It took security researchers only minutes to gain access to more than a dozen voting machines at last month's DEF CON security conference. The nearly two dozen machines, all purchased from eBay and government auctions, are considered representative of the wide variety of electronic voting systems in use today. One even contained real voter records from a previous election, exposing another issue: how old data is (or is not) deleted before a machine leaves service.
The machines were part of a new DEF CON Voting Village in the conference area of Caesars Palace. Other DEF CON villages this year included one each for social engineering, lock picking, IoT, and SCADA systems. The idea was that attendees could walk up and hack the real-world systems that ordinarily would be cost-prohibitive for most researchers.
Matt Blaze, a security researcher from the University of Pennsylvania, co-organized the voting workshop along with Jake Braun. The two convinced Jeff Moss, founder of DEF CON, to include voting machines in this year's villages after an exemption to the Digital Millennium Copyright Act (DMCA) that took effect at the end of 2016 made it legal to hack voting machines for research purposes. A similar DMCA exemption applies to automotive hacking.
In January 2017, shortly after the 2016 presidential election, then DHS Secretary Jeh Johnson designated election infrastructure, voting machines included, as critical infrastructure. What that means is that federal dollars can be used to protect these systems. In June 2017, current DHS Secretary John Kelly reaffirmed this status. The results from DEF CON should give DHS and other government entities just cause to upgrade, if not replace, current systems.
Almost all the devices on display in the Voting Village used outdated software. This includes unpatched versions of software components, such as OpenSSL, within the applications themselves. Some also used Windows XP and CE, two operating systems no longer supported by Microsoft.
One machine, the WinVote, running on Windows XP, had the autorun feature enabled, allowing anyone with physical access to insert a USB drive and execute malware. The device also had a hard-coded Wi-Fi password, in addition to using the long-discredited WEP protocol.
The WinVote machine fell early. It took researcher Carsten Schurmann only 1 hour, 40 minutes, to gain access because (at least in the village) the machine was not securely configured; it was in its default state. Relying on configuration rather than secure defaults also assumes that the election officials operating the machine on-site know how to configure it securely, which may not always be the case.
For DEF CON, the voting machines were all bought on eBay or from government auctions. Medical devices purchased on eBay have been found to contain sensitive information. So, it’s not surprising that the same was true with voting systems.
The ExpressPoll-5000 electronic poll book, made by Election Systems & Software (ES&S), is used to check in voters on Election Day. One such device at DEF CON still contained the personal records of 654,517 people who voted in Shelby County, Tennessee, according to Gizmodo. The exposed data included name, address, and birthday, along with political party, in-person or absentee status, and whether the voter was asked to provide identification at the polling station. Barbara Simons, who sits on the board of Verified Voting, told Gizmodo that there is no formal auditing process to determine whether machines are properly wiped. Thus, there's no way to estimate how many machines have been sold that inadvertently contain voter records.
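Simons' point that nobody audits whether a surplus machine was actually wiped suggests the check a practitioner would want before hardware leaves custody: image the storage and scan the raw bytes for residual voter records, in both plain ASCII and the UTF-16LE that Windows-based devices commonly use for strings. The following Python is an added example, not code from the article or from ES&S; the record layout, the date-of-birth pattern used as the detection signal, and the sample image are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Detection signal: a date of birth in ISO or US form. A real audit would add
# patterns tuned to the vendor's record layout; this one is an assumption.
DOB_RE = re.compile(rb"\b(19|20)\d{2}[-/](0[1-9]|1[0-2])[-/](0[1-9]|[12]\d|3[01])\b")


@dataclass
class Finding:
    offset: int      # byte offset of the match in the original image
    encoding: str    # "ascii" or "utf-16le"
    snippet: bytes   # surrounding text from the decoded view, for the report


def _is_wide(image: bytes, start: int, length: int) -> bool:
    # A genuine UTF-16LE string carries a NUL high byte after every low byte;
    # require that so a stride-2 view of ASCII data cannot produce a false hit.
    for k in range(length):
        idx = start + 1 + 2 * k
        if idx >= len(image) or image[idx] != 0:
            return False
    return True


def scan_for_residual_records(image: bytes) -> list:
    """Return every date-of-birth-shaped string found in the image, ASCII or UTF-16LE."""
    findings = []
    # (label, byte view to search, stride back to image offsets, base offset)
    views = (
        ("ascii", image, 1, 0),
        ("utf-16le", image[::2], 2, 0),   # low bytes of wide strings at even offsets
        ("utf-16le", image[1::2], 2, 1),  # low bytes of wide strings at odd offsets
    )
    for encoding, view, stride, base in views:
        for m in DOB_RE.finditer(view):
            offset = base + m.start() * stride
            if stride == 2 and not _is_wide(image, offset, m.end() - m.start()):
                continue
            snippet = view[max(0, m.start() - 32): m.end() + 32]
            findings.append(Finding(offset, encoding, snippet))
    return findings


def nonzero_fraction(image: bytes) -> float:
    """Share of non-zero bytes; a zero-filled drive should read ~0.0, a quick-formatted one will not."""
    if not image:
        return 0.0
    return sum(1 for b in image if b) / len(image)


def verify_wiped(image: bytes) -> bool:
    """Pass only if no residual record pattern survives anywhere in the image."""
    return not scan_for_residual_records(image)


def build_sample_image() -> bytes:
    # Constructed sample standing in for a quick-formatted poll book volume:
    # leftover binary filler with one ASCII record and one UTF-16LE record.
    filler = bytes(range(256)) * 4
    record_ascii = b"DOE,JANE,1234 MAIN ST,1975-03-02,DEM,INPERSON,ID_ASKED=Y"
    record_wide = "ROE,RICHARD,77 OAK AVE,1988-11-30,REP,ABSENTEE,ID_ASKED=N".encode("utf-16-le")
    return filler + record_ascii + filler + record_wide + filler


if __name__ == "__main__":
    img = build_sample_image()
    for f in scan_for_residual_records(img):
        print(f"offset {f.offset:#x} ({f.encoding}): {f.snippet!r}")
    print("wiped:", verify_wiped(img), "non-zero fraction:", round(nonzero_fraction(img), 3))
    print("after zero-fill, wiped:", verify_wiped(bytes(len(img))))
```

The scan runs over the raw image rather than the file system on purpose: a quick format or a deleted database leaves the records on disk, so a post-wipe check that only lists files proves nothing. A drive that passes both the pattern scan and a near-zero non-zero fraction is a much stronger claim than "the officials said they deleted it".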
Almost all the devices exhibited vulnerabilities that require physical access. Many had exposed USB and other ports, so a bad actor with a moment alone at the machine could insert a USB drive carrying malicious code. But could these devices be targeted remotely as well?
A few, like the WinVote machine, had wireless access. Schurmann compromised the WinVote over its Wi-Fi link through MS03-026, a 2003 remote code execution flaw in the Windows RPC/DCOM interface that was never patched on the machine, and then controlled it over RDP from his laptop. A few systems also shipped OpenSSL versions with known vulnerabilities that could allow eavesdropping on their network traffic.
Security experts such as J. Alex Halderman of the University of Michigan have stated for years that there needs to be a paper trail. Halderman, who studied the voting machines used in Ohio and Florida in the years following the 2000 presidential election, concluded that there might have been vote tampering in that election. Since the systems he examined all lacked proper auditing controls, it was hard to prove either way.
In 2007, California Secretary of State Debra Bowen decertified the state's electronic voting systems pending a top-to-bottom security review. Halderman and other experts made several recommendations that have since been adopted. San Francisco, for example, now uses an optical scan system: voters mark a special paper ballot that is read by an optical scanner, and the paper ballots remain available in the event of a recount or audit.
With so many vulnerabilities waiting to be exposed, eager participants in the Voting Village were asked to pace themselves. “It turned into [an] eight-hour hacking session,” TJ Horner told Wired. He attacked a Diebold voting machine, stating, “Previously, individual security experts were not able to get their hands on these machines and security audits were likely run on the machines used in elections by large companies, but they were definitely not as thorough or as public as the work we did at the village. It’s important that individuals like us have time with these machines so that we can truly understand and tell everyone [about] the brokenness of these things.”
Given that voting machines are called on only a few times a year, there is no good reason why their software and hardware cannot be kept current. Unlike hospital equipment or SCADA equipment, where an upgrade can pull a life-critical device off-line for an extended period, updating a voting machine between elections should be a no-brainer. Further, unlike healthcare and SCADA, there are no regulations setting best practices for securing voting devices or for disposing of their contents once they are retired. Regulating voting machines along those lines could go a long way toward easing concerns about election tampering through electronic devices.