DEF CON

Tag Archive

National: Voting Village brings equipment to lawmakers to boost urgency on election security | Sean Lyngaas/CyberScoop

A year from the 2020 election and with a new round of election security funding stalled in Congress, the DEF CON Voting Village organizers have again taken to Capitol Hill to raise awareness about software vulnerabilities in voting equipment. This time, they brought the equipment with them to drive home their point. “If we’re going to meaningfully introduce funding or introduce new technologies for 2020, time is rapidly running out to be able to do that,” Matt Blaze, a professor at Georgetown University and co-organizer of the Voting Village, told CyberScoop. “We need to act pretty fast.” A handful of House Democrats and their staffers sauntered up to equipment on display, including a ballot-marking device and an electronic voting machine, to ask the researchers about the software bugs they found. “This is really helpful in understanding that these aren’t just abstract problems, that these are real things,” Blaze, an expert in cryptology, told CyberScoop. This is the second time in a month that the Voting Village has hosted an event on Capitol Hill. Last month, Blaze and Harri Hursti, another village organizer, unveiled the village’s annual report on flaws in voting gear that could be exploited by hackers.

Full Article: Voting Village brings equipment to lawmakers to boost urgency on election security.

National: Hacking a voting machine is getting easier | Brooke Crothers/Fox News

At the world’s premier hackers convention, hacking a voter system was as easy as ever, according to media reports. A summary of the “Voting Village” event posted last week said hackers at Defcon “compromised every single machine over the 2.5-day event, many of them with trivial attacks that require no sophistication or special knowledge on the part of the attacker.” “In most cases, vulnerabilities could be exploited under election conditions surreptitiously…an attack that could compromise an entire jurisdiction could be injected in any of multiple places,” according to a full version of the report. In many cases, physical ports were unprotected, passwords were either left unset or in their default configuration and security features went unused or in some cases, were disabled, the report added. Attendees were given access to over 100 machines at the event, including direct-recording electronic voting machines, electronic poll books, Ballot Marking Devices, Optical scanners and hybrid systems. One machine, based on an old PC hardware, had no BIOS password set on the machine. The BIOS (Basic Input Out System) controls the basic functions of a PC.

Full Article: Hacking a voting machine is getting easier | Fox News.

National: Hacker conference report details persistent vulnerabilities to US voting systems | Maggie Miller/The Hill

U.S. voting systems remain vulnerable to cyberattacks three years after documented efforts to penetrate election machines, according to a report released Thursday. The report is based on the findings of the white-hat hacker DEF CON Voting Village, an annual gathering of hackers that uses election machines to find vulnerabilities that could allow someone to interfere with the voting process. This year’s event allowed hackers to test voting equipment, including e-poll books, optical scan paper voting devices and direct recording electronic voting machines — all certified for use in at least one U.S. voting jurisdiction. “Voting Village participants were able to find new ways, or replicate previously published methods, of compromising every one of the devices in the room in ways that could alter stored vote tallies, change ballots displayed to voters, or alter the internal software that controls the machines,” the report said. Despite the “disturbing” findings of the report, the authors wrote that the findings were “not surprising,” particularly in light of the fact that many of the election equipment cyber vulnerabilities found were “reported almost a decade earlier.” Equipment that was tested included those made by leading voting machines companies Election Systems and Software (ES&S) and Dominion Systems.

Full Article: Hacker conference report details persistent vulnerabilities to US voting systems | TheHill.

National: Some Voting Machines Still Have Decade-Old Vulnerabilities | Lily Hay Newman/WIRED

In three short years, the Defcon Voting Village has gone from a radical hacking project to a stalwart that surfaces voting machine security issues. This afternoon, its organizers released findings from this year’s event—including urgent vulnerabilities from a decade ago that still plague voting machines currently in use. Voting Village participants have confirmed the persistence of these flaws in previous years as well, along with a raft of new ones. But that makes their continued presence this year all the more alarming, underscoring how slow progress on replacing or repairing vulnerable machines remains. Participants vetted dozens of voting machines at Defcon this year, including a prototype model built on secure, verified hardware through a Defense Advanced Research Projects Agency program. Today’s report highlights detailed vulnerability findings related to six models of voting machines, most of which are currently in use. That includes the ES&S AutoMARK, used in 28 states in 2018, and Premier/Diebold AccuVote-OS, used in 26 states that same year.

Full Article: Some Voting Machines Still Have Decade-Old Vulnerabilities | WIRED.

National: Cyber Experts Warn Of Vulnerabilities Facing 2020 Election Machines | Miles Parks/NPR

A group of guys are starring into a laptop, exchanging excited giggles. Every couple minutes there’s an “oooooh” that morphs into an expectant hush. The Las Vegas scene seems more like a college dorm party than a deep dive into the democratic process. Cans of Pabst Blue Ribbon are being tossed around. One is cracked open and spews foam all over a computer keyboard. “That’s a new vulnerability!” someone yells. The laptop that’s drawing the most attention in this moment is plugged into a voting machine that was used just last year in Virginia. “Right now, we’re trying to develop a way to remotely control the voting machine,” said a hacker named Alex. He’s seated next to Ryan, and like a lot of the hackers at the Defcon conference, they didn’t feel comfortable giving their full names. What they’re doing — messing around with voting equipment, the innards of democracy — falls into a legal gray area. The voting machine looks sort of like a game of Operation. The cover is off and dozens of cords are sticking out, leading to multiple keyboards and laptop computers. No one could get that kind of access on a real Election Day, which is when most people come into contact with voting machines for a few minutes at most. Election supervisors are quick to point out that any vulnerabilities found under these conditions aren’t indicative of problems that actually could be exploited during an election. All the same, hackers like Alex and Ryan say the work they’re doing is important because it’s the highest profile public investigation of the equipment U.S. citizens use to vote. And if they can exploit it, so could government-sponsored specialists working for another nation’s intelligence agency.

Full Article: In 2020, Millions Will Cast Ballots Using Insecure Machines, Experts Say : NPR.

National: Election Security Lessons from DEFCON 27 | Ciara Torres-Spelliscy/Brennan Center for Justice

Given the extent of foreign interference in the 2016 election, every American should be concerned about election security in 2020. But what can computer hackers teach us about it? To find out, I went to Las Vegas earlier this month to attend DEFCON 27, the largest annual hacking conference in the United States, knowing this was probably my last chance to see a legal election hacking. Voting machines are protected from reverse engineering under the Digital Millennium Copyright Act. But the Library of Congress, which has certain authorities under the law, set a three-year window to allow third parties access to voting machines to test their security. Barring an extension by the Library of Congress, 2019 is the third and last year these hacks are legal. DEFCON is a huge event, and I saw fellow conference-goers all over Las Vegas with their distinctive glowing badges. I was only interested in the DEFCON Voting Village, which included a large assortment of voting equipment for participants to test, hack, and break.

Full Article: Election Security Lessons from DEFCON 27 | Brennan Center for Justice.

Vermont: Ethical Hackers Breach Vermont Voting Machines, But Officials Say No Need To Panic | Peter Hirschfeld/Vermont Public Radio

Elections security experts have discovered new ways to manipulate the type of voting machine used in Vermont, but local elections officials say it’s unlikely that bad actors could exploit those vulnerabilities to change the results of an election. At a recent technology conference in Las Vegas, ethical hackers from across the country tried to infiltrate some of the voting machines used in U.S. elections. Probing for vulnerabilities in ballot tabulators is an annual tradition at the DEF CON Hacking Conference. This year, however, hackers tried to gain access to the same type of voting machine used by 135 towns in Vermont. Montpelier City Clerk John Odum retrieved one of the machines from a vault last week and placed it on a desk in his office. It’s a pretty ancient-looking piece of technology — like something you might have seen in a middle school computer room in the early 1990s. “As I understand it, the memory cards that we use, the technology was originally developed for the original Tandy laptops,” Odum said, “so this is some old stuff.” The machine is called an AccuVote, and its name is clearly meant to inspire confidence in the results it spits out. But when white-hat hackers set to work on this tabulator at DEF CON earlier this month, they quickly found all kinds of ways to manipulate results.

Full Article: Ethical Hackers Breach Vermont Voting Machines, But Officials Say No Need To Panic | Vermont Public Radio.

National: Hackers can easily break into voting machines used across the U.S.; play Doom, Nirvana | Igor Derysh/Salon

Voting machines used in states across the United States were easily penetrated by hackers at the Def Con conference in Las Vegas on Friday. Participants at Def Con, a large annual hacker conference, were asked to try their skills on voting machines to help expose weaknesses that could be used by hostile actors. A video published by CNN shows a hacker break into a Diebold machine, which is used in 18 different states, in a matter of minutes, using no special tools, to gain administrator-level access. Hackers also quickly discovered that many of the voting machines had internet connections, which could allow hackers to break into machines remotely, the Washington Post reported. Motherboard recently reported that election security experts found that election systems used in 10 different states have connected to the internet over the last year, despite assurances from voting machine vendors that they are never connected to the internet and therefore cannot be hacked. The websites where states post election results are even more susceptible. The event had 40 child hackers between the ages of 6 and 17 attempt to break into a mock version of the sites. Most were able to alter vote tallies and even change the candidates’ names to things like “Bob Da Builder,” CNNreported. “Unfortunately, it’s so easy to hack the websites that report election results that we couldn’t do it in this room because [adult hackers] would find it boring,” event organizer Jake Braun told CNN.

Full Article: Hackers can easily break into voting machines used across the U.S.; play Doom, Nirvana | Salon.com.

National: At Def Con, hackers and lawmakers came together to tackle holes in election security | Taylor Telford/The Washington Post

As Sen. Ron Wyden (D-Ore.) toured the Voting Village on Friday at Def Con, the world’s hacker conference extraordinaire, a roomful of hackers applied their skills to voting equipment in an enthusiastic effort to comply with the instructions they had been given: “Please break things.” Armed with lock-pick kits to crack into locked hardware, Ethernet cables and inquiring minds, they had come for a rare chance to interrogate the machines that conduct U.S. democracy. By laying siege to electronic poll books and ballot printers, the friendly hackers aimed to expose weaknesses that could be exploited by less friendly hands looking to interfere in elections. Wyden nodded along as Harri Hursti, the founder of Nordic Innovation Labs and one of the event’s organizers, explained that the almost all of the machines in the room were still used in elections across the United States, despite having well-known vulnerabilities that have been more or less ignored by the companies that sell them. Many had Internet connections, Hursti said, a weakness savvy attackers could abuse in several ways. Wyden shook his head in disbelief. “We need paper ballots, guys,” Wyden said. After Wyden walked away, a few hackers exchanged confused expressions before figuring out who he was. “I wasn’t expecting to see any senators here,” one said with a laugh.

Full Article: At Def Con, hackers and lawmakers came together to tackle holes in election security - The Washington Post.

National: DEF CON Voting Village: It’s About ‘Risk’ | Kelly Jackson Higgins/Dark Reading

DHS, security experts worry about nation-state or other actors waging a disruptive or other attack on the 2020 election to sow distrust of the election process. When DEF CON debuted its first-ever Voting Village in 2017, it took just minutes for researcher Carsten Schürmann to crack into a decommissioned WinVote voting system machine via WiFi and take control of the machine such that he could run malware, change votes in the database, or even shut down the machine remotely. Several other researchers were able to break into other voting machines and equipment by pulling apart the guts and finding flaws by hand that year, and then again on other machines in the 2018 event. The novelty of the live hacking of decommissioned voting machines has worn off a bit now and there weren’t many surprises – nor did the organizers expect many – at this year’s Voting Village, held at DEF CON in Las Vegas last week. But once again the event shone a white hot light on blatant security weaknesses in decommissioned voting machine equipment and systems. “DEF CON is not about proving that voting machines can be hacked. They all can be hacked and 30 years from now, those can be hacked, too. It’s about making sure we understand the risk,” Harri Hursti, Nordic Innovation Labs, one of the founders of the Voting Village, told attendees last week. Hursti as well as other security experts, government officials, and hackers at this year’s event doubled down on how best to secure the 2020 US presidential election: ensuring there’s an audit trail with paper ballots; employing so-called risk-limiting audits (manually checking paper ballots with electronic machine results); and proper security hygiene in voting equipment, systems, and applications.

Full Article: DEF CON Voting Village: It's About 'Risk'.

National: Hackers Take on Darpa’s $10 Million Voting Machine | Lily Hay Newman/WIRED

For the last two years, hackers have come to the Voting Village at the DefCon security conference in Las Vegas to tear down voting machines and analyze them for vulnerabilities. But this year’s Village features a fancy new target: a prototype secure voting machine created through a $10 million project at the Defense Advanced Research Projects Agency. You know it better as Darpa, the government’s mad science wing. Announced in March, the initiative aims to develop an open source voting platform built on secure hardware. The Oregon-based verifiable systems firm Galois is designing the voting system. And Darpa wants you to know: its endgame goes way beyond securing the vote. The agency hopes to use voting machines as a model system for developing a secure hardware platform—meaning that the group is designing all the chips that go into a computer from the ground up, and isn’t using proprietary components from companies like Intel or AMD. “The goal of the program is to develop these tools to provide security against hardware vulnerabilities,” says Linton Salmon, the project’s program manager at Darpa. “Our goal is to protect against remote attacks.” Other voting machines in the Village are complete, deployed products that attendees can take apart and analyze. But the Darpa machines are prototypes, currently running on virtualized versions of the hardware platforms they will eventually use. A basic user interface is currently being provided by the secure voting firm VotingWorks.

Full Article: Hackers Take on Darpa's $10 Million Voting Machine | WIRED.

National: Senator: Status quo on voting machine security is a ‘danger to our democracy’ | Alfred Ng/CNET

In the aftermath of the 2016 US presidential election, lawmakers have seen little change in security for voters. But if voting machine security standards don’t change by the 2020 presidential election, Sen. Ron Wyden warns, the consequences could be far worse than the cyberattacks of 2016. The Democrat from Oregon, who is a member of the Senate Intelligence committee, told the Defcon hacking conference that US voting infrastructure is failing to keep elections secure from potential cyberattacks. He made the comments in a Friday speech at the Voting Village, a special section of the Las Vegas conference dedicated to election security. “If nothing happens, the kind of interference we will see form hostile foreign actors will make 2016 look like child’s play,” Wyden said. “We’re just not prepared, not even close, to stop it.”  Election security has been a major concern for lawmakers since the 2016 election, which saw unprecedented interference by the Russians. Though no votes are believed to have been changed, the Russians targeted election systems in all 50 states, according to the Senate Intelligence Committee. Legislation to protect elections has been trudged along in Congress. Multiple members of Congress were at Defcon to discuss the issue, as well as to learn about cybersecurity policy.

Full Article: Senator: Status quo on voting machine security is a 'danger to our democracy' - CNET.

National: DARPA’s $10 million voting machine couldn’t be hacked at Defcon (for the wrong reasons) | Alfred Ng/CNET

For the majority of Defcon, hackers couldn’t crack the $10 million secure voting machine prototypes that DARPA had set up at the Voting Village. But it wasn’t because of the machine’s security features that the team had been working on for four months. The reason: technical difficulties during the machines’ setup. Eager hackers couldn’t find vulnerabilities in the DARPA-funded project during the security conference in Las Vegas because a bug in the machines didn’t allow hackers to access their systems over the first two days. (DARPA is the Defense Advanced Research Projects Agency.) Galois brought five machines, and each one had difficulties during the setup, said Joe Kiniry, a principal research scientist at the government contractor.  “They seemed to have had a myriad of different kinds of problems,” the Voting Village’s co-founder Harri Hursti said. “Unfortunately, when you’re pushing the envelope on technology, these kinds of things happen.” It wasn’t until the Voting Village opened on Sunday morning that hackers could finally get a chance to look for vulnerabilities on the machine. Kiniry said his team was able to solve the problem on three of them and was working to fix the last two before Defcon ended.

Full Article: DARPA's $10 million voting machine couldn't be hacked at Defcon (for the wrong reasons) - CNET.

National: Election Systems Are Even More Vulnerable Than We Thought | Louise Matsakis/WIRED

Hacker summer camp is here again! You know what that means: WIRED is back in Las Vegas for the annual Black Hat and Defcon security conferences, where we’re digging into the latest and greatest hacks on display. First, let’s talk about iPhones. A researcher found it’s possible to break into one just by sending a text message. To help uncover similar vulnerabilities in the future, Apple is handing out new, hacker-friendly iPhones to its favorite security researchers, and paying up to $1.5 million in bug bounties. Moving on to planes. Boeing’s 787 jets might not be very secure, it turns out—Andy Greenberg talked to a security researcher who found multiple serious flaws in the code for one of the plane’s components. (The 787 is distinct from the 737 MAX plane grounded earlier this year, although a recent test flight of that jet had its ups and downs, as WIRED’s transportation desk reports.) That’s not all that’s happening in Vegas. Safecrackers can unlock an ATM in minutes without leaving a trace. Apple pay buttons can make websites less safe. Have you heard of DDOS attacks? Kindly meet their cousin, the DOS attack. Lily Hay Newman also looked at two very old bugs that have continued to persist, one in desk phones and another in a ubiquitous encryption algorithm. Lastly, check out this very cool fake hospital, where real medical devices get hacked on purpose.

Full Article: Election Systems Are Even More Vulnerable Than We Thought | WIRED.

Editorials: 2020 and the black-box ballot box | Jon Evans/TechCrunch

One of the scarier notions in the world today is the prospect of American voting machines being compromised at scale: voters thrown off rolls, votes disregarded, vote tallies edited, entire elections hacked. That’s why the nation’s lawmakers and civil servants flocked (relatively speaking) to Def Con in Las Vegas this week, where hackers at its Voting Village do their best to prove the potential vulnerabilities — including, in some cases, remote command and control — of voting systems. There are several ways to help secure voting. One, thankfully, is already in place; the decentralization of systems such that every state and county maintains its own, providing a bewildering panoply of varying targets, rather than a single tantalizing point of failure. A second, as security guru Bruce Schneier points out, is to eschew electronic voting machines altogether and stick with good old-fashioned paper ballots.

Full Article: 2020 and the black-box ballot box | TechCrunch.

National: Def Con draws election officials to Las Vegas in effort to combat hackers | Miranda Willson/Las Vegas Sun

Ahead of the annual hacker and cybersecurity conference Def Con in Las Vegas this weekend, organizers anticipate that the part of the event devoted to election security will entice more local, state and federal election officials than ever before. Drawing tens of thousands of hackers, researchers, lawyers and others interested in cybersecurity every year to Las Vegas, Def Con has included a so-called “Voting Village” in its weekend-long programming for the past three years to address election security and how to protect elections from hacking. This is the first time that Def Con explicitly invited local and state election officials to attend, and many seem to be taking advantage of the opportunity, said Harri Hursti, co-founder of the Voting Village and founder of computer and network security company Nordic Innovation Labs. “We never intended this to be a main or big thing. It became a big thing because of popular demand,” Hursti said. Among those attending the conference are representatives from the Clark County Election Department and the Nevada Secretary of State’s Office.

Full Article: Def Con draws election officials to Las Vegas in effort to combat hackers - Las Vegas Sun Newspaper.

National: Inside the DEF CON hacker conference’s election security-focused Voting Village | Joe Uchill/Axios

The DEF CON hacker conference’s Voting Village event has become a testing ground for our national debate over voting security, referenced by Senate reports, several congressmen and even a presidential candidate (albeit incorrectly, see below). This year’s version, happening next week, comes with some upgrades. The big picture: Now in its third year, the event is traditionally one of the only places where many security researchers get a chance to audit the security of election systems.

Background: Voting Village burst onto the scene in 2017, when it took hackers only a matter of minutes to discover serious problems with machines. That was despite it being the first time many of the hackers had seen the systems.

Full Article: Inside the DEF CON hacker conference's election security-focused Voting Village - Axios.

National: DEF CON Invites Kids to Crack Campaign Finance Portals | Kelly Sheridan/Dark Reading

A new challenge at this year’s DEF CON will let kid hackers take aim at simulated election campaign financial disclosure portals and use their findings to stage disinformation campaigns. DEF CON’s Voting Village and AI Village have teamed up with r00tz Asylum, a nonprofit dedicated to educating kids about white-hat hacking, to teach budding infosec enthusiasts ages 8–16 about digital threats to democracy. Like the Voting Village, which lets adults explore flaws in election infrastructure, r00tz Asylum gives kids a chance to poke holes in election security. Last year, r00tz Asylum made its first foray into election security. Kids used SQL injection to access and manipulate synthetic state election results websites, where they could change the candidates and displayed vote counts. It took two 11-year-old hackers just 15 minutes to crack a replica of the Florida Secretary of State’s website and change its vote count reports.

Full Article: DEF CON Invites Kids to Crack Campaign Finance Portals.

National: First look at the DEFCON Voting Village | Eric Geller, Mary Lee and Natasha Bertrand/Politico

Sen. Ron Wyden (D-Ore.) and former 2020 presidential candidate Rep. Eric Swalwell (D-Calif.) will speak at this year’s DEFCON Voting Village, MC can reveal. The lawmakers will join California Secretary of State Alex Padilla and former NSA national threat operations director Sherri Ramsay in the election security-focused corner of the cybersecurity conference, which runs Aug. 8-11 in Las Vegas. “The overwhelming interest we are seeing from government leaders demonstrates that securing our democracy is a national security priority,” Voting Village co-founder Harri Hursti says in a press release set to go out this morning, “and we need policy solutions that address the concerns brought to light each year by this Village.” The Voting Village sparked controversy last year when the National Association of Secretaries of State dismissed its findings about voting technology vulnerabilities by saying the test conditions were unrealistic. NASS said at the time that it looked forward to working more closely with the village’s organizers this year. That appears to have happened: This year’s event will “feature a significant increase” in government speakers, including “prominent state and local election authorities,” the organizers said. Other speakers will hail from the DHS Cybersecurity and Infrastructure Security Agency, the Defense Advanced Research Projects Agency and the Pentagon. And good news for attendees seeking a hands-on experience: Per the organizers, there will also be “a more extensive array of voting equipment” this year.

Full Article: Exclusive first look at the DEFCON Voting Village - POLITICO.

National: 5 Risks We Face with E-Voting Technology | Techspective

Technology brings with it a number of conveniences, but it also opens up opportunities for scammers and hackers to take advantage of people through tech fraud. That crime involves using technology in a variety of possible ways to mislead people, steal data, shut down systems and more. Increasingly over the past several years, tech fraud has influenced voter fraud, which also manifests in many ways. People may use fake information at the polls, try to vote more than once or otherwise wrongfully attempt to swing votes in a certain direction. Unfortunately, e-voting could facilitate both tech fraud and election fraud if the platforms aren’t sufficiently locked down.

Full Article: 5 Risks We Face with E-Voting Technology.