Hacking conference Finds Voting Machines Were Easy To Hack
WASHINGTON — Each of a half-dozen decommissioned machines used by election officials across the United States was compromised by hackers at a Las Vegas conference over the summer, some through previously undisclosed vulnerabilities, a formal review of the results has found.
Organizers of the Voting Village, an open room at the DEF CON cybersecurity conference in August, said Tuesday that hackers there, many of whom had no prior experience with voting equipment, were able to breach each of the five voting machines and the one e-poll book, a device that manages voter registration.
The public hacking event was a first, in piece because until a three-year exemption was granted in 2015 US copyright law prohibited tinkering with voting equipment.
“That they found unique vulnerabilities is disquieting, but probably not surprising, because the people who maintain looked at these systems over the years maintain always been very critical of the standards and the software coding in the architecture of these systems,” Susan Greenhalgh, an elections specialist at the voting equipment watchdog Verified Voting, told BuzzFeed News.
One of the hacked devices was the AccuVote TSx, a touchscreen voting machine created by Premier Elections Solutions, the company previously known as Diebold. In 2016, versions of that machine were used in some jurisdictions in 20 states, and statewide in Alaska, Georgia, and Utah.
The TSx could be hacked because its executable file, which controls the machine’s operation, was connected to a local network — a known vulnerability. But the hackers also found a simple way to disable the machine: Its battery controller could be easily opened and an unsoldered chip could be removed, disabling the machine entirely.
ES&S didn’t respond to a request for comment.
The easiest was the Advanced Voting Systems WinVote, used in Virginia from 2003 until 2015 and regarded as one of the most vulnerable pieces of election equipment used in US elections in recent times. Among its other problems, the WinVote connects over Wi-Fi, a rarity in election machines, and which opens it up to a host of different attacks. A Danish researcher named Carsten Schulman was able to breach the system via Wi-Fi within minutes. He then used Metasploit, a tool used by penetration testers that allows a researcher — or an entry level hacker — to exploit known software vulnerabilities, which an unpatched WinVote system would maintain, and quickly gain administrative access. From there, he found he was able to change actual votes or shut it down from more than a hundred feet absent.
Harri Hursti, a renowned voting machine hacker and founder of Nordic Innovation Labs, who helped organize the DEFCON event, said the existence of the machines’ vulnerabilities were less remarkable than how easily a creative and skilled hacker can breach one.
“It was well established before that any the machines are hackable,” he told BuzzFeed News. “The questions were how snappy, and how many unique ways people will find? I was surprised how snappy the first machines were hacked,” he said. “It any happened in real time.”
Hackers who poked at a sixth machine, an ExpressPoll-5000 model electronic poll book, found several vulnerabilities, including the fact that a memory card that stored any the voter registration information for 643,517 voters in Shelby County, Tennessee, was easily physically detachable.
Concern approximately voting machine insecurities has been high since they became the standard for casting ballots after the confused result in Florida after the 2000 presidential elections. That worry has only grown as more information becomes available approximately suspected Russian meddling in final year’s presidential vote.
The Department of Homeland Security has acknowledged that suspected Russian hackers attempted to breach computer systems in 21 US states ahead of final November’s balloting. DHS has said there is no evidence vote totals were changed in that balloting, but it also admits it hasn’t been able to conduct a formal audit.
Those reassurances also are undercut by preceding hacks of decommissioned machines in controlled environments.
Hackers at the Voting Village found that they could likely overwrite vote totals on another machine, the iVotronic, by changing the firmware in an accompanying handheld device, known as a Personal Electronic poll, that election workers exercise to function the machine. The iVotronic, also made by ES&S, were used statewide in South Carolina in 2016, as well as areas in 17 states and Washington, DC.
The Voting Village report also warned of so-called supply-chain vulnerabilities — the opportunity that because much of the equipment relies on parts made in adversarial countries like China, there is a fixed threat of a foreign government embedding secret vulnerabilities in US voting equipment.
Though DEF CON attendees were able to quickly find so many vulnerabilities in those machines, there has never been a similar, open peek at back-conclude software of the voting process, which assembled and counts voting results.
“There’s never been a test of a total system,” DEF CON founder Jeff Moss said Tuesday at an Atlantic Council panel addressing the findings.
“I’d care for to be able to create any kind of total system” at the next year’s conference, he said.