubt in the integrity of the system, and if that doubt is there, you could do it in a district you may not be in favor of, and those votes get thrown out,” Blaney said.