Hackers invited to break into US voting machines to find election vulnerabilities
Tens of thousands of hackers from around the world were granted access to US voting machines at the Def Con convention in Las Vegas and tested them for hours to find vulnerabilities.
On Friday, Caesars Palace in Las Vegas was packed with hackers from around the world, who studied and practiced hacking everything from Twitter accounts to self-driving cars during the annual Def Con convention.
This was the first year in the convention’s 25-year history that included an interactive area on voting machines. The “hacker voting village” gave hackers the ability to break into more than 30 popular voting machines as well as voter databases in a bid to discover vulnerabilities that could be exploited to alter the results of an election.
A first for @defcon Try new things. pic.twitter.com/XJecEzA0Z7
— Jim Nitterauer (@JNitterauer) July 28, 2017
"We encourage you to do stuff that if you did on election day they would probably arrest you," Matt Blaze, a professor at the University of Pennsylvania and one of the event’s organizers, said, according to Reuters.
Jake Braun, a former White House liaison to the Department of Homeland Security and another of the event’s organizers, told Reuters that he hopes the convention will dispel claims by many of the companies that make the machines that their products are “unhackable.”
“There’s been a lot of claims that our election system is unhackable. That's BS,” Braun said. “Only a fool or liar would try to claim that their database or machine was unhackable.”
"All of these machines are known to be hackable. This is about education." #VotingVillage @defcon
— DEFCON VotingVillage (@VotingVillageDC) July 28, 2017
Over the weekend, hackers have the opportunity to tinker with voting machines that are still used in US elections. Hackers have the freedom to test how the machines can be manipulated remotely or physically through their hardware.
Machines in the #VotingVillage include: Sequoia AVC Edge, ES&S iVotronic, Diebold TSX, Winvote, and Diebold Expresspoll 4000
— DEFCON VotingVillage (@VotingVillageDC) July 28, 2017
According to the official Twitter page of the event, one hacker was able to gain complete remote control of the operating system of a WINVote machine, including election data, in around an hour and a half.
Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine. pic.twitter.com/1Xk3baWdxv
— Robert McMillan (@bobmcmillan) July 28, 2017
90 min after doors open: Complete remote control on the operating system level of the Winvote voting terminal (including election data).
— DEFCON VotingVillage (@VotingVillageDC) July 28, 2017
The "security" of these WINvote machines is so bad. Running WinXP, autorun enabled and hard-coded WEP wifi password. pic.twitter.com/AlOiAPcRra
— Victor Gevers (@0xDUDE) July 28, 2017
...But I thought no voting machines had wireless access? Oops. #VotingVillage
— DEFCON VotingVillage (@VotingVillageDC) July 28, 2017
Hackers also posted updates that they were able to break into Diebold machines and e-polling software within an hour.
Voter database where 1=0?? #VotingVillage pic.twitter.com/ECyuWiGTUv
— DEFCON VotingVillage (@VotingVillageDC) July 28, 2017
On the e-pollbook front: internal data structure already discovered and reverse engineered within an hour. #VotingVillage
— DEFCON VotingVillage (@VotingVillageDC) July 28, 2017
At one point, the organizers set up a competition, splitting the group into a blue team that defended a mock Board of Elections network and voter registration database, and a red team that attempted to breach them.
Harri Hursti officially starting the voting machine hacking competition #defcon25 pic.twitter.com/yCLpt7DYqo
— Alfredo Ortega (@ortegaalfredo) July 28, 2017
Hackers at the event also heard from security experts and others who are working to keep election systems safe from outside influence.
"The link between the voter and elected officials cannot be broken" Amb Lute @defcon #votingvillage pic.twitter.com/M72fTwEUej
— DEFCON VotingVillage (@VotingVillageDC) July 28, 2017
Fmr. US-NATO Amb. Doug Lute: "Thanks @defcon @thedarktangent & hacker community for raising critical nat sec issue w/the @VotingVillageDC
— DEFCON VotingVillage (@VotingVillageDC) July 28, 2017
David Jefferson, talking about the complexity of election information systems @VotingVillageDC pic.twitter.com/ZXygBegCGd
— Joseph Lorenzo Hall (@JoeBeOne) July 28, 2017
Blaze said that he hopes the event will also raise awareness about the vulnerabilities of voting machines, and the need for more security.
This year's voting machine village seems like the most important and consequential thing Defcon has ever done.
— Ryan Lackey (@octal) July 28, 2017
“You never know what that kind of a spark will ignite. My hope is that we’ll see a broadening of the community of people interested in improving the security of our election system,” Blaze said, according to USA Today.