Researchers Assembled over 100 Voting Machines. Hackers Broke Into Every Single One.
A cybersecurity exercise highlights both new and unaddressed vulnerabilities riddling US election systems.
Al Vicens September 27, 2019
A report issued Thursday by some of the country’s leading election security experts found that voting machines used in dozens of states remain vulnerable to hacks and manipulations, warning that without continued efforts to increase funding, upgrade technology, and adopt voter-marked paper ballot systems, “we fear that the 2020 presidential elections will realize the worst fears only hinted at during the 2016 elections: insecure, attacked, and ultimately distrusted.”
The 47-page report is the product of researchers who organized a shakedown of voting machines at the annual DefCon conference, one of the world’s biggest information security gatherings, frequented by hackers, government officials, and industry workers. First incorporated into DefCon in 2017 with the aim of improving voting machine security, this year’s version of the now-annual “Voting Machine Hacking Village” assembled over 100 machines and let hackers loose to find and exploit their vulnerabilities. While election officials have criticized the effort’s utility as a testing ground, deriding it as a “pseudo environment,” some have seen value in letting machines’ flaws become more widely known and potentially lead to security improvements.
“Once again, Voting Village participants were able to find new ways, or replicate previously published methods, of compromising every one of the devices in the room,” the authors wrote, pointing out that every piece of assembled equipment is certified for use in at least one US jurisdiction. The report’s authors, some of whom have been involved with election machine security research going back more than a decade, noted that in most cases the participants tested voting equipment “they had no prior knowledge of or experience” in a “challenging setting” with less time and resources than attackers would be assumed to marshal.
The report urges election officials to use machines relying on voter-marked paper ballots and pair those with “statistically rigorous post-election audits” to verify that the outcome of elections reflects the will of voters. The authors also warn that supply chain issues “continue to pose significant security risks,” including cases where machines include hardware components of foreign origin, or where election administrators deploy foreign-based software, cloud, or other remote services. The report lands as officials in several states are working to upgrade election equipment, and as lawmakers in Washington, D.C., debate federal election security legislation and funding.
Ultimately, the report notes flaws that have been acknowledged for years.
“As disturbing as this outcome is, we note that it is at this point an unsurprising result,” the authors conclude. “However, it is notable—and especially disappointing—that many of the specific vulnerabilities reported over a decade earlier…are still present in these systems today.”