Hackers at DEF CON, one of the nation’s largest cybersecurity conferences, successfully breached the software of U.S. voting machines within 90 minutes, exposing the glaring security vulnerabilities of the U.S. voting infrastructure.
“It took me only a few minutes to see how to hack it,” said Thomas Richards, a security consultant from Georgia.
30 computer-powered ballot boxes used in U.S. elections were set up. Hackers competed to access them by physically breaking them open and hacking them remotely. The conference organizers purchased the machines, manufactured by companies including Diebolds, Sequoia, and Winvote equipment, over eBay or at government auctions.
Some devices had remote ports, which could be used to insert devices containing malicious software. Some ran very outdated software, such as unpatched versions of OpenSSL and Windows XP and CE. Some of the machines included poorly secured Wi-Fi connectivity. According to The Register,
A WinVote system used in previous county elections was, it appears, hacked via Wi-Fi and the MS03-026 vulnerability in WinXP, allowing infosec academic Carsten Schurmann to access the machine from his laptop using RDP. Another system could be potentially cracked remotely via OpenSSL bug CVE-2011-4109, it is claimed.
We’re told the WinVote machine was not fully secured, and that the intrusion would have been detected and logged, so don’t panic too much. And not all the attacked equipment are used in today’s elections.
— Bradley Barth (@BBB1216BBB) July 28, 2017
“There’s so much misinformation about voting machines on the internet,” said Harri Hursti, cofounder of Nordic Innovation Labs, who helped organize the event. “The Village was announced last minute. But in the forums, people were active, looking to understand the problem. The changes have to start somewhere. This year it’s in this room, next year it will be a bigger room.”
Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine. pic.twitter.com/1Xk3baWdxv
— Robert McMillan (@bobmcmillan) July 28, 2017
“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how,” said Jake Braun, the Chief Executive Officer of Cambridge Global Advisors and Managing Director of Cambridge Global Capital, who designed the event.
If proper security processes are in place, says Eric Hodge, the Director of Consulting at CyberScout and a consultant for Kentucky’s Board of Elections, the threat to large elections is minimal. Properly storing machines, properly setting them up and having someone close by to monitor them at all times can mitigate many security problems. He notes that voting machines are not connected to the internet and systems used to set them up should ward off hackers. It’s also difficult to tamper with the results of a national election because voting machines are also bought and used county to county across the country.
“Unless it’s an election in Delaware or Rhode Island, it would be difficult to hack machines in every county,” Hodge said.