Report details election vulnerabilities uncovered at DEFCON
By Matt Leonard
Oct 12, 2017
When attendees at the July DEFCON conference breached every poll book and voting machine that event organizers had in the Voting Machine Hacking Village, elections officials took notice.
A new report from DEFCON, the National Governors Association, the Atlantic Council, the Center for Internet Security and a number of universities and top technology vendors provides a more detailed look at just how vulnerable the entire U.S. election system – equipment, databases and infrastructure – is to hacking and urges policymakers to shore up security gaps.
Vulnerabilities start with an insecure supply chain. Many parts used in voting machines are manufactured overseas, and the report authors suggested that bad actors could compromise the equipment “well before that voting machine rolls off the production line.”
Voting Village participants found voting machines with universal default passwords and ones that broadcast their own Wi-Fi access point, which would allow hackers to connect. Once hackers gained access, they could escalate their privileges so they could run code, change votes in the database or turn the machine off remotely. Additionally, unprotected, uncovered USB ports provided easy inputs for thumb drives or keyboards.
Other issues uncovered showed that removing one chip could cause the entire machine to fail and revealed the use of an 8-bit cipher in firmware, which the report said is known for being insecure.
Voting Village organizers also reported that an improperly decommissioned poll book still had voter information on it. The device had been used to check in voters at the polls, and it retained personal information on 654,517 Shelby County, Tenn., voters from 2008.
The report concluded that even hackers with few resources and little experience with voting machines could compromise the systems – including those not connected to the internet – and undermine the integrity of elections.
Organizers said they believe the demonstration "was vital to growing the base of knowledge, expanding the circle of stakeholders beyond hackers, and shining a national spotlight on the serious cybersecurity weaknesses of U.S. election infrastructure."
In 2018, DEFCON hopes to expand the event beyond hands-on hacking of voting equipment to feature:
- A closed-loop system on which an entire mock election can be run using actual voting technologies.
- An election tech range where election officials and voting system manufacturers can demonstrate their solutions and test their technology.
- Election tech challenges to secure votes cast by absentee ballot, email, fax and web.
“It is imperative that leaders at the federal, state and local level come to understand this threat as a national security imperative and work together – leveraging the support of the national security and cybersecurity community – to better defend and protect the vote from cyberattacks in the upcoming elections in 2018 and 2020,” the report said.
As a result of the report's findings, the CIS announced that it was joining forces with private and public partners -- including the Department of Homeland Security and the National Institute of Standards and Technology -- to start bringing needed changes to voting infrastructure.
CIS Chairman and Interim CEO John Gilligan said at an Atlantic Council event announcing the release of the report that his organization would be working toward creating a best practices handbook for elections infrastructure.
States are still in the early stages of addressing elections vulnerabilities, according to Timothy Blute, the program director for the homeland security and public safety division of the National Governors Association.
“We’re going to look at the recommendations and try and provide some wisdom, based on our experience, as to what the roles governors and senior policy makers may be and then identify ways in which we can facilitate that,” Blute told GCN.
Some states, like Virginia, have already taken steps to mitigate problems in upcoming elections. The Department of Elections is requiring 22 localities to get rid of touchscreen machines before its next statewide election Nov. 7.
Matt Leonard is a former reporter for GCN.