DefCon Hackers Demonstrate Vulnerabilities Of US Voting Machines

Hacking voting machines in U.S. elections is easy, according to some of those who attended the second annual DefCon in Las Vegas over the weekend.

The Huffington Post reported that the event's participants were able to change the software and other features of machines on which Americans will cast ballots in this fall's mid-term elections.

The relative ease with which the equipment was manipulated is ramping up fears that the country's voting systems may be compromised. It is not the first time the concern has surfaced. Several years ago, a former programmer for one of the leading manufacturers of voting machines told a congressional committee that anyone with access to the company's proprietary code could reverse the outcome of a race.

There is considerably more evidence of voting-system vulnerabilities than there is proof of voter fraud. Despite claims by the Trump administration and others, cases involving people voting illegally or multiple times are extremely rare.

DefCon organizers said they conducted the hacking tests to show manufacturers what needs to be done to protect the integrity of their machines. The urgency of addressing the issue is amplified by the mid-terms, which will decide which political party controls the House of Representatives. Republicans might lose their majority in the Senate, as well. Democrats could block much of the president's agenda if they were in charge of either chamber.

The Wall Street Journal reported that one of the manufacturers, Election Systems & Software, assured its customers that interfering in elections is not so simple. The company pointed out in a letter that hackers at the conference could “access some voting systems’ internal components because they (had) full and unfettered access to a unit without the advantage of trained poll workers, locks, tamper-evident seals, passwords and other security measures that are in place in an actual voting situation.”

The National Association of Secretaries of State, which is made up of the nation's top local elections officials, agreed. According to CNN, the organization argued that the hacking at the conference “in no way replicates state election systems, networks or physical security.”

Some NASS members attended DefCon. Noah Praetz, the chief elections officer in Cook County, Ill. (which includes Chicago), said that “obviously, we look at what happened in 2016.” He was referring to Russia's alleged meddling in that year's presidential election, the subject of an ongoing federal investigation by Justice Department special counsel Robert Mueller.

Jake Braun, one of the DefCon organizers, warned that the Russians are studying how to manipulate voting machines in this year's U.S. elections. He criticized the companies that declined to submit their machines to scrutiny at the conference.

Equipment is not the only voting-system element at risk. During one of the DefCon workshops, children between the ages of 8 and 16 had little trouble changing information on replicas of 13 key states' voting results reporting websites. The kids altered the vote totals and results.

“These websites are so easy to hack we couldn't give them to adult hackers — they'd be laughed off the stage,” Braun told ABC News. “They thought hacking a voter website was interesting 20 years ago. We had to give it to kids to actually make it challenging.” Braun is a former White House liaison for the Department of Homeland Security.

Conference organizers explained: “For anyone who knows anything about DefCon, or r00tz, they know that no one would encourage kids to hack real elections. The point of this exercise is: 1) Help get these young hackers involved in civic engagement at an early age; 2) demonstrate how easy it is to change election results online, as has been done for real in Ukraine and Ghana; and 3) learn from creative social engineering ideas these kids think of that none of us would.”

The children competed for $2,500 in cash prizes, which came from part of the funding the Democratic National Committee provided to co-sponsor the conference. Raffi Krikorian, the DNC's top technology officer, told Wired: “We wanted to figure out how we could use this to our advantage.”

Voting systems were under the microscope at the inaugural DefCon in 2017, as well. ProPublica reported that hackers “managed to breach all five models of paperless voting machines, as well as an electronic poll book.” Conference-goers successfully cyberattacked the WINvote machine, a product of Advanced Voting Solutions, in less than two hours.

Last weekend, the event's leaders tweeted: “Every type of machine that will be available at DefCon is in use today. … All (the) machines, with the exception of one, the WINvote, are still in use. This year, we have even more machines, all of which are in use across the U.S. We invite NASS to come learn about the vulnerabilities we find this year, and we invite you to participate next year, because as we know, cyber threats are constantly evolving and becoming more sophisticated.”
