Hackers at DefCon conference exploit vulnerabilities in voting machines

Elizabeth Weise | USA TODAY

Guests at this year's Def Con hacking convention in Las Vegas tried to hack voting machines and voter databases.

LAS VEGAS – Hackers 5, voting machines 0.

It took less than a day for attendees at the DefCon hacking conference to find and exploit vulnerabilities in five different voting machine types.

“The first ones were discovered within an hour and 30 minutes. And none of these vulnerabilities has ever been found before, they’re all new,” said Harri Hursti, co-coordinator of the event.

One group even managed to rick-roll a touch screen voting machine, getting it to run Rick Astley’s song “Never Gonna Give You Up,” from 1987.

The WinVote is now the newest music playing device in the village! #DEFCON #votingvillage pic.twitter.com/litn3YhaOX — DEFCON VotingVillage (@VotingVillageDC) July 29, 2017

The Voting Machine Hacking Village event at the 25th annual DefCon computer security conference ran from Friday to Sunday. Its goal was to educate the computer security community about potential weaknesses of the voting systems used in U.S. elections and get them involved in fixing them.

By all accounts it worked.

“This software just isn’t up to modern standards. It’s not even as strongly protected as a PC,” said Brandon Pfeifer, a security expert who works on embedded aviation systems in Kansas City. He came to the event because voting “has been such a hot topic after the presidential election,” he said.

Conference goers thronged to the room where more than 30 voting machines were laid out in various states of disassembly.

The machines themselves were mostly bought on eBay, said event co-coordinator Matt Blaze, a professor at the University of Pennsylvania and election security expert. Only one of the models has been decommissioned; the rest are still in use around the country, he said.

Ad hoc clusters of attendees hunched around each of them, murmuring quietly as they tested various inputs. Every once in a while, someone would call out for help or advice. “Anybody got a card scanner?” or “Did somebody have the manual for the Diebold?”

Several groups took machines apart; others found ports meant for election officials and plugged computers and testing devices into them to see what they could gain access to. Wireless and networked hacks were also attempted.

But much of the work didn’t involve hacking at all.

“It just took us a couple of hours on Google to find passwords that let us unlock the administrative functions on this machine,” said Pfeifer, whose group was working on a touch screen voting machine. “Now we’re working on where we can go from there.”

The groups weren’t able to change votes, noted Hursti, a partner at Nordic Innovation Labs and an expert on election security issues.

“That’s not what we’re trying to do here today. We want to look at the fundamental compromises that might be possible,” he said.

Next year, organizers hope to set up a full end-to-end simulation of a voting network so they can find and report weaknesses. For this year, efforts focused on individual machines.

As of Sunday morning, no one had succeeded in gaining access to a system wirelessly; all the successful exploits required physical access to a machine.

No one expects that an attack on the U.S. voting system would involve someone taking a screwdriver into the voting booth with them on election day, said Blaze. But the vulnerabilities discovered at the conference could lead to future exploits that don’t require actual physical access – and that might be done on not just one machine but dozens or hundreds.

This is the first time such an open and large-scale hacking of voting machines has been attempted, because until October of 2015 such efforts were illegal under the Digital Millennium Copyright Act. An exemption by the Librarian of Congress now allows good faith efforts meant to find vulnerabilities, leading conference organizers to launch the event.

The dozens of computer scientists and hackers who cycled through the room over the course of the conference aren’t a threat to election systems — the bad guys are, said Barbara Simons, president of Verified Voting, a non-partisan, non-profit organization that advocates for elections accuracy.

“Anything that’s happening in here, you can be sure that those intent on undermining the integrity of our election systems have already done, with all the time and the resources in the world. There are plenty of people with hostile motives and very considerable attack skills out there,” she said.

Concerns about election hacking spiked after U.S. intelligence groups said that Russia had attempted to interfere with the 2016 presidential election.

On June 21, Jeanette Manfra, the acting deputy undersecretary for cybersecurity and communications at the Department of Homeland Security, told the Senate Intelligence Committee that the agency had evidence that election-related systems in 21 states were targeted by cyber attackers and in some cases data was stolen. However, no votes were actually changed, she said.

The silver lining to all this has been intense public interest in election protection. A formerly back-office issue has been brought to the front, said Simons.

“These are the kinds of people we need to get involved in the effort to strengthen election safety,” she said.