Tensions Flare as Hackers Root Out Flaws in Voting Machines (#GotBitcoin?)
Defcon hack-a-thon conference aims to help test election security, but makers of voting equipment raise doubts.
Hackers at the Defcon computer security conference believe they can help prevent manipulation of U.S. elections. Some election officials and makers of voting machines aren’t so sure.
That tension was front and center at Defcon’s second-annual Voting Village, where computer hackers are invited to test the security of commonly used election machines. Organizers see the event as an early test of U.S. election security and a counterpunch to potential outside interference. On the first day of the event, which runs through Sunday, hackers were able to swap out software, uncover network plug-ins that shouldn’t have been left working, and uncover other ways for unauthorized actors to manipulate the vote.
These hacks can root out weaknesses in voting machines so that vendors will be pressured to patch flaws and states will upgrade to more secure systems, organizers say.
Yet some manufacturers and security experts believe the hack-a-thon is unlikely to uncover the type of real-world issues that would come up in an election.
“Anybody could break into anything if you put it in the middle of a floor and gave them unlimited access and unlimited time,” said Leslie Reynolds, executive director of the National Association of Secretaries of State.
Election Systems & Software LLC, a leading manufacturer of voting equipment, was reluctant to have its systems tested at the conference. The company played down the expected findings from the event in a letter to customers. Hackers “will absolutely access some voting systems’ internal components because they will have full and unfettered access to a unit without the advantage of trained poll workers, locks, tamper-evident seals, passwords, and other security measures that are in place in an actual voting situation.”
Kathy Rogers, senior vice president of government relations for ES&S, said the letter was sent “in response to numerous inquiries by our customers as to what equipment might be at Defcon and what they might expect.”
In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal. Voting Village organizer Jake Braun disagreed with this interpretation of the agreements.
The states and vendors are making a mistake by not participating in the voting village, which amounts to a thorough security test for any machine involved, Mr. Braun said. “This is not a cyber-mature industry,” he said.
Some state and local election officials at the conference said the companies that sell voting equipment are more interested in maintaining their profit margins than improving the security of their machines.
ES&S had two employees attend Defcon to “learn about any ideas for enhancements to voting security,” Monica Tesi, a spokeswoman for the company, said. Making voting equipment available to “potential bad actors, foreign or otherwise,” could harm national security, Ms. Tesi said, adding that Defcon has no security or identity requirements and that anyone who pays the $280 registration fee can enter.
Dominion Voting, another voting machine maker, declined to comment and wouldn’t say whether it had employees present at the hacking conference.
Mr. Braun disputed the assertion that the Voting Village hacking could threaten national security, saying it would be naive to assume that Russia wasn’t already looking for voting system flaws. “I think it would be a national security threat not to do it,” said Mr. Braun. Representatives for Defcon didn’t immediately respond on Sunday when asked to comment on ES&S’s criticism of its security policies.
Election cybersecurity has been a national concern since 2016, when Russian-government hackers allegedly broke into systems at the Democratic National Committee, launched an influence campaign on Facebook Inc.’s social network, and targeted more than 20 voter registration systems, government officials say.
Russia has repeatedly denied interfering in the election.
Earlier this month, senior intelligence officials in the Trump administration warned that Russia was again engaging in “pervasive” efforts to interfere in the November elections.
In March, Congress appropriated $380 million to shore up the nation’s election systems—money that has now been allocated to 50 states and five territories to pay for improved election equipment, and security training and testing, according to the Election Assistance Commission, the agency responsible for disbursing the funds.
Jeanette Manfra, a senior cybersecurity official at the Department of Homeland Security, said that security researchers at Defcon were doing important work by finding vulnerabilities in voting systems that could be used by bad actors. But she said she sympathized with concerns from election officials that the vote-hacking village could unintentionally lower public confidence in American elections—considered a chief goal of Russian interference.
“You want companies to be building more secure products, but at the same time the public doesn’t necessarily know the full picture,” Ms. Manfra said. “If all you are saying is, ‘Look, even a kid can hack into this’, you’re not getting the full story, which can have the impact of having the average voter not understanding what is going on.”
“It’s really, really difficult to actually manipulate the vote count itself,” she said.
But it’s still worth uncovering any potential security flaws in these machines, because there are plenty of others—organized criminals for example—who might want to throw an election, said Joseph Lorenzo Hall, chief technologist with the nonprofit Center for Democracy & Technology.
“Everybody’s talking about Russians, but we have to be clear that there are other threats here,” said Mr. Hall on Friday while mingling with hackers at the Defcon Voting Village. It’s a conference room deep in the bowels of Caesars Palace—littered with voting machines, memory cards and scanners.
A few minutes later, Mr. Hall stopped talking and cast a wary eye over at two attendees who were examining a big gray vote scanning machine in the corner of the room. He was worried they might plug it in and fire up its powerful engine without supervision. “We’re OK with destructive testing of these things. I just don’t want you to hurt yourself,” he said. “There are things that will take your fingers off in there.”
Grade Schoolers Hack Into Election Websites In Under 10 Minutes
Proving you don’t have to be Russian to influence an election, 50 American kids wreaked havoc on a group of voting websites.
On Friday, an 11-year-old boy hacked into a Florida state election website and changed the voting results in under ten minutes. And no, he wasn’t Russian. He was one of 50 kids attending DEFCON 26, a giant hacking convention, and was participating in an event called the “Voting Machine Hacking Village.” Luckily, the website wasn’t real (it was a replica), but the point was the same nonetheless. If kids can change election results, the integrity of our elections is probably not safe.
During that event, the 50 kids all tried to hack over a dozen imitation websites that were designed to impersonate election sites in battleground states. Most of the kids, who were all between the ages of 8 and 16, managed to crack the sites in under 30 minutes and were able to alter party and candidate names, as well as tweak the candidates’ vote counts.
The National Association of Secretaries of State responded to the news with concern but naturally expressed some doubt that what the kids did could successfully be done on the real websites. At least they hope not, for the sake of their jobs. “It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” the statement read.
Voting Machine Used in Half of U.S. Is Vulnerable to Attack, Report Finds
The flaw in Election Systems & Software’s Model 650 high-speed ballot-counting machine was detailed in 2007.
Election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack, according to a report to be delivered Thursday on Capitol Hill.
The issue was found in the widely used Model 650 high-speed ballot-counting machine made by Election Systems & Software LLC, the nation’s leading manufacturer of election equipment. It is one of about seven security problems in several models of voting equipment described in the report, which is based on research conducted last month at the Def Con hacker conference.
The flaw in the ES&S machine stood out because it was detailed in a security report commissioned by Ohio’s secretary of state in 2007, said Harri Hursti, an election-security researcher who co-wrote both the Ohio and Def Con reports. “There has been more than plenty of time to fix it,” he said.
While the Model 650 is still being sold on the ES&S website, a company spokeswoman said it stopped manufacturing the systems in 2008. The machine doesn’t have the advanced security features of more-modern systems, but ES&S believes “the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real world environment,” the spokeswoman said via email. The machines process paper ballots and can therefore be reliably audited, she said.
The Def Con report is the latest warning from researchers, academics and government officials who say election systems in the U.S. are at risk of tampering. Earlier this month, the National Academies of Sciences, Engineering, and Medicine recommended U.S. states move away from voting machines that don’t include paper ballots. And senior intelligence officials have described Russian efforts to interfere in the 2018 midterm elections as deep, real and ongoing.
Voting security took on new urgency following the 2016 election. Russian hackers were accused by U.S. intelligence agencies of probing the election infrastructure of at least 21 states, breaching a small number of voter-registration databases, and promoting divisive propaganda on social media.
Moscow denies the allegations. U.S. officials say there is no evidence vote tallies were manipulated.
ES&S has said it considers cybersecurity a top priority and has never experienced a breach. However, the company didn’t employ a senior cybersecurity official until April. It said the 2016 election raised the specter of cybersecurity to a new level.
The Def Con report was written by participants in a “Voting Village” last month at the conference, in which hackers were invited to test the security of commonly used election systems.
Many flaws listed in the report can only be exploited when an attacker gets physical access to machines. However, the report describes two techniques hackers could leverage to get remote access and, for example, change a vote count.
To leverage the 11-year-old flaw, hackers need to save malicious files on a storage drive that is then plugged into a machine. Mr. Hursti said he believes that because the removable devices used by these machines are no longer manufactured and are commonly bought on sites such as eBay, it is possible for a hacker to sell an infected disk.
Model 650 vote counts could also be modified remotely via a networking bug, the report says.
In a close race, vote tampering could be devastating, Mr. Hursti said. “If you make a small modification in a small number of counties, that’s enough to swing the state,” he said.
ES&S has said Def Con, which is open to anyone, isn’t an appropriate venue for security research and that information gleaned about its systems could be misused.
In an interview last month, Christopher Wlaschin, ES&S’s vice president of systems security, said there is value in so-called white hat, or ethical, hacking. “What I’m not in favor of is submitting hardware and software and source code to anonymous people,” he said.
Tensions between ES&S and Def Con organizers have made coordinating security work ahead of the November midterm elections more difficult, according to federal officials.
ES&S has said it works closely with state and local officials who want to replace existing machines. Last year, ES&S granted a loan to Virginia so it could quickly swap out paperless machines weeks ahead of a gubernatorial election, the company said.
Election security researchers and politicians aren’t convinced ES&S is doing enough. The company hasn’t adopted common internet security standards that secure against phishing attacks and make it harder to intercept messages, according to staffers for Sen. Ron Wyden (D., Ore.). The U.S. issued a directive last year requiring all agencies to adopt such standards.
In a statement, Mr. Wyden said the security failings raise questions about ES&S’s commitment. “It’s like going to a restaurant—if the bathroom’s dirty, you start to wonder what the kitchen looks like,” he said.
The ES&S spokeswoman said the company “has been dedicated to the security of our nation’s elections since its founding 40 years ago and proactively evolves security practices as threats evolve.”
Monty H. & Carolyn A.