Hackers exploit vulnerabilities in voting machines
But they weren’t able to change any votes
Hackers 5, voting maLAS VEGAS chines 0.
It took less than a day for attendees at the DefCon hacking conference to find and exploit vulnerabilities in five different types of voting machine.
“The first ones were discovered within an hour and 30 minutes. And none of these vulnerabilities has ever been found before; they’re all new,” said Harri Hursti, co-coordinator of the event.
One group even managed to rick-roll a touch screen voting machine, getting it to run Rick Astley’s pop song Never Gonna
Give You Up from 1987. The Voting Machine Hacking Village event at the 25th annual DefCon computer security conference ran from Friday to Sunday. Its goal was to educate the computer security community about potential weaknesses of the voting systems used in U.S. elections and get them involved in fixing them. By all accounts it worked. “This software just isn’t up to modern standards. It’s not even as strongly protected as a PC,” said Brandon Pfeifer, a security expert who works on embedded aviation systems in Kansas City, Mo.
Conference goers thronged to the room where more than 30 voting machines were laid out in various states of disassembly.
The machines themselves were mostly bought on eBay, said event co-coordinator Matt Blaze, a professor at the University of Pennsylvania and election security expert. Only one of the models has been decommissioned; the rest are still in use around the country, he said.
Ad hoc clusters of attendees hunched around each of them, murmuring quietly as they tested various inputs. Every once in a while, someone would call for help or advice.
Several groups took machines apart, others found ports meant for election officials and plugged computers and testing devices into them to see what they could gain access to. Wireless and networked hacks also were attempted. But much of the work didn’t involve hacking at all.
“It just took us a couple of hours on Google to find passwords that let us unlock the administrative functions on this machine,” said Pfeifer, whose group was working on a touch screen voting machine. “Now we’re working on where we can go from there.”
The groups weren’t able to change votes, noted Hursti, a partner at Nordic Innovation Labs and an expert on election security issues.
“That’s not what we’re trying to do here today. We want to look at the fundamental compromises that might be possible,” he said.
Next year, organizers hope to set up a full end-to-end simulation of a voting network so they can find and report weaknesses. For this year, efforts focused on individual machines.
No one expects that an attack on the U.S. voting system would involve someone taking a screwdriver into the voting booth with them on Election Day, Blaze said. But the vulnerabilities discovered at the conference could lead to future exploits that don’t require actual physical access — and that might be done on not just one machine but dozens or hundreds.
This is the first time such an open and large-scale hacking of voting machines has been attempted, because until October 2015 such efforts were illegal under the Digital Millennium Copyright Act. An exemption by the Librarian of Congress now allows good faith efforts meant to find vulnerabilities, leading conference organizers to launch the event.
The dozens of computer scientists and hackers who cycled through the room over the course of the conference aren’t a threat to election systems — the bad guys are, said Barbara Simons, president of Verified Voting, a non-partisan, non-profit organization that advocates for elections accuracy. “Anything that’s happening in here, you can be sure that those intent on under- mining the integrity of our election systems have already done, with all the time and the resources in the world,” she said. “There are plenty of people with hostile motives and very considerable attack skills out there.”
Concerns about election hacking spiked after U.S. intelligence groups said Russia had attempted to interfere with the 2016 presidential election.
On June 21, Jeanette Manfra, the acting deputy undersecretary for cybersecurity and communications at the Department of Homeland Security, told the Senate Intelligence Committee the agency had evidence that election-related systems in 21 states were targeted by cyber attackers and in some cases data was stolen. However, no votes were actually changed, she said.