Hacking voting machines takes center stage at DEFCON

DEFCON attendees succeeded in hacking voting machines, and now that there is proof the systems are insecure, more work needs to be done to change election laws and practices.

LAS VEGAS -- "Anyone who says they're un-hackable is either a fool or a liar."

Jake Braun, CEO of Cambridge Global Advisors and one of the main organizers of the DEFCON Voting Village, said the U.S. election industry has an attitude similar to what had been seen with the air and space industry and financial sectors. Companies in those sectors, Braun said, would often say they were un-hackable -- their machines didn't touch the internet and their databases were air-gapped -- until they were attacked by nation-states with unlimited resources and organized cybercrime syndicates and they realized they were "sitting ducks."

The fear of threat actors hacking voting machines and tampering with election results has been stoked in the wake of the 2016 U.S. presidential election and growing questions about Russian interference. The false sense of security that governments may have had about election infrastructure received yet another blow at this year's DEFCON, where attendees gathered in the conference's Voting Village to successfully penetrate different types of e-voting machines.

"This idea that's being perpetuated in the elections industry, whether it be government or vendors, that these are un-hackable machines because they don't touch the internet or voter registration databases that are un-hackable because they're air-gapped is just ridiculous. If you said something like that here, you'd be laughed at," Braun told SearchSecurity in an interview at DEFCON. "The sin isn't the fact that some secretary of state or clerk gets hacked or some vendor's machine gets hacked. The sin is not asking for help and saying that you're un-hackable, both of which things are ridiculous."

DEFCON hacking voting machines

Braun said that everyone at DEFCON assumed hacking the voting machines would be successful from the start. Ultimately, Braun said the participants were able to get into two systems an hour and a half after starting, and it has since been reported that all of the machines at DEFCON were hacked in less than two and a half days "without inside or domain-specific knowledge."

"The guys in here literally have the database of a poll book -- they've already accessed it -- and they're able to go in and say people have already voted, so that if you showed up to your precinct it would say you already voted so you couldn't vote," Braun said. "They were able to uncheck people as voting, which would enable people to vote multiple times. They were one of the ones who got in within the first hour and forty minutes."

Hackers were also able to pull off some more unconventional tricks, such as analyzing unintentional radio signals created by the cables connecting a voting machine to a printer, as well as installing Windows Media Player on the AVS WinVote system in order to "Rick-roll" DEFCON attendees by playing Rick Astley's 1980s pop song "Never Gonna Give You Up."

Even pulling together the Voting Village proved an impressive feat as Braun said he called Jeff Moss, founder of DEFCON, in February or March 2017 to suggest hacking voting machines. Braun got the go-ahead in April to create the Voting Village where attendees from around the world would be given a chance at hacking voting machines.

"So, all of this came together in about two and a half months. We've got about two dozen machines, a couple poll books, and we got an elections clerk to give us the specs of their network and we built it on a virtual cyber range in there," Braun said. "So, we've got guys and gals who are able to sit there and attack and defend a clerk's network, including voter registration databases and all that stuff."

All of the machines used in this year's DEFCON Voting Village were purchased second-hand, but Braun is optimistic the companies that make official voting equipment will donate systems in future years. Braun said the Voting Village has already been slated as a permanent fixture at DEFCON.

Responding to election hacking

Candice Hoke, law professor and co-director of the Center for Cybersecurity and Privacy Protection, said in a DEFCON talk that the laws surrounding investigations of potential election hacking were troublesome.

"In some states, you need evidence of election hacking in order to begin an investigation … This is an invitation to hackers," Hoke said. "We all know in the security world that you can't run a secure system if no one is looking."

Barbara Simons, former president of the Association for Computing Machinery and current board chair for Verified Voting, said the push towards paperless ballots has made it very difficult or impossible for election officials to perform recounts if it is suspected that voting machines were hacked.

"We need to get paper ballots everywhere, but we also need to get people to look at them because those paper ballots, by-and-large, are being counted by computers in optical scans, and those computers are computers," Simons said. "We need to get laws passed, or requirements, that after every election, before the votes are certified, a manual random post-election ballot audit is conducted as a check against the computers and the scanners."

Simons said there were currently 14 states that have electronic-only voting, meaning there is no way to perform a proper recount, and many states have retrofitted electronic voting machines with paper copies printed on thermal rolls, the kind typically seen in supermarket receipt printers.

"Those retrofits are really bad designs. Most people don't look at them. They can be very hard to read because the font can be very small. It can be designed to print out everything a voter does with no summary page, making it difficult to see who someone voted for. And they're hard to recount because it's a continuous roll," Simons said. "If you want to count something, the easiest way to do it -- like you do with money or cards -- is you sort it into piles and count each pile. But if it's a continuous roll, you can't do that."

Improving election security

Awareness of election security issues has been on the rise, according to Braun. Beyond the voting machine hacks at DEFCON, the words of General Doug Lute, the former U.S. ambassador to NATO who spoke at the conference, of the various local election officials at DEFCON and of former U.S. intelligence chief James Clapper should help push awareness even more.

Braun said a common argument from election officials is there is a need for physical access when hacking voting machines, but he noted that a motivated nation-state with enough intelligence operatives could gain that access relatively easily.

"The fact that they can drive around -- they only have to go to a handful of counties around the country -- the machines are kept in warehouses with padlocks, essentially," Braun said.

Braun said there is a need to fundamentally rethink how people are trying to solve this problem. He said that for the last decade or so the focus has been on urging better security, upgrades and audits on the approximately 3,000 county clerks and the 50 secretaries of state.

"But the thing is: A) you're not going to get to all of those people and B) actually about 20 percent of them change every year because they're elected or appointed, so you have high levels of turnover. So it's literally an unsolvable problem if you approach it that way," Braun said. "Instead what needs to happen is governors need to take ownership of this."

Braun said state governors were perfectly placed to organize the county clerks and secretaries of state and implement better election security procedures, as well as to petition the federal government for more funding and resources to put towards new systems, upgrades and risk-limiting audits.

"I think the only way that the governors take ownership of this and work together with Homeland Security is if the national security elite in this country -- leaders in the intelligence community, military, foreign policy -- say what is true, which is that this is a direct existential threat to the United States from a foreign adversary," Braun said. "And if we don't improve the security of our voting systems, we're basically handing the keys to the backdoor of our democracy over to the Russians and whoever else wants to mess with us."
