China Daily Global Edition (USA)
Are hackers a threat ahead of midterms?
LAS VEGAS — Following the world’s largest yearly hacking conventions Black Hat and DEFCON held in Las Vegas this week, the United States has only about 90 days left to get ready for its 2018 midterm elections.
Amid the growing debate over whether electronic voting machines (EVMs) are hackable or not, there is increasing concern about how vulnerable the systems could be to cyberattack.
At Black Hat USA 2018, security researcher Carsten Schuermann discovered the results of a forensic analysis of eight WinVote voting machines that had been used in Virginia elections for more than a decade.
The associate professor at IT University of Copenhagen noted there are actually two problems with insecure voting machines. The first is obvious: The systems can be easily hacked.
“But the other threat is equally important and equally dangerous, and that is the threat of an alleged cyberattack — when people claim there was a cyberattack when there actually wasn’t,” Schuermann said at the conference.
Schuermann said such allegations can disrupt elections and damage the credibility of voting results.
The WinVote voting machine was used extensively in Virginia elections during 2004 and 2015. It has been dubbed the worst voting machine ever.
It runs Windows XP, service pack 0. It is by default Wi-Fi enabled. It uses WEP security, and all WinVote machines appear to use the same password “abcde”.
“That’s not a very secure password,” said Schuermann.
Several states still use voting machines similar to the WinVote.
Now in its second year, organizers of “The Vote Hacking Village” at the DEFCON, which takes place immediately following Black Hat in Las Vegas every year, have packed a conference room at Caesars Palace with voting machines.
The Voting Village has invited attendees to study and identify vulnerabilities in election equipment used around the United States as well as other nations.
This year’s Voting Village featured hands-on experience with at least nine types of voting equipment, almost all in use in elections today.
Thousands of hackers, more than 100 election officials and about 50 children identified and exploited various vulnerabilities within the election ecosystem, according to DEFCON.
After a few hours’ attack on the first day of the course, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display gifs.
Hackers were also discovering 1,784 files, including mp3s of Chinese pop songs, hidden among the operating system files of another voting machine.
The Voting Village has dramatically expanded this year to include not only more machines but also end-to-end voting infrastructure, including a voter-registration database and election-reporting websites.
“Election cybersecurity has been a national concern since 2016,” an organizer told Xinhua. “These hacks can root out weaknesses in voting machines.”
There is increasing concern about how vulnerable electronic voting machines could be to cyberattack.
Some officials that have flown to the event are becoming increasingly concerned about the threat to November’s midterm elections.
In recent months, the US Congress has failed to pass various bills that would fund election security and infrastructure improvements ahead of the midterms.
At the DEFCON event, nearly 40 child hackers were taking part in a contest to hack the mock versions of election board websites, and most of them were able to tamper with vote tallies.
But the US National Association of Secretaries of State (NASS) criticized creating mock election office networks and voter registration databases for participants to defend and/or hack as “unrealistic”.
“Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security,” the organization said.
One election machine manufacturer, Election Systems and Software (ES&S), has also raised questions about the value of the Voting Village.
“We at the Voting Village, along with our counsel, remain confident that our activities are lawful and are happy to address any of ES&S legal concerns directly,” DEFCON said in a statement.