DEFCON Report Illustrates All the Ways Voting Machines Are Completely Hackable

- October 10, 2017

DEFCON, the organization that holds the popular yearly hacker conference in Las Vegas, today issued a report on the findings from the voting machine hacking village.

In the report, DEFCON and its participating partners from the University of Pennsylvania, the Center for Democracy and Technology, Nordic Innovation Labs and the University of Chicago highlight various issues with voting machines that make them insecure to use for local, state and national elections.

Hacking villages are conference exhibits that allow the hacker community to focus in person on one particular aspect of hacking or technology. For instance, Tesla, the electric car manufacturer, was featured in a hacking village at a past conference. A Tesla model was placed on the conference floor, and hackers were allowed to try to compromise the car’s mobility.

This year’s conference, held in July, hosted 25,000 participants and featured 25 pieces of election systems, including paperless electronic voting machines and electronic poll books.

In a foreword to the report, Douglas Lute, former NATO ambassador and US Army lieutenant general, wrote that this report “highlights the problems that demand our attention and solutions.”

“This report makes one key point: our voting systems are not secure,” Lute wrote. “Last year’s attack on America’s voting process is as serious a threat to our democracy as any I have ever seen in the last 40+ years—potentially more serious than any physical attack on our Nation [sic].”

Previously, any hacking conducted on voting machines was done “in very limited academic or industrial settings under strict controls and publications restrictions,” which makes the DEFCON hacking village unique. It also comes at a time when a number of US voting jurisdictions are considering implementing newer electronic voting equipment.

The report calls the results of the hacking exercise “sobering.” Every piece included in the hacking village “was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity and availability of these systems.”

As an example, the first machine to be compromised in the event, an AVS WinVote model, “was hacked and taken control of remotely in a matter of minutes, using a vulnerability from 2003.” The report authors state that this machine, during its use from 2003 to 2014, could have been controlled remotely, allowing threat actors to change votes, observe vote results and even incapacitate the machine entirely.

Jeff Moss, founder of DEFCON, spoke at an Atlantic Council event discussing the findings from the conference. Leading up to the event, he said, it was initially difficult to obtain voting machines, as manufacturers tightly control them with purchase agreements and non-disclosures. Difficult, he said, until he searched eBay.

“Sure enough, thank you eBay, there were some to be found,” he said, “and they’re not that expensive. They’ve been around for about a decade, so you can get them fairly inexpensively.”

The report, he said, is a result of election officials who contacted Moss in a desperate attempt to gain information on the devices and their security. The election officials had a difficult time trusting the machines, but at the same time could not conduct their own security tests.

“This report,” Moss said, “is a culmination of a lot of things. One, it is the first attempt at changing the narrative.”

Mainly, the narrative that voting machines are difficult to hack, that they require physical access or special insider knowledge, falls flat.

“Now people are paying attention,” Moss said. “They weren’t paying attention 10 years ago. I think this really needs to be a discussion at a higher, national security level.”

The report includes four main lessons, one of which calls for needed policy changes. It also notes that the voting village will return to DEFCON in 2018 with improved testing conditions.

The entire report is available on the DEFCON site.

A CSPAN video of the Atlantic Council event is also available.