It’s still child’s play to pick apart election systems that will be used in the 2020 US presidential election, as ethical hackers did, once again, over the course of two and a half days at the Voting Village corner of the DefCon 27 security conference in August.
The results are sobering. This is the third year they’ve been at it, and security is still abysmal.
On Thursday, Voting Village organizers went to Capitol Hill to release their findings, in an event attended by election security funding boosters Sen. Ron Wyden and Rep. Jackie Speier.
In a nutshell: in August, hackers easily compromised every single one of the more than 100 machines to which they were given access, many with what they called “trivial attacks” that required “no sophistication or special knowledge on the part of the attacker.” They didn’t get their hands on every flavor of voting system in use in the country, but every one of the machines they compromised is currently certified for use in at least one voting jurisdiction, including direct-recording electronic (DRE) voting machines, electronic poll books, Ballot Marking Devices (BMDs), optical scanners and hybrid systems.
From the Voting Village press release:
In too many cases physical ports remain unprotected, passwords remain unset or left in default configurations and security features of the underlying commercial hardware are left unused or even disabled.
Same old, same old
During the three years that Voting Village has tested voting system security, there’s been no shortage of warnings about the potential for tampering with any election systems connected to the internet or to any network. The state of election non-security is serious enough that the Defense Advanced Research Projects Agency (DARPA) is working on it: it aims to create an electronic voting system that it hopes will prevent tampering with voting machines at the polls.
In 2017, within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WinVote machine at Voting Village. In 2018, an 11-year-old changed election results on a replica of Florida’s state website… in under 10 minutes.
And in 2019, Voting Village participants once again found new ways, or replicated already known techniques, to compromise machines so as to alter vote tallies, change ballots displayed to voters, or tinker with the machines’ internal software.
They did it all with precious little, at that. They didn’t have the resources of a professional lab, and many of the participants were testing systems with which they had no familiarity, working with any tools they could find.
As has been noted by Matt Blaze, a co-founder of the election testing project and a Georgetown University cryptography professor, the meager resources of the Voting Village – a tiny room and eBay – are readily available to foreign adversaries or anyone who seeks to subvert elections:
We bought a bunch of surplus voting machines on eBay and put them in a room. I believe many of our foreign adversaries already have eBay capability, so perhaps it would be prudent to use election equipment that can withstand eBay-based threats. https://t.co/SYsVEH2etX
— matt blaze (@mattblaze) August 27, 2018
With scant resources, the participants found that in most cases, the vulnerabilities could be exploited surreptitiously, via exposed external interfaces accessible to voters, precinct poll workers or to anybody who has brief physical access to the machines. Many of the machines also have vulnerabilities that leave them persistently open to threats over the long term:
In particular, many vectors for so-called “Advanced Persistent Threat (APT)” attacks continue to be found or replicated. This means that an attack that could compromise an entire jurisdiction could be injected in any of multiple places during the lifetime of the system.
Not surprising, but disappointing
The Voting Village report notes that none of this is surprising, but the results are disappointing, given that we’ve known about many of the specific vulnerabilities for over a decade.
As the Washington Post reports, lawmakers who are pressing legislation to get more funding for election security embraced the results, promising to use them to make it personal for every sitting member of Congress. The newspaper quoted Rep. Speier:
The best way we can make the case is by scaring the living bejesus out of every member of Congress that the system can be fixed against them.
Sen. Wyden, a major backer of boosting election security funding and a lawmaker who chimes in on all things cybersecurity, said the results prove that it’s “basically a piece of cake for a relatively savvy hacker to compromise an election and alter votes.”
What would fix this?
Voting system security experts say the only real fix is paper ballots. Or, to be more precise, there’s an urgent need to ensure that there’s a paper trail for every vote. With solely digital voting machines, there’s no way to audit the results.
But as Blaze has repeatedly emphasized, paper ballots can’t fix this on their own. They have to be backed up with rigorous post-election audits:
Why? Because even the most rigorously voter-verified paper ballots don't help if the process that uses them is compromised. Risk Limiting Audits can confirm that the election outcome is correct, but only if we actually conduct them.
— matt blaze (@mattblaze) September 27, 2019
There’s a slew of bills seeking to secure elections, but they’re being blocked by Senate Majority Leader Mitch McConnell. Some of the bills would mandate the fixes recommended by Blaze and other security experts … in exchange for cash.
As the Post reports, McConnell recently endorsed delivering an additional $250 million in federal money to state election officials, but that is far less than the $600 million Democrats are looking for, and his proposal lacks mandates about how states must spend the money.
Al Stephenson
I think the key here is the hackers were given unrestricted access to these machines. How many IT professionals have their server rooms unlocked and the door open so anyone can come in? Any machine is a potential target if physical security measures are not in place. I do not know of any election system that doesn’t have strict physical safeguards in place such as locks and seals on all voting equipment.
Thu Win (@Tyw77)
Well I think they can probably streamline the process so they can hack while voting.
Or it can be abused by trusted personnel to tamper with the result for personal gain.
epic_null
Unrestricted access to one machine can easily allow for building scripts to run on another though, and one group covered earlier was able to bypass the firewall – a move which would essentially give unrestricted nonphysical access. Plus “via exposed external interfaces accessible to voters” implies that the locks and seals don’t block critical physical attack vectors.
Some One
The point is, that these machines are wide open and that MANY folks have “unrestricted access” (as described above) to these types of machines. Locks and seals do not help secure a machine once it is connected to a network, which is required to remove and aggregate votes. Ports were left open. Who knows which ones, but with 64k of them on an IP, they probably have the usual set unblocked... and therefore very easy to hack.
Kyle
I do, the voting machines in my area of south Florida. We have the scantron style machines. The best they have for security is the 90-year-old man (bet his sight isn’t what it used to be). My point isn’t to be disrespectful to the patriot who is watching the machine, but to encourage my state to back him up with some real security.
With my somewhat limited knowledge, I could have gained unrestricted access to the machine simply by bringing my 4-year-old daughter in to distract them and then lifting a tablecloth. I think we can do better.
A Concerned Citizen
Thanks for your input, Vlad. We’d still like our voting machines to be more secure though.
Mahhn
You are presuming that every person handling the machines is of impeccable integrity. Not even our senators and congressmen meet that level of trust.
Paul Ducklin
Many countries in which elections actually mean anything, and where elections can be considered free and fair, have independent electoral commissions that try pretty darn hard to follow the processes and procedures that give reliable results even if some of the people involved in supervising a ballot are crooked. All voting protocols need checks and balances against ‘persons not of impeccable integrity’. Bruce Schneier once did an analysis of the voting system used in the Holy See for electing a new head of state (i.e. the Pope) – it’s a fun-yet-serious read.
Mahhn
If they really do fix the voting machines, we’ll know because a lot of people write in Mickey Mouse, which should show in the results. But really, so long as the two private groups D & R (in the US) control the election process, it’s just a formality.
I had high hopes that Defcon looking at voting systems would help, but it’s fallen on Def-ears.
Anon
Exactly. “In a nutshell: in August, hackers easily compromised every single one of the more than 100 machines to which they were given access.” This becomes a “No duh” mention they could hack it. If you give a hacker physical access to something they’re going to break the crap out of it no matter what it is. Especially with enough time. How about give them a remote access address and nothing else and see where that gets them. Then maybe I’d see some logic to this.
rrogers31
Good question? Does anybody have a quantitative answer? Although I think that the reference to business systems is irrelevant since the dangers are inexpressibly worse. Untrusted voting systems can finish destabilizing already unsteady social systems. Which is what some actors want!
But nobody is going to like the next war though; cyber or physical!
rrogers31
I wouldn’t be surprised to see a market in voting machine hacking, on a machine by machine basis, on the “Dark Web” soon. I trust (?) that Sophos would inform us.
Paul Ducklin
Yes, we’ll tell you – assuming [a] it happens and [b] we become aware of it. Lots of corners of the Dark Web are quite different from ‘Silk Road’ style sites, which are comparatively easy – by design – for anyone who’s keen enough to find and peruse. Many closed forums go out of their way to be hard to inspect, let alone to infiltrate. You might need to show fluency in a specific language; to be introduced by an existing trusted member; and to build up cybercriminality credibility over an extended period of time. (When you read about the amount of work that goes into some of the busts we write about, and the time often needed to build a case that is solid enough to convince a prosecutor to look at… that’s not because cops are slow or ignorant but because it’s hard!)
James Donald Bishop
Colorado voting machines (at least, Jefferson County) are not connected to the internet. They print a paper ballot, which the voter can examine and, if necessary, correct. The paper ballot is what’s counted. All actions must be signed by election judges from two different parties.