DefCon hackers made short work of voting machines. Now what?
- By Matt Leonard
- Aug 08, 2017
The news coming out of last month’s DefCon hacker conference in Las Vegas was not good for voting machine manufacturers -- and unsettling for election officials.
A "voting village" was set up where hackers tested the security of about a dozen voting machines. They made their way into every single one.
Eric Hodge, director of consulting at CyberScout, helped plan the event. There had been plenty of discussion about the security of these machines, he said. American intelligence officials concluded last year that Russia interfered with the 2016 presidential election, but many state election officials argued that their voting machines were secure because they were not connected to the internet.
The DefCon voting village was set up to actually test the physical machines, which Hodge said never experience much penetration testing. In their testing debut, they didn’t fare too well.
Each system presented different vulnerabilities, Hodge said. Some were running unsupported operating systems, like Windows XP; some had ports where a thumb drive could be plugged in to either upload or download information; and others allowed people to physically lift out the data store and replace it with another. The machines used in the tests were bought off of eBay, and some of the models hacked are no longer in use, but one still had residual voter data on it from a previous election, he said.
Within minutes, some of the machines were hacked. “These guys are good," Hodge said. "But, you know, so are the Russians.”
One of the key takeaways for election officials, he said, is that “these systems aren’t safe just because they’re offline.” Election officials must take steps to ensure they’re using up-to-date technology and follow best practices, such as having a chain of custody for voting data and disabling ports on voting machines, he said.
To mitigate the risk from hacked machines, risk-limiting audits will have to become standard, according to Philip Stark, the associate dean of the Division of Mathematical and Physical Sciences at University of California at Berkeley.
“There is no such thing as unhackable computer technology,” Stark told GCN. “So the only way that you can get some reassurance that computers did the right thing is have a way to make an end run around them and check that they functioned correctly.”
The audit is that check, he said. To implement an audit, a locality must first use paper for its elections. About 25 to 30 percent of U.S. voters vote on equipment that doesn’t create a paper trail, he said, but “ideally, you have voter-marked, optically scanned ballots.”
Even these systems aren’t ideal. Only a few localities -- Travis County in Texas and California's Los Angeles County and San Francisco County -- are in the processes of developing systems that are optimized for these audits, he explained.
Many of the current optical-scan systems don’t report results for individuals ballots, but only result totals for districts, which makes it difficult for officials to match a paper ballot to what the computer marked for the same ballot. Audits are still possible, but it means hand counting a random selection of paper ballots to verify the digital count.
If localities are worried about their current system, Stark suggested they lease an optical-scan system and wait for the market to provide better options.
“I would not invest in a lot of new equipment right now if I were a jurisdiction, because the market is really shifting, and there will be cheaper and more easily maintainable alternatives coming up quickly,” he said.
Those better options may come as localities open source their solutions. Both Los Angeles County and San Francisco County are going to open source their entire systems, Stark said. Travis County is going to open source parts of its system, and Colorado, which is also implementing risk-limiting audits, plans to open source its audit system.
Voting machine manufacturers are also starting to talk about releasing more audit-enabled products, Stark said.
Matt Leonard is a former reporter for GCN.