Last year, in the wake of the 2016 election hacking and interference, DEF CON, one of the world’s largest hacking conventions, created The Vote Hacking Village (“Voting Village”). During its inaugural event the Voting Village successfully hacked one voting machine in 90 minutes. In less than one day the hackers discovered and exploited vulnerabilities in all five pieces of voting equipment.
In Las Vegas this past weekend, DEF CON 26, brought back the Voting Village for its second year. They expanded its breadth and scope to encompass the entire voting infrastructure. This year’s Voting Village recreated the voting process end-to-end, with a voter registration database, courtesy of the Ohio Secretary of State, equipment from every major election vendor and replicas of the Secretary of State election results websites from 13 presidential battleground states. Voting Village participants uncovered vulnerabilities in all elements of the voting process.
Voter Registration Databases and Electronic Poll Books Have Exploitable Weaknesses
According to DHS officials, in 2016 Russia targeted the voter databases of more than 20 states and breached at least two. (Russia denies these allegations.) While incursions into voter databases can’t change the vote totals, they can potentially remove people from the voter rolls, so those individuals are unable to cast their votes. Such alterations could affect the outcome of an election.
During the conference, the Voting Village trained election officials on techniques to defend voter registration databases from hackers and simulated state-of-the-art attacks.
The Voting Village also released information on vulnerabilities with some electronic poll books.
Here’s the DefCon Voting Machine Hacking Village roundup of discoveries for the day! Day 1 / Part 1 pic.twitter.com/ovQs7uX7jK
— DEFCON VotingVillage (@VotingVillageDC) August 11, 2018
Historically, poll books were hard copy print outs of the voter database used to confirm that a voter is registered to vote. Recently electronic poll books or e-poll books, started replacing the print outs, creating another avenue open to cyberattack. The Express Poll 5000 machines had easily accessible memory cards at the top of the machine that could be replaced in 5 seconds with a another card preloaded with alternative information. Thus, voters could be added or deleted to the voter rolls.
The Voting Village also discovered that these same machines contained the supervisor’s password in plain text, unencoded personal voter records and a root administrative password of “password”.
Voting Machines Have an Array of Security Issues
The voting machines used in the DEF CON Voting Village were secured from every major vendor in the election industry and all the machines apart from one, the Win Vote, are in use today.
Some highlights of the hacking of voting machines include:
- Hacking a mock election so that an un-listed candidate received the most votes
- Hacking a voting machine to play gifs and music
- Discovering 1784 files, including mp3s of Chinese pop songs, hidden among the operating system files of another voting machine
- Hacking an email ballot so that the recorded vote was different from what was selected
Rachel Tobac, CEO of SocialProof Security posted a video showing how to gain admin access to a voting machine in two minutes.
At @defcon hacking conference and just learned how easy it is to physically gain admin access on a voting machine that is used in 18 states. Requires no tools and takes under 2 minutes. I’m concerned for our upcoming elections. pic.twitter.com/Kl9erBsrtl
— Rachel Tobac (@RachelTobac) August 12, 2018
Election Results Websites Are So Vulnerable, Children Can Hack Them
The final component of the voting process hacked by DEF CON attendees was the election results websites. The Voting Village created replicas of state election results websites and held a hacking competition, with children ages 8-16 years old.
Why did the organizer choose to make this a contest for children? Jake Braun, one of the Voting Village’s co-founders told ABC News:
“These websites are so easy to hack we couldn’t give them to adult hackers—they’d be laughed off the stage. They thought hacking a voter website was interesting 20 years ago. We had to give it to kids to actually make it challenging.”
Even with kids at the helm, it only took 10 minutes for one eleven-year-old to hack an election results website. Out of the 39 children that attempted to the hack sites, 35 were successful. Kids altered vote counts and even changed the names of candidates. While none of this would affect the real vote tally, this type of hacking is easy to do and poses the threat of sowing confusion and undermining the public’s faith in the election results.
Voting Village Featured Speakers and Training
In addition to all the hacking opportunities, the Voting Village hosted several notable speakers. A panel of election officials including Alex Padilla, the Secretary of State for California, discussed what steps they are taking to secure elections. Alejandro Mayorkas, former Deputy Secretary of the Department of Homeland Security spoke about national election security. David Sanger, national security correspondent for The New York Times, spoke about threats from sabotage, misinformation and fear.
The Voting Village also offered training for election officials, giving them the unique opportunity to learn from hackers and practice defending a voter registration database.
Matt Blaze, co-founder of the Voting Village said, “It’s been incredible the response we’ve received. We’ve had over 100 election officials come through here and they expressed over and over again how much they have appreciated learning from this opportunity.”
The Voting Village’s Goal is to Promote Election Security and Integrity
By allowing participants at the Voting Village to examine equipment, identify vulnerabilities and report on the results, the Voting Village hopes to raise public awareness about election technologies and encourage vendors to improve the security of their systems.
Per a DEF CON media advisory, “The Voting Village holds a deep commitment to safeguarding democracy and making this research and training available to every election official in the country.” As they did last year, Voting Village organizers plan to make a report of all their findings publicly available.
DEF CON’s Voter Village is Not Without Critics.
The National Association of Secretaries of State (NASS) sent out a press release diminishing the validity of the Voting Village stating, “Our main concern with the approach taken by DEF CON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security”. The release also claimed that “most of the voting systems were no longer in use”. The Voting Village disputes this claim and stated on Twitter that all the voting machines, except one, the WinVote, are currently in use.
— DEFCON VotingVillage (@VotingVillageDC) August 9, 2018
— DEFCON VotingVillage (@VotingVillageDC) August 9, 2018
One of the election vendors, ES&S, also took issue with DEF CON’s approach, sending a memo to its customers that downplayed the relevance of the Voting Village.
Cybersecurity journalist and author, Kim Zetter provided a thorough response to the memo on Twitter.
In advance of the @VotingVillageDC tomorrow, ES&S sent a message to customers today with their comments about the hacking village and the security of their machines. I've pasted their memo below, with some annotation from me. pic.twitter.com/6eQUYuuGJA
— Kim Zetter (@KimZetter) August 10, 2018
Looking Forward to the 2018 Midterms
The Voting Village has exposed multiple weaknesses in our election systems, provided training to election officials and started a dialogue about the current state of election security. Now election officials, voting equipment vendors and legislators need to work together to find solutions and to bolster security in every facet of our election systems. In the case of casting ballots the preferred solution is not more technology, but less. As Voting Village co-founder Matt Blaze noted in a tweet, experts agree that paper ballots and risk limiting audits are the best way to protect our votes. States also need more resources to protect their back-end election database and websites.
Number one question at @VotingVillageDC this week: given how insecure voting systems are, what should we do? Overwhelming consensus among experts:
1 – Paper ballots (precinct-counted optical scan)
2 – Mandatory risk-limiting audits
3 – More resources to protect back-end systems
— matt blaze (@mattblaze) August 13, 2018