U.S. Election Voting Machines: Def Con Hacker Findings

Voting machines used by dozens of states can be easily and repeatedly hacked, potentially corrupting millions of votes in the 2020 election, a recent report said.

Many of the voting systems' vulnerabilities date to machines still in play from a decade ago. You’d think the open doors would have been closed by now, but government turnstiles move slowly. Three months ago, the House of Representatives passed the Securing America’s Federal Elections Act (SAFE), mandating the use of individual, durable, voter-verified paper ballots and post-election audits. The proposed legislation, one of two House-introduced bills to resist security problems that plagued the 2016 Presidential election, is unlikely to receive an up-or-down vote on the Senate floor.

But outside pressure on lawmakers may be mounting. Now a group of white-hat security experts participating in the Def Con Voting Village event, operating on orders to expose voting system weaknesses that could be exploited by those trying to muddy U.S. elections, has shown that machines used in more than half of U.S. states in 2018 are readily vulnerable to hacking. (Note: Delaware, Georgia, Louisiana, New Jersey and South Carolina had no auditable paper trails in the 2018 midterm elections.)

The macro findings...

Commercially available voting system hardware used in the U.S. remains vulnerable to attack.

The Voting Village hackers found new ways to “replicate previously published methods, of compromising every one of the devices in the room” that could change vote tallies, ballots or manipulate the machines’ software, the authors wrote. This was despite the participants having no prior knowledge of the voting systems and only the hacking tools at their immediate disposal.

“It is well known that current voting systems, like any hardware and software running on conventional, general purpose platforms, can be compromised in practice,” the report said. There is an urgent need for paper ballots and risk-limiting audits. Right now and for the foreseeable future, there are no computerized voting devices that effectively resist known, practical forms of malicious tampering, the authors said. However, “certain classes of voting equipment can still be used to conduct high-integrity elections, in spite of their vulnerabilities, by conducting statistically rigorous post-election audits.”

New ballot marking device products are vulnerable.

A ballot marking device (BMD) records votes on physical ballots. In general, ballot marking devices only allow the voter to record votes on ballots that are then stored and tabulated elsewhere. The Voting Village hackers did not give a thumbs up to ballot marking machines. “The security implications of ballot marking devices should be further studied,” researchers said in the report. “Current and proposed next-generation ballot marking devices have not been designed with security considerations in mind,” they said.

Infrastructure and supply chain issues continue to pose significant security risks.

Because local election offices are often under-staffed and under-funded, many rely on third-party contractors to configure and maintain their election systems. “With rapid deployment of new IT technology into the election infrastructure, election offices are especially exposed to remote attack, including by hostile state actors,” the report said.

What now?

The researchers concluded that the test results “demonstrated vulnerabilities inherent in the election environment” and revealed the “enormity of the task” to secure the country’s election systems. The report offers three recommendations:

  • Nationwide deployment of mandatory post-election risk-limiting audits.
  • Nationwide deployment of voter-marked paper ballot systems.
  • Dramatically increased funding and other resources to help local election officials protect their IT infrastructure from foreign state actors and other threats.

D. Howard Kass