State Authorities Downplay DefCon Voting Machine Hacks

White-hat hackers have found vulnerabilities in US voting systems for a second year running at the DefCon hacking conference’s second annual Voting Village.

But government authorities criticised the event as unnecessarily highlighting supposed risks while presenting an inaccurate image of the security measures in place to protect such systems.

Vote hacking has taken on more urgency since alleged Russian interference in the 2016 US presidential election, which included the exposure of emails from the Democratic National Committee (DNC). Russia denies being behind that and other hacks.

The US is also preparing for midterm elections, putting added pressure on authorities to ensure voting system security.


Sabotage

At the conference, hackers were able to sabotage the software used in some voting machines.

They discovered physical network ports that should not have been left active, passwords stored on systems without encryption and vulnerabilities in critical software components.

One hacker uncovered more than 1,700 unnecessary files within the operating system of a voting machine, including MP3s of Chinese pop songs, according to reports.

Aside from pranks such as hacking machines to play animated GIFs and music, participants were also able to hack a mock election, giving an unlisted candidate the most votes.

An email ballot was also altered so that the vote recorded was different from what users selected.

In one case, a Diebold poll book machine, the Express Poll 5000, was found to have an easily accessible memory card. A hacker was able to remove it, replacing it with a copy pre-loaded with arbitrary poll information, in other words modifying the list of who is and isn’t permitted to vote at that location.

Election Systems & Software (ES&S) Vote Counter machines, used to count ballots from municipalities, were found to have active Ethernet ports that could be accessed by attackers to carry out a variety of exploits.

‘Pseudo-environment’

The hackers’ exploits are intended to point out specific flaws in order to pressure voting machine makers to fix them, and states to buy newer, more secure systems, DefCon’s organisers say.

But public authorities contested the value of the event’s results, emphasising that real-world voting machines are surrounded by many layers of security that are absent at DefCon.

The National Association of Secretaries of State (NASS) called the Voting Village a “pseudo-environment which in no way replicates state election systems, networks or physical security”.

“Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day,” the association said in a statement.

The group said it was concerned the mock election networks set up for testing by the event were “unrealistic”, since many states use unique networks with custom-built databases.

In a letter to customers, ES&S also downplayed the significance of the DefCon event.

DefCon participants “will absolutely access some voting systems’ internal components because they will have full and unfettered access to a unit without the advantage of trained poll workers, locks, tamper-evident seals, passwords, and other security measures that are in place in an actual voting situation,” the company said in the letter.

“Physical security measures make it extremely unlikely that an unauthorised person, or a person with malicious intent, could ever access a voting machine,” the firm wrote.

ES&S said in a separate statement that the letter was sent in response to inquiries by customers about what equipment would be tested at DefCon and what results they should expect.

DefCon said the event was a way of ensuring legitimate issues are not left unaddressed.

“At a time when there is significant concern about the integrity of our election system, the public needs now more than ever to know that election equipment has been rigorously evaluated and that vulnerabilities are not just being swept under the rug,” the conference said in a statement.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
