For those wondering if our voting machines can pass the security torture tests and prove readiness for November, experts simply laugh. Last year they rapidly learned the answer to that question is resoundingly, “no.” It only took ten minutes for the first breach.
This year’s Defcon 2018 hacker convention will once again offer a voting machine hacking village. Taking what they learned from last year’s experiment, this time the lab is only open to children ages 8 to 16, because adults find it far too easy.
“All the vulnerabilities which were discovered last year are fundamental vulnerabilities in the system itself – vulnerabilities that cannot be fixed without redesigning the whole system, redesigning the hardware,” Programmer Harri Hursti told reporters. He’s one of the co-authors of last year’s Voting Village study report.
There is only one way to make “elections fully impenetrable,” Hursti insists, “using paper ballots.”
According to former White House liaison Jake Braun, it would be a “waste of time” to turn adults loose on the machines again. The U.S. Department of Homeland Security expert is another co-founder of the event and also executive director of the University of Chicago Cyber Policy Initiative.
“These websites are so easy to hack we couldn’t give them to adult hackers – they’d be laughed off the stage,” Braun asserts, “They thought hacking a voter website was interesting 20 years ago. We had to give it to kids to actually make it challenging.”
This year, kids will get to “hack into replicas of the Secretary of State election results websites for thirteen Presidential Battleground States, manipulating vote tallies and election results,” the organizers relate.
Besides trying to hack the websites, researchers are exploiting and exposing “vulnerabilities in devices such as digital poll books and memory-card readers.”
The kinds of things organizers expect to find this weekend “would, in an actual election, cause mass chaos,” Braun believes. “They need to be identified and addressed, regardless of the environment in which they are found.”
The National Association of Secretaries of State is downplaying the horrible prognosis for election hardware. The hacking conference “utilizes a pseudo-environment which in no way replicates state election systems, networks, or physical security,” they assert in a statement.
“Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.”
Voting Village organizers push back on that challenge.
In a statement issued Thursday, the Voting Village vows “every type of machine that will be available at DEF CON is in use today.”
They also mentioned, “with regard to machines no longer in use, as shown in the 2017 Voting Village report, all machines at the Village with the exception of one, the WinVote, are still in use.”
Last year, the big takeaways were that vital components used in the equipment are made by overseas suppliers and could easily have hidden code or backdoors.
Sometimes all it takes is knowing the universal default password for a machine. One model was found to be using “admin” and “abcde” for access security.
The main thing many kept overhearing in 2017 was “wait, it can’t be that simple, can it?”
One Danish researcher sat down with his coffee at the start of the 2017 conference and while the morning speaker was giving his introduction, Carsten Schurmann “remotely accessed a target machine from his seat in the audience.” It took him ten minutes.
The Advanced Voting Solutions’ 2000 WinVote machine he accessed was used up until 2014 in Virginia.
The University of Copenhagen IT professor is back again this year. Since his speed-record breaking breach, he has devoted all his time to “conducting a comprehensive forensic analysis of WinVote Voting machines.” He will present his findings to the conference Friday.
Even though that model has been retired, “several voting machine models currently in use are susceptible to similar attacks.” Braun points out “We like to say, the machines and the voter registration databases aren’t connected to the internet, except for all the times that they are.”
Chief Technologist Joseph Hall imagines “someone driving around with a laptop from polling place to polling place and changing votes on these machines, with no paper trail.”
The machine Schurmann exploited was accessed through Wi-Fi because by design, “any time the machine was in use, it would have been vulnerable to remote access.”
Raffi Krikorian, Chief technology officer of the Democratic National Committee, put up $500 toward the prize money for the child with the “best defensive strategy for states around the country.”
Through a partnership with r00tz Asylum, a nonprofit that provides security training to kids, the DNC wanted to get the kinds of answers they need. “They’re not getting the right advice from the government or any three-letter agencies,” says Krikorian.
What they are hoping to learn are the “creative social engineering ideas these kids think of that none of us would.”