The toughest thing to convey to newcomers at the DefCon Voting Village in Las Vegas this weekend? Just how far they could go with hacking the voting machines set up on site. “Break things, just try to pace yourself,” said Matt Blaze, a security researcher from the University of Pennsylvania who co-organized the workshop. DefCon veterans were way ahead of him. From the moment the doors opened, they had cracked open plastic cases and tried to hot-wire devices that wouldn’t boot. Within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WINVote machine.
The Voting Village organizers—including Harri Hursti, an election technology researcher from Finland, and Sandy Clark from the University of Pennsylvania—had set up about a dozen US digital voting machines for conference attendees to mess with. Some of the models were used in elections until recently and have since been decommissioned; some are still in use. Over three days, attendees probed, deconstructed and, yes, even broke the equipment in an effort to understand how it works and how it could be compromised by attackers. Their findings were impressive, but more importantly, they represented a first step toward familiarizing the security community with voting machines and creating momentum for developing necessary defenses.
“The key is collaboration,” said security researcher Victor Gevers, who cofounded the internet safety and security-focused GDI Foundation and attended the DefCon Voting Village. “I went in dark without any knowledge of these devices and found multiple attack vectors using a computer. Physical security is also seriously lacking, and the firmware and the default settings are below any acceptable standard.”
Release the Hackers
At the end of 2016, an exemption to the Digital Millennium Copyright Act made it legal to hack voting machines for research purposes. The research that existed already showed that in general, US voting machines are dangerously exposed and inadequately secured devices. But where more than a decade of research failed to spur action, Russian election meddling during the 2016 US presidential race finally brought attention to all sorts of exposures in the election process, including in voting machines. The idea of the Voting Village was to let the security hive mind finally begin collective work to solve the problem.
“I want to emphasize that all these machines are known to be hackable,” Hursti said. “This is about education, this is about letting more people have facts and experience.”
The DefCon Voting Village offered a number of voting models, including a notorious decommissioned WINVote machine from Fairfax, Virginia—a model known for having blatant security flaws such as exposed Wi-Fi vote tallying—and Diebold ExpressPoll 5000s. The former is the model that Schürmann hacked in two minutes. From there, people circulated throughout the conference, hacking and resetting machines and opening them up to evaluate the hardware. All the machines were equipped with old, often unpatched operating systems. The devices and peripherals came from eBay and government auctions. One ExpressPoll tablet had 600,000 voter registration records still on it from Tennessee.
“It turned into [an] eight-hour hacking session,” says TJ Horner, a security researcher who worked with friends and new acquaintances on attacking a Diebold machine. “Previously, individual security experts were not able to get their hands on these machines and security audits were likely run on the machines used in elections by large companies, but they were definitely not as thorough or as public as the work we did at the village. It’s important that individuals like us have time with these machines so that we can truly understand and tell everyone [about] the brokenness of these things.”
The hacks encompassed hardware and software alike. Some attendees noticed that it would be easy to pick the locks covering ports and cases on some of the devices, and others focused on getting remote software access to the devices.
Chris Gallizzi, a hardware hacker who works for a video game company, sat down with an ExpressPoll that had been left open with its internal components exposed and started inspecting the chipset.
“This is pretty surprising,” he said. “I would think that they would hire manufacturers to custom-build these chips, but they’re all standard, off the shelf. For hardcore copyists it would probably take them about three months and maybe $4,000 or $5,000 to make an imposter machine. You could easily make a prototype.”
The Voting Village will grow over the next three years. Organizers plan to create a full voting network, and the workshop already offered a network simulation for voting officials and hackers to defend and train on. Two officials from Brazil’s Superior Electoral Court, the court system that oversees Brazilian elections, attended the village to learn about US voting technology and the diversity of systems the US uses because each state oversees its own elections.
“In Brazil, the voting machines are digital, but they’re totally offline and there’s no touchscreen,” says Rodrigo Coimbra, who works on Brazilian election technology. “The software is developed by the federal government and all machines receive updates every year,” a stark contrast to the scattershot map of vulnerable US machines.
But the political climate around voting security is tense. State officials fear federal overreach in defense initiatives such as the Department of Homeland Security’s decision to classify voting systems as critical infrastructure. And Republican lawmakers have even proposed defunding the US Election Assistance Commission, the only federal agency that works solely on vote security. But this makes efforts to expand the election security knowledge base even more crucial.
DefCon hopes that the discussion and collaboration that began at the conference will spawn independent projects and further research around the country. For one weekend in Las Vegas, though, a single exchange encapsulated the urgency of turning experimentation into action.
“No one’s going to be able to do that during an election,” one attendee said to a colleague, dismissing an idea at the end of the first day.
The other replied: “Why the fuck not?”