Hackers breach dozens of voting machines brought to conference

LAS VEGAS — One of the nation’s largest cybersecurity conferences is inviting attendees to get hands-on experience hacking a slew of voting machines, demonstrating to researchers how easy the process can be.

“It took me only a few minutes to see how to hack it,” said security consultant Thomas Richards, glancing at a Premier Election Solutions machine currently in use in Georgia.

The DEF CON cybersecurity conference is held annually in Las Vegas. This year, for the first time, the conference is hosting a "Voting Machine Village," where attendees can try to hack a number of systems and help catch vulnerabilities.

ADVERTISEMENT

The conference acquired 30 machines for hackers to toy with. Every voting machine in the village was hacked.

Though voting machines are technologically simple, they are difficult for researchers to obtain for independent research. The machine that Richards learned how to hack used beneath-the-surface software, known as firmware, designed in 2007. But a number of well-known vulnerabilities in that firmware have developed over the past decade.

“I didn’t come in knowing what to expect, but I was surprised by what I found,” he said.

He went on to list a number of actions he hoped states would take to help secure machines, including increasing testing opportunities for outside hackers and transparency in voting machine design.

Speakers and organizers said they hoped the village would raise awareness about election machine security issues within the cybersecurity community.

And they hope that the attendees, many of whom are election experts, will pressure states to do more to protect those systems.

“There’s so much misinformation about voting machines on the internet,” said Harri Hursti, cofounder of Nordic Innovation Labs, who helped organize the event.

“The Village was announced last minute. But in the forums, people were active, looking to understand the problem. The changes have to start somewhere. This year it’s in this room, next year it will be a bigger room.”

Though many activists ask for auditable voting machines that don't leave a paper trail, Hursti said there were no commercially available machines he would recommend. 

There is also debate within the cybersecurity community over the extent of the threat from voting machines that haven't been secured.

Eric Hodge, director of consulting at CyberScout and a consultant for Kentucky’s Board of Elections, said that with proper security processes in place, the threat to large elections is minimal.

Taking care to properly “store machines, set them up, [and] always have someone keeping an eye on machines,” he said, can mitigate a wide array of security problems.

That is because voting machines are not connected to the internet and systems used to set them up should, in principle, not invite hackers in.

Voting machines are also bought and used county-to-county across the U.S., making it harder to tamper with a national election result.

“Unless it’s an election in Delaware or Rhode Island, it would be difficult to hack machines in every county,” Hodge said.

Hursti, though, worries that states might not follow best practices.

He also worries that in national elections likely to be close, hackers might target one or two key counties to swing a result.

But he also believes that the elections most at risk are not on a national scale.

“Follow the money,” he said. “On the other end of the ballot, that’s where the money is — banks and roads.”

DEF CON's Voting Machine Village is the first time most researchers there have had access to voting machines. But attendees had high hopes.

“The best possible outcome is that the village results in a book of vulnerabilities to share with the [Federal Election Commission], states and other firms like ours,” said Hodge.

“Once researchers know, there will be pressure for changes.” 

Updated 9:09 p.m.