How easy would it be to hack into a voting machine? Based on what we heard from hackers and security experts, a little too easy!
This week, thousands of Americans went to the polls to vote in local and state elections, with thousands more set to vote next year for the 2018 Midterms. As Americans go to the polls, many of them will be welcomed by a familiar sight of the electronic voting machine. Since the passage of the Help America Vote Act in 2000, electronic voting machines have proliferated greatly in all 50 states. In most polling sites, these electronic voting machines have now become common place, replacing the old paper ballot standard. Even if polling places are continuing to use paper ballots, many of them are sent through an electronic reader, tabulating the votes.
Yet with Russia’s meddling of last year’s presidential contest, many have started to worry about the cyber-security of electronic voting machines. So we asked ourselves; how easy would it be to actually hack a voting machine in the US? From what we found out, easier than you might think.
We Weren’t the Only Ones Wondering How Hackers Could Access a Voting Machine
— Bradley Barth (@BBB1216BBB) July 28, 2017
Every summer since 1993, hackers would descend on Las Vegas, Nevada and essentially “talk shop.” DEF CON is a yearly hacking conference where attendants talk about technology and the potential hacking of various technologies ranging from Wi-Fi connected refrigerators to the latest cyber-security software. Attendees at DEF CON include all walks of life ranging from journalists to cyber-security experts to your run-of-the-mill bedroom hackers. Basically everyone is welcome except federal authorities when in 2013 Jeff Moss – DEF CON founder and organizer – asked them to stay away from the hacker conference. However in this past DEF CON, many were interested particularly in one of the newer events; the Voting Machine Village.
The Voting Machine Village worked like this; the DEF CON organizers were able to obtain a number of current US voting machines and attendants were told to experiment with various methods to hack into them. Moss told USA Today that the event was to raise awareness of the problem and to figure out what the actual status of voting machine security.
Based on conversations within the DEF CON forums, many had no idea how bad the problem of voting machine security actually was. While there were news reports and studies that questioned the cyber-security of these machines, no one really knew for sure. As one black hat hacker – who requested anonymity, so we’ll call him Julio in this piece – told us, “these [voting] machines were always looked to be easy targets, but no one knew for certain… most of that assumption came from the outdated software that many of the machines had.”
Voting Machines in the US Have Always Been Behind the Tech Curve
Even before reports surfaced that Russia had meddled with the 2016 US elections, there have always been fear with academics and intelligence agencies over the security of many electronic voting machines in the US. Most of the fears had to do with the outdated technology that most of these electronic machines were based on.
A study by the Brennan Center for Justice had found that in 2016, electronic voting machines in 43 states were utilizing technology that was over ten-years-old. While it’s a fair question to ask whether that actually matters – after all, most government agencies aren’t paragons of cutting edge technology, yet are efficient enough to work – the study does point-out that many voting machines are starting to fail due to their age. Most electronic systems are meant to have a cycle of 3-5 years, but with some voting machines being 10+ years, functionality like degrading touch-screens and failing motherboards have started to become an issue. With many of the voting machine companies going out of business, this makes it incredibly hard to service machines when they go down.
Even if you were to overlook that the general wear-and-tear of these machines as a major concern, there are still major problems regarding older technology, when it comes to cyber-security. Businesses generally do software updates every year, or whenever tech companies like Microsoft or Apple issue a critical update. The software in voting machines generally aren’t updated at a similar rate. There have been reports that many machines still run on older operating systems like Windows XP or Windows 2000; operating systems that are no longer being updated by Microsoft. This leaves many voting machines extremely vulnerable to cyber-attacks, especially if they’re connected online; which considering the majority of machines have to be able to pull-and-send data from various locations, most of them are.
This lack of technological advancement has led many to question the cyber-security of these machines, specifically when it comes their vulnerability of being hacked. Considering outside entities – like the Russian government – have been looking at ways to subvert the electoral process through a cyber-attack, we started to ask an important question:
How easy would it be to hack into a voting machine?
So Theoretically, How Easy Is It to Hack into a Voting Machine?
— Edward Snowden (@Snowden) November 7, 2016
If multiple academic papers are to be believed, it’s disturbingly easy!
Even before DEF CON had officially tried to crack the security on a group of electronic voting machines, multiple research papers had studied the potential vulnerabilities of these ballot boxes. In 2006, a group of computer scientists at Princeton University conducted a security study on Diebold AccuVote voting machines, that included an assessment on their hardware and software. They found that the Diebold voting machines could be hacked relatively easily – within one minute(!!) – with access to the machine’s memory card. If a hacker could get access to the system’s memory card, malicious code could potentially be installed to the system’s software which if designed properly would modify vote totals creating false voting results! What’s worse, the attack could potentially go undetected by booth workers and machine technicians, because of how engrained the malicious code would get at a system’s level.
For those that aren’t familiar with Diebold voting machines, they’re currently one of the largest voting machine manufacturers in the US under the name Premier Election Solutions. If the Diebold name sounds familiar, it’s because back in the mid-2000’s, reports like the one from Princeton University were breaking out over the lack of security among Diebold voting machines. The story in fact became so big that some states started dropping the Diebold machines over their lack of software security, with even California decertifying Diebold’s GEMS version 1.18.19 over their dropping of ballots during the tabulation process!
In the 2000’s, voting machine companies like Premier Election Solutions (formally Diebold Election Systems) had tried to refute the allegations of security vulnerabilities, even trying to suppress internal memos that talked about various security flaws in those very machines. Due to this push-back by voting machine companies, many of these security flaws not only still exist, but new ones have surfaced because of technological advances over the last decade.
In a 2016 study by the Institute for Critical Infrastructure Technology (ICIT) – a cyber-security think tank – they found that most modern voting machines had even more vulnerabilities due to advances in wireless technology. Making matters worse, many voting machine manufacturers and voting officials have created a false sense of security by believing their systems are both complex and secure. However, based on past studies and the results of DEF CON’s Voting Machine Village, this proved to be a false assumption.
Hackers at DEF CON Were Able to Hack into a Voting Machine in Under 35 Minutes
Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine. pic.twitter.com/1Xk3baWdxv
— Robert McMillan (@bobmcmillan) July 28, 2017
The importance of DEF CON’s Voting Machine Village can’t be undersold. Many security studies regarding voting machines up until this point have either been done in a vacuum of a university setting or have been talked about in a theoretical manner. In contrast, DEF CON’s Voting Machine Village involved actual hackers trying to break into these machines. There’s a real world aspect to DEF CON that makes their results that much more credible in terms of real world application.
— Matthijs Pontier (@Matthijs85) July 29, 2017
As the above headline suggests, it didn’t take long for the hackers at the DEF CON event to do some legitimate damage to these voting machines. At the Voting Machine Village, 30 electronic voting machines were set up to simulate a presidential contest, with hackers able to physically take apart machines. As you may guess, it didn’t take long for the vulnerabilities of these systems to peak through. Based on the results from the event, Julio said two definite conclusions can be determined: (1) that the voting machines were woefully out-of-date creating multiple paths for various vulnerabilities and (2) these machines have an embarrassingly low level of security. Many black hat hackers like Julio had always assumed voting machines to be easily hackable, but how lax their security systems actually were took everyone by surprise!
The voting machines at the event ranged from a wide array of voting machine manufacturers that included Sequoia, Winvote, and even Diebold machines. While a number of studies had proved that physically hacking voting machines made them susceptible to a number of security threats, one of the biggest surprises that came from the event was the ability to wirelessly hack a voting machine through a Wi-Fi connection!
The "security" of these WINvote machines is so bad. Running WinXP, autorun enabled and hard-coded WEP wifi password. pic.twitter.com/AlOiAPcRra
— Victor Gevers (@0xDUDE) July 28, 2017
Julio told us using a common Wi-Fi vulnerability in Windows XP or utilizing an OpenSSL bug helped many hackers get remote access to the machines fairly easily. The added concern of remote hacking creates another dimension to voting machine security that some experts hadn’t considered. After all, it’s one thing to be able to hack a machine through physical access, it’s entirely another to do it over a great distance. In the past, researchers and security experts had always acknowledged the threat of remote hacking as a theoretical possibility, but proving the ability to hack a voting machine without physically coming in contact with it is an entirely new concern.
Sadly though, history has shown that voting machine companies have little-to-no reason to change how they tabulate votes. Considering the voting machine space is only dominated by a handful of companies, their willingness to build-up security on these machines looks to be low, considering everyone is content with their current security measures. As Julio explained, “the real fear here is that when they finally decide to strengthen their security protocols on these [voting] machines, it might be too late. Because if a machine does get hacked, there’s a good chance that they won’t even know about it.”
(Photo Credit: Pixabay.com, Brennan Center for Justice)