The toughest thing to convey to newcomers at the DefCon Voting Village in Las Vegas this weekend? Just how far they could go with hacking the voting machines set up on site. "Break things, just try to pace yourself," said Matt Blaze, a security researcher from the University of Pennsylvania who co-organized the workshop. DefCon veterans were way ahead of him. From the moment the doors opened, they had cracked open plastic cases and tried to hot-wire devices that wouldn't boot. Within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WINVote machine.

The Voting Village organizers—including Harri Hursti, an election technology researcher from Finland, and Sandy Clark from the University of Pennsylvania—had set up about a dozen US digital voting machines for conference attendees to mess with. Some of the models were used in elections until recently and have since been decommissioned; some are still in use. Over three days, attendees probed, deconstructed and, yes, even broke the equipment in an effort to understand how it works and how it could be compromised by attackers. Their findings were impressive, but more importantly, they represented a first step toward familiarizing the security community with voting machines and creating momentum for developing necessary defenses.

"The key is collaboration," said security researcher Victor Gevers, who cofounded the internet safety and security-focused GDI Foundation and attended the DefCon Voting Village. "I went in dark without any knowledge of these devices and found multiple attack vectors using a computer. Physical security is also seriously lacking, and the firmware and the default settings are below any acceptable standard."

Release the Hackers

At the end of 2016, an exemption to the Digital Millennium Copyright Act made it legal to hack voting machines for research purposes. The research that existed already showed that in general, US voting machines are dangerously exposed and inadequately secured devices. But where more than a decade of research failed to spur action, Russian election meddling during the 2016 US presidential race finally brought attention to all sorts of exposures in the election process, including in voting machines. The idea of the Voting Village was to let the security hive mind finally begin collective work to solve the problem.

"I want to emphasize that all these machines are known to be hackable," Hursti said. "This is about education, this is about letting more people have facts and experience."

The DefCon Voting Village offered a number of voting models, including a notorious decommissioned WINVote machine from Fairfax, Virginia—a model known for having blatant security flaws such as exposed Wi-Fi vote tallying—and Diebold ExpressPoll 5000s. The former is the model that Schürmann hacked in two minutes. From there, people circulated throughout the conference, hacking and resetting machines and opening them up to evaluate the hardware. All the machines were equipped with old, often unpatched operating systems. The devices and peripherals came from eBay and government auctions. One ExpressPoll tablet had 600,000 voter registration records still on it from Tennessee.

"It turned into [an] eight-hour hacking session," says TJ Horner, a security researcher who worked with friends and new acquaintances on attacking a Diebold machine. "Previously, individual security experts were not able to get their hands on these machines and security audits were likely run on the machines used in elections by large companies, but they were definitely not as thorough or as public as the work we did at the village. It's important that individuals like us have time with these machines so that we can truly understand and tell everyone [about] the brokenness of these things."