Hackers rocked the voting machines this summer. On July 28, at the first DefCon “village” dedicated to exposing weaknesses in electronic voting machines—and the first coordinated, research-based assault on EVMs in the United States since 2007—it took visitors just 80 minutes to hack the first machine. The hackers proceeded to find and penetrate multiple security vulnerabilities in each of the village’s 20 machines, representing five voting machine models, calling into question how secure machine-assisted elections are. Rep. Will Hurd (R-Texas) and Rep. Jim Langevin (D-R.I.), two of Congress’ senior cybersecurity experts, visited the village and later told hackers that they were “surprised” by how easy it was to hack voting machines. Langevin promised during the first on-stage appearance of sitting Congressmen at DefCon that when they return to Washington, D.C., “this is going to be a primary topic of conversation.”
The recent news that thirty electronic voting machines of five different types had been hacked for sport at the Def Con hackers’ conference in Las Vegas, some in a matter of minutes, should not have been news at all. Since computerized voting was introduced more than two decades ago, it has been shown again and again to have significant vulnerabilities that put a central tenet of American democracy—free and fair elections—at risk. The Def Con hacks underscored this. So did the 2016 presidential election, in which the voter databases of at least twenty-one and possibly thirty-nine states, and one voting services vendor, came under attack from what were apparently Russian hackers. Last September, then-FBI Director James Comey vowed to get to the bottom of “just what mischief” Russia was up to, but, also sought to reassure lawmakers that our election system remained secure. “The vote system in the United States…is very, very hard for someone to hack into because it’s so clunky and dispersed,” Comey told the House Judiciary Committee. “It’s Mary and Fred putting a machine under the basketball hoop in the gym. These things are not connected to the Internet.” Comey was only partially correct. Clunky and dispersed, American elections are run by the states through three thousand individual counties, each one of which is responsible for purchasing and operating the voting machines set up by Mary and Fred. But Comey missed a central fact about many of those machines: they run on proprietary, secret, black-box software that is not immune to hacking, as Def Con demonstrated.
Increased use of open source software could fortify U.S. election system security, according to an op-ed published last week in The New York Times.Former CIA head R. James Woolsey and Bash creator Brian J. Fox made their case for open source elections software after security researchers demonstrated how easy it was to crack some election machines in the Voting Machine Hacking Village staged at the recent DefCon hacking conference in Las Vegas. … “They confirmed what we already knew,” said James Scott, a senior fellow at the Institute for Critical Infrastructure Technology. “These are extremely vulnerable machines.” “Think of what a voting machine is,” he told LinuxInsider. “It’s a 1980s PC with zero endpoint security in a black box where the code is proprietary and can’t be analyzed.” Although the researchers at DefCon impressed the press when they physically hacked the voting machines in the village, there are more effective ways to crack an election system. “The easiest way to hack an election machine is to poison the update on the update server at the manufacturer level before the election,” Scott explained. “Then the manufacturer distributes your payload to all its machines for you.”
The news coming out of last month’s DefCon hacker conference in Las Vegas was not good for voting machine manufacturers — and unsettling for election officials. A “voting village” was set up where hackers tested the security of about a dozen voting machines. They made their way into every single one. Eric Hodge, director of consulting at CyberScout, helped plan the event. There had been plenty of discussion about the security of these machines, he said. American intelligence officials concluded last year that Russia interfered with the 2016 presidential election, but many state election officials argued that their voting machines were secure because they were not connected to the internet. The DefCon voting village was set up to actually test the physical machines, which Hodge said never experience much penetration testing. In their testing debut, they didn’t fare too well. … Within minutes, some of the machines were hacked. “These guys are good,” Hodge said. “But, you know, so are the Russians.”
Calls for paper-based voting to replace computer-based systems at the DEF CON hacker conference have intensified in the wake of a wave of voting machine hacks earlier this month. … “It’s undeniably true that systems that depend on software running in a touchscreen voting machine can’t be relied on,” Voting Village organizer Matt Blaze said in a Facebook Live feed hosted by US congressmen Will Hurd (R-Texas) and James Langevin (D-R.I.), in the aftermath of the DEF CON hacks. “We need to switch to systems that don’t depend on software,” said Blaze, a renowned security expert who is a computer science professor at the University of Pennsylvania. Blaze recommends OCR-based systems using paper ballots that provide an audit trail for counting and confirming votes. … “We know that computers can be hacked. What surprised me is that they did it so quickly” with the voting machines at DEF CON, says computer scientist Barbara Simons, president of Verified Voting. “One of the things that 2016 made quite clear is that we have very vulnerable voting systems and we don’t do a good job” of protecting them, Simons says. “So we exposed ourselves, and we haven’t taken the necessary steps to protect ourselves.”
Defcon is the annual hacker conference in Vegas and the buzz this year centered around the Voting Machine Hacking Village. A dozen electronic voting machines, like you might see at your local polling place, were set up along the walls of a conference room. In the center were tables where hackers took some machines apart. … In fact, until 2015, hacking voting machines — even to do research — was against the law unless you got a special waiver, said Matt Blaze, a computer science professor at the University of Pennsylvania. “So far, only a few dozen people who are computer scientists thinking about this have been able to get access to these machines,” Blaze said. Blaze helped set up the voting village at Defcon. A decade ago he obtained a waiver to study electronic voting machines in California and Ohio. “And my team of graduate students and I were able to very quickly discover a number of really serious and exploitable problems with those systems,” he said.
Last week at the Def Con Hacking Conference in Las Vegas chess grandmaster Garry Kasparov discussed artificial intelligence and cybersecurity, electronic voting machines were hacked into, and the US army taught hacking skills to children. Plus a group called the Online Privacy Foundation unveiled research on whether ‘dark ads’ on social media can sway political opinion. Targeting voters through social media, and customising the messaging based on publicly available data is a recipe for underhand political advertising. It allows for messaging that’s not fit for a party political broadcast to be targeted to an audience in swing areas. For example, in the recent UK election, Conservative attack ads warning voters against ‘Corbyn’s death tax’ were served to voters in the marginal constituency of Delyn in Wales.
American Democracy depends on the sanctity of the vote. In the wake of the 2016 election, that inviolability is increasingly in question, but given that there are 66 weeks until midterm elections, and 14 weeks until local 2017 elections, there’s plenty of time to fix the poor state of voting technology, right? Wrong. To secure voting infrastructure in the US in time for even the next presidential election, government agencies must start now. At Def Con 2017 in Las Vegas, one of the largest hacker conferences in the world, Carsten Schurmann (coauthor of this article) demonstrated that US election equipment suffers from serious vulnerabilities. It took him only a few minutes to get remote control of a WINVote machine used in several states in elections between 2004 and 2015. Using a well-known exploit from 2003 called MS03-026, he gained access to the vote databases stored on the machine. This kind of attack is not rocket science and can be executed by almost anyone. All you need is basic knowledge of the Metasploit tool.
The toughest thing to convey to newcomers at the DefCon Voting Village in Las Vegas this weekend? Just how far they could go with hacking the voting machines set up on site. “Break things, just try to pace yourself,” said Matt Blaze, a security researcher from the University of Pennsylvania who co-organized the workshop. DefCon veterans were way ahead of him. From the moment the doors opened, they had cracked open plastic cases and tried to hot-wire devices that wouldn’t boot. Within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WINVote machine. The Voting Village organizers—including Harri Hursti, an election technology researcher from Finland, and Sandy Clark from the University of Pennsylvania—had set up about a dozen US digital voting machines for conference attendees to mess with. Some of the models were used in elections until recently and have since been decommissioned; some are still in use. Over three days, attendees probed, deconstructed and, yes, even broke the equipment in an effort to understand how it works and how it could be compromised by attackers. Their findings were impressive, but more importantly, they represented a first step toward familiarizing the security community with voting machines and creating momentum for developing necessary defenses.
If there’s a single lesson Americans have learned from the events of the past year, it might be this: Hackers are dangerous people. They interfere in our elections, bring giant corporations to their knees, and steal passwords and credit card numbers by the truckload. They ignore boundaries. They delight in creating chaos. But what if that’s the wrong narrative? What if we’re ignoring a different group of hackers who aren’t lawless renegades, who are in fact patriotic, public-spirited Americans who want to use their technical skills to protect our country from cyberattacks, but are being held back by outdated rules and overly protective institutions? In other words: What if the problem we face is not too many bad hackers, but too few good ones? The topic of ethical hacking was on everyone’s mind at Def Con, the hacker convention last week in Las Vegas. It’s the security community’s annual gathering, where thousands of hackers gathered to show their latest exploits, discuss new security research and swap cyberwar stories. Many of the hackers I spoke to were gravely concerned about Russia’s wide-ranging interference in last year’s election. They wanted to know: How can we stop attacks like these in the future?