A motley assortment of hackers walk into a room packed full of voting machines. You can guess what happened next.
In many ways, the 25th Annual DEF CON went down like those that preceded it. Over the weekend, 25,000 hackers, cybersecurity professionals, and members of the press gathered together in a Las Vegas hotel to discuss the latest threats facing our digital lives.
But this year’s gathering was different in at least one important way. That’s because, this year, the conference gave attendees a hands-on chance to hack voting machines. Like, the actual machines used in local, state, and federal elections.
And hack them they did.
DEF CON’s first Voting Machine Hacking Village, organized by Finnish computer programmer Harri Hursti and University of Pennsylvania professor Matt Blaze, put 20 voting machines in a room and let attendees have at them. People cracked open machines, soldered into circuit boards, and in general broke through the systems that are designed to ensure the legitimacy of our vote.
In three hours, all the machines had been hacked, a feat that surprised even Hursti, a man known for having successfully altered recorded votes on a Diebold optical scan voting machine. “[The] first discoveries happened shockingly fast to me,” he told Mashable.
Like so many things, the idea for the Voting Machine Hacking Village, one of many hands-on villages at the conference, started off with nothing more than a casually tossed out idea. According to Jeff Moss, the founder of DEF CON, it was born out of a tweet.
“It started out as a twitter post asking if anyone had a good voting machine hacking talk they could give,” explained Moss on a DEF CON web forum, “and it has ended up as a first year village.”
The organizers had to move quickly. “We pulled this together in five weeks,” noted Hursti.
Possibly as a result, things got off to a rocky start. On July 27, a day before the village was set to open to the public, Hursti confided that there was a problem: The voting machines hadn’t arrived. It seems they had been rerouted to Portland, Oregon, by mistake. When we caught up with Hursti, he was frantically working to get them sent to Las Vegas as soon as possible in order to be ready for the opening day.
Organizers managed to pull it off in time, but the mishap somehow seemed fitting. After all, if the end goal of the village was to find holes in the security of our voting machines, accidentally demonstrating that those same machines can be mysteriously rerouted across the country is just the cherry on top.
The village opened as scheduled at 10:00 a.m. on July 28, and within 15 minutes people had started pouring in. By 11:30 a.m., one participant had wirelessly hacked a WINVote machine. Notably, that specific type of machine was decertified around a year ago, but Hursti cautioned that just because a machine shouldn’t still be in use doesn’t mean it isn’t still in use at least somewhere.
And anyway, it’s not like the 19 other machines fared that much better. “People started doing whatever they thought was the right thing to do,” explained Hursti, noting that many of the hackers were just experimenting.
Importantly, all of the different types of voting machines in the village had been hacked at some point in the past, but many of the models remain in use. To make matters worse, according to Hursti, the attendees managed to find a “completely new set of vulnerabilities.”
That’s not all they found. One electronic pollbook was chock full of voter registration data.
One of the Express epollbooks at the Defcon voting machine hacking village had 600,000 voter reg records on it from Shelby County, TN
Kim Zetter (@KimZetter) July 30, 2017
Like most of the machines in the village, this one had been purchased off eBay.
We reached out to Election Systems & Software, the company that manufactures ExpressPoll electronic pollbooks, for comment, but have yet to receive a response as of press time.
Of course, there are many different types of voting machines in the U.S., and they generally fall into one of four categories: punch card voting systems, optical scan paper ballot systems, direct recording electronic systems, or other ballot marking devices and systems. Different states tend to have different setups, but according to the Pew Research Center, for the 2016 presidential election, 75 percent of registered U.S. voters lived in districts with either optical-scan ballots (read by machines) or direct-recording electronic systems (think touchscreens).
Basically, these machines are everywhere.
Should we panic?
When we hear that hackers can make quick work of our voting machines, it’s easy to immediately jump to the worst possible conclusion: the election was hacked, your vote was discarded, or total vote counts were changed. And while, sure, we should take the security of our election systems seriously, finding proof of past malfeasance is not what the DEF CON Voting Machine Hacking Village was about.
Instead, according to Hursti, the point was to start a discussion that will hopefully wake the industry up from what he considers to be a decades-long slumber. “Election technology in the U.S. as an industry is still very immature,” Hursti explained. “[It’s at a] place where internet companies were 30 years ago.”
“[The] industry works in denial,” continued Hursti. “I hope this will start an open and honest discussion.”
If the coverage following this year’s DEF CON is any indication, Hursti and his partner Blaze have more than succeeded in doing just that. But that doesn’t mean the work is over. “These are fundamental design flaws,” explained Hursti. He further noted that the exploration of vulnerable voting systems, along with the reporting of any discovered vulnerability to the proper authorities, is going to continue in the months and years to come.
Which, well, should leave us with a bit of hope that at next year’s DEF CON it might take hackers more than just three hours to break into every single voting machine in the house. Cross your fingers, but maybe don’t hold your breath.