LAS VEGAS – DEF CON 26, building on its work in hacking ballot machines last year, saw three days of probing into various aspects of the end-to-end voting infrastructure in place in the U.S., including a voter registration database and election reporting websites. Several vulnerabilities and exploits came to the fore – prompting push-back from a voting machine vendor and secretaries of state, just as the U.S. prepares for the midterm elections.
The Vote Hacking Village invited attendees – including kids as young as six – to study and identify vulnerabilities in election equipment used around the United States as well as other nations. NSA and former Trump White House Cyber Czar Rob Joyce joined the proceedings, noting from the DEF CON stage in a talk that “there are people who are going to attempt to find flaws in those [election] machines whether we do it here publicly or not. So, I think it’s much more important that we get out, look at those things, and pull on it.”
The Voting Village featured hands-on experience with at least nine types of voting equipment (voting machines, e-poll book system and election-related security appliances), almost all of which are in use in elections today. Participants were able to find or replicate a range of vulnerabilities, including passwords stored on the machines with no encryption to buffer overflows in critical input routines.
One hacker also made an odd discovery: 1,784 random files, including MP3s of Chinese pop songs, hidden among the operating system files of a voting machine.
On the defense side, the Voting Village featured a cyber-range for training election officials on how to defend a simulation of a state’s voter registration database from canned attacks and live hackers.
Last year, the cyber range was penetrated in 10 minutes by live hackers; in a bit of good news, this year, it deployed a security code used by foreign military to make it harder to penetrate. Hackers came very close but were unable to crack it.
“It’s been incredible the response we’ve received. We’ve had over 100 election officials come through here and they expressed over and over again how much they have appreciated learning from this opportunity,” said Matt Blaze, a co-founder of the Voting Village.
Exploits Abound
In terms of exploits, white-hats were able to show an array of disturbing hacks; these included everything from prank-level successes (i.e., hacking a voting machine to play gifs and music) to the deeply concerning (participants were able to hack a mock election to give an un-listed candidate the most votes; and an email ballot was altered so that the recorded vote was different from what was selected).
For instance, active Diebold TSX voting machines were found to be running on expired SSL certificates from 2013; and, the Diebold machine locks turned out to be easily hackable. A hacker was able to reprogram a Diebold TSX to play gifs and music after uploading a Linux operating system.
Also, Diebold poll book machines (specifically, the Express Poll 5000) were found to be vulnerable to having their easily accessible memory cards removed from the top of the machine and replaced with a commercially purchased copy pre-loaded with alternative poll information. This means that voters who attempt to vote at a polling place may find that they are no longer in the precinct’s records, or other voters could be added who could then vote in that polling place.
Disturbingly, the swap can easily be performed within five seconds by a voter using a distraction, or by a poll worker with access to all machines.
These machines also keep supervisor passwords on the cards in plain text (and the root password is “password”); they also store personal records for all voters, including the last four digits of Social Security numbers, addresses and driver’s license numbers, all without any encryption. The hackers were able to read and write the database inside using the lightweight database engine SQLite, although exploiting this vulnerability would require physical access to the poll books to make use of the information.
Meanwhile, Election Systems & Software (ES&S) Vote Counter machines, the kind used by counties to count ballots from municipalities, were found to have active ethernet ports, exposing them to several vulnerabilities.
One hacker found that if you remove the back panel on an ES&S M650, one of these ports could be used to completely control the machine; through it, he was able to get serial console access. The machine also runs a version of the QNX operating system with no password set.
In addition, a zip drive on the front of the machine would allow someone to load a corrupted version of the software, with no digital verification by the machine that the update is legitimate; the new software overrides the software on the machine. In fact, any file named “update” on an inserted zip disk is immediately executed at the highest privilege level, regardless of what kind of program it is. In other words, it is a shortcut method of running arbitrary code.
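The update path just described is the classic missing-authenticity check: the device trusts whatever removable media presents under a fixed file name. The following added example (not code from the article, DEF CON or ES&S) contrasts a loader with that behaviour against one that refuses an update unless an accompanying tag verifies. The vendor key, file names and update contents are constructed for illustration; HMAC-SHA256 stands in for the asymmetric code-signing a real device would use with an embedded public key, because it keeps the example standard-library only.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Optional

# Constructed placeholder; a real device would embed a vendor *public* key
# and verify an asymmetric signature rather than share a secret.
VENDOR_KEY = b"constructed-vendor-key-not-real"


def sign_update(payload: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Tag a vendor build pipeline would ship beside the update image."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def unverified_loader(media_dir: str) -> Optional[bytes]:
    """Behaviour described for the M650: any file named 'update' is accepted as-is."""
    path = os.path.join(media_dir, "update")
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()  # the device would then run this at full privilege


def verified_loader(media_dir: str, key: bytes = VENDOR_KEY) -> Optional[bytes]:
    """Accept the update only when a valid tag sits beside it on the media."""
    path = os.path.join(media_dir, "update")
    sig_path = path + ".sig"
    if not (os.path.isfile(path) and os.path.isfile(sig_path)):
        return None  # unsigned image: refuse silently rather than run it
    with open(path, "rb") as f:
        payload = f.read()
    with open(sig_path, "rb") as f:
        tag = f.read()
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or forged image
    return payload


def demo() -> Dict[str, object]:
    """Stage a genuine signed update, then an unsigned substitute, on mock media."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as media:
        genuine = b"firmware-v2 (constructed)"
        with open(os.path.join(media, "update"), "wb") as f:
            f.write(genuine)
        with open(os.path.join(media, "update.sig"), "wb") as f:
            f.write(sign_update(genuine))
        results["genuine_unverified"] = unverified_loader(media) == genuine
        results["genuine_verified"] = verified_loader(media) == genuine

        # Swap in a file somebody else wrote; the stale .sig no longer matches.
        forged = b"attacker-supplied (constructed)"
        with open(os.path.join(media, "update"), "wb") as f:
            f.write(forged)
        results["forged_unverified"] = unverified_loader(media) == forged
        results["forged_verified"] = verified_loader(media)  # None: rejected
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two loaders differ in one step: the verified one binds acceptance to evidence that the vendor produced the image, so a substituted file on the same media is rejected instead of run.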
In the “precocious” column, an 11-year-old was able to hack a replica state-level Secretary of State website within 10 minutes. In all, 39 kids aged 6 to 17 attempted to hack replicas of the websites of six swing states; 35 kids were able to complete an exploit. They tampered with vote tallies, party names and candidate names (including “Bob Da Builder” and “Richard Nixon’s Head”); and changed the total vote counts to numbers like 12 billion.
The kids were given an introductory walkthrough of how to perform an SQL injection, and from there they “ran with it and were able to complete the hacks,” DEF CON media contacts noted.
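The weakness the replica sites were built around is worth seeing in code, since the fix is mechanical. The added example below (not from the article or the Voting Village replicas) puts a small constructed results table in SQLite and looks up a candidate's tally two ways: by splicing the request string into the SQL text, and by binding it as a parameter. The same crafted input widens the first query to every row while the second treats it as a literal candidate name that matches nothing. Table layout and candidate names are constructed.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample rows standing in for a results page's backing table.
SAMPLE_RESULTS = [
    ("Candidate A", "Party 1", 1200),
    ("Candidate B", "Party 2", 1150),
    ("Candidate C", "Party 3", 300),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE results (candidate TEXT, party TEXT, votes INTEGER)")
    conn.executemany("INSERT INTO results VALUES (?, ?, ?)", SAMPLE_RESULTS)
    conn.commit()
    return conn


def tally_unsafe(conn: sqlite3.Connection, candidate: str) -> List[Tuple[str, int]]:
    """Vulnerable form: the request string becomes part of the SQL grammar."""
    query = f"SELECT candidate, votes FROM results WHERE candidate = '{candidate}'"
    return conn.execute(query).fetchall()


def tally_safe(conn: sqlite3.Connection, candidate: str) -> List[Tuple[str, int]]:
    """Hardened form: the request string is bound as data and cannot alter the statement."""
    return conn.execute(
        "SELECT candidate, votes FROM results WHERE candidate = ?", (candidate,)
    ).fetchall()


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Run an ordinary lookup and a crafted one through both query styles."""
    conn = build_db()
    crafted = "' OR '1'='1"  # turns the WHERE clause into an always-true test
    return {
        "unsafe_normal": tally_unsafe(conn, "Candidate A"),
        "unsafe_crafted": tally_unsafe(conn, crafted),
        "safe_normal": tally_safe(conn, "Candidate A"),
        "safe_crafted": tally_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Read-only lookups are the mildest outcome; the same concatenation in an UPDATE path is what lets a tally or party name be rewritten, which is why every statement that touches request data should use bound parameters and the application account should not hold write rights it does not need.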
Tensions Flare
Despite the successful hacks, many in the business of administering elections said that these simulations did not accurately reflect the reality of voting security.
Micah Evans, an IT worker with the Nevada secretary of state’s office, said during a session that the simulated websites that kids hacked were much more porous than the real thing.
“If you’re going to say, ‘We’re going to hack this site with kids,’ you have to put the full disclosure that this is not what our website is,” Evans said. “I’m asking for fairness, and what you’ve mocked up is not fair.”
The National Association of Secretaries of State (NASS) echoed his sentiments, noting in a media statement that the Voting Village was using a “pseudo-environment which in no way replicates state election systems, networks or physical security.”
It said, “Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.”
It should be noted that DEF CON organizers said that most of the infrastructure made available for white-hat probing is in fact in use today.
NASS added, “We are also concerned that creating ‘mock’ election office networks and voter registration databases for participants to defend and/or hack is also unrealistic. It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols.”
At least one voting vendor was not shy about pushing back, either: ES&S issued a statement of legal concern to DEF CON over its findings and over its policy of making equipment available there to “potential bad actors, foreign or otherwise.”
“Physical security measures make it extremely unlikely that an unauthorized person, or a person with malicious intent, could ever access a voting machine,” ES&S said in a letter to customers.
Hackers “will absolutely access some voting systems’ internal components because they will have full and unfettered access to a unit without the advantage of trained poll workers, locks, tamper-evident seals, passwords and other security measures that are in place in an actual voting situation,” it said.
DEF CON organizers pointed out that the benefits of pen testing and bug-hunting have been proven in many contexts, and that the case is no different here.
“Election officials and senior federal cyber-professionals have reiterated that they cannot defend against the unknown,” said Voting Village co-founder Harri Hursti. “They can only mitigate against vulnerabilities they know about.”
DEF CON, in responding to ES&S’ challenge, also issued a statement saying, “At a time when there is significant concern about the integrity of our election system, the public needs now more than ever to know that election equipment has been rigorously evaluated and that vulnerabilities are not just being swept under the rug.”