When attendees at the July DEFCON conference breached every poll book and voting machine that event organizers had in the Voting Machine Hacking Village, elections officials took notice. A new report from DEFCON, the National Governors Association, the Atlantic Council, the Center for Internet Security and a number of universities and top technology vendors provides a more detailed look at just how vulnerable the entire U.S. election system – equipment, databases and infrastructure – is to hacking and urges policymakers to shore up security gaps.
Vulnerabilities start with an insecure supply chain. Many parts used in voting machines are manufactured overseas, and the report authors suggested that bad actors could compromise the equipment “well before that voting machine rolls off the production line.”
Voting Village participants found voting machines with universal default passwords and ones that broadcast their own Wi-Fi access point, which would allow hackers to connect. Once hackers gained access, they could escalate their privileges so they could run code, change votes in the database or turn the machine off remotely. Additionally, unprotected, uncovered USB ports provided easy inputs for thumb drives or keyboards.
Other findings showed that removing one chip could cause the entire machine to fail, and that the firmware used an 8-bit cipher, which the report said is known for being insecure.
Voting Village organizers also reported that an improperly decommissioned poll book still held voter information. The device, which was used to check in voters at the polls, retained personal information on 654,517 Shelby County, Tenn., voters from 2008.
The report concluded that even hackers with few resources and little experience with voting machines could compromise the systems – including those not connected to the internet – and undermine the integrity of elections.