Attendees to the 25th annual DEF CON hacking conference discovered weak spots in electronic voting machines that attackers could abuse in future compromises.
For their first-ever Voting Machine Hacking Village, DEF CON’s organizers purchased 30 electronic voting machines off eBay and left them to the mercy of attendees’ hacking skills. Not all of the computer-powered ballot boxes still service voters in today’s U.S. elections. But some do.
That makes the outcome of the Hacking Village all the more concerning.
Within 90 minutes, security researchers began uncovering chinks in the machines’ armor. Some physically broke into the machines with screwdrivers and discovered ports that attackers could leverage to infect the machines with malware. Others searched for admin passwords on Google to see what hidden features they could unlock. One even Rick-Rolled their target machine.
— DEF CON VotingVillage (@VotingVillageDC) July 29, 2017
Perhaps the most significant intrusion came from security researcher Carsten Schurmann, who obtained remote access via RDP to a WinVote machine by exploiting the unit’s poor Wi-Fi security along with a Microsoft vulnerability.
Jeff Braun, who specializes in digital security in Washington DC, told The Register that the Hacking Village’s results point to important shortcomings in the United States’ voting infrastructure:
“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how. The scary thing is we also know that our foreign adversaries – including Russia, North Korea, Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security.”
Still, not everything is doom and gloom.
According to CyberScout’s Eric Hodge, counties can avoid many physical threats posed to electronic ballot boxes if they “store machines, set them up, [and] always have someone keeping an eye on machines,” reports The Hill.
As for over-the-air vulnerabilities, DEF CON is seeking to set up an entire voting network at its next conference to determine if, for example, a remote hacker can abuse a flaw to change votes. (Those in attendance at DEF CON 25 didn’t succeed in achieving this level of interference.) They can then report those vulnerabilities to the Federal Election Commission and/or to individual states, who will hopefully take the flaws to heart and use them to better secure voting machines.
The United States doesn’t need a repeat of its 2016 election. It needs better voting machine security. And it looks like DEF CON attendees are leading the way in bringing about that change.