Election hackers have spent years trying to bring attention to flaws in election equipment. But with the world finally watching at DEFCON, the world’s largest hacker conference, they have a new struggle: pointing out flaws without causing the public to doubt that their vote will count.
This weekend saw the 26th annual DEFCON gathering. It was the second time the convention had featured a Voting Village, where organizers set up decommissioned election equipment and watch hackers find creative and alarming ways to break in. Last year, conference attendees found new vulnerabilities for all five voting machines and a single e-poll book of registered voters over the course of the weekend, catching the attention of both senators introducing legislation and the general public. This year’s Voting Village was bigger in every way, with equipment ranging from voting machines to tabulators to smart card readers, all currently in use in the US.
In a room set aside for kid hackers, an 11-year-old girl hacked a replica of the Florida secretary of state’s website within 10 minutes — and changed the results.
Before Russian hackers targeted the 2016 US election process, hacking voting equipment was a niche issue. The Voting Village has changed that. “As far as broad social impact,” said Jeff Moss, DEFCON’s founder, “it is Voting Village” that has achieved the most notoriety in the conference’s history.
But that attention has brought pushback. The day before the conference began, ES&S, one of the largest providers of election equipment in the US, sent an email to its customers assuring them that while “attendees will absolutely access some voting systems internal components ... Physical security measures make it extremely unlikely that an unauthorized person, or a person with malicious intent, could ever access a voting machine.”
The National Association of Secretaries of State, the group that brings together each state’s top election official, issued an unusually testy statement against the Voting Village. “Our main concern with the approach taken by DEFCON is that it uses a pseudo environment which in no way replicates state election systems, networks, or physical security,” it said.
“Providing conference attendees with unlimited physical access to voting machines,” NASS said, “does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.”
The conflict brings into sharp relief the contrast between how cybersecurity research is usually conducted and the stodginess of government-approved election vendors and their customers.
“I think the statement was misguided,” said Matt Blaze, a veteran election security researcher who helped organize the Voting Village. “It’s only through scrutiny that we’re going to have confidence in elections. That said, the fact that a system has vulnerabilities in it, even incredibly serious vulnerabilities, is not the same as saying any given election has been tampered with.”
“There’s an interesting paradox,” Blaze said. “We know these systems are wildly insecure, and there’s been precious little evidence of these vulnerabilities so far being exploited in real elections. I think we’ve been very lucky, and I think there’s a little bit of a ticking time bomb here.”
Since October 2016, when intelligence agencies first put forth a statement warning that Russia was attempting to interfere in the US election, the US government has walked a tightrope between warning that Russia was trying various tactics to influence the outcome and insisting that everyone’s vote was counted accurately. While a number of Russian tactics with a range of effects have been exposed — hacking and leaking Democrats’ emails, scanning state voter registration databases, and sending phishing emails to county employees — there is, as numerous agencies have repeatedly stated, no known evidence of foreign hackers ever changing a US vote tally. One of Russia’s fundamental goals with such attacks, analysts stress, is undermining Americans’ faith in democracy itself.
“You have to balance raising awareness of vulnerabilities and pushing vendors to make more secure projects, which is a lot of what DEFCON is trying to do, with the ability for vendors to react to that,” said DHS’s top cybersecurity official, Jeanette Manfra, who spoke at the conference Friday. “And we have to explain that no, these are physically secure up until Election Day, then they’re wiped. There are all these other compensating controls that are in place.”
“If you’re saying ‘even a kid can hack into this,’ you’re not getting the full story, which can have the impact of the average voter not understanding,” Manfra told BuzzFeed News.
In the most fundamental sense, security researchers work by throwing the book at a piece of software, poking and prodding for any obscure or overt flaw in a program, usually causing developers to issue regular patches as vulnerabilities are discovered. Conferences like DEFCON provide a platform for both critical research and “stunt hacking,” flashy tricks that are often simple but designed to catch the broader public’s attention.
But that process is anathema to voting equipment manufacturers for a number of reasons. Vendors have to follow some government guidelines and undergo certain audits, but they’re largely unaccountable to the public. Patching voting equipment that isn’t connected to the internet is difficult for many counties with little technical expertise, and vendors fall back on how unlikely it is that a registered poll worker or an elected official would have the time it takes to tamper with a voting machine. The vendors also point out that even if someone had the time to work a hack, the overall US election system is decentralized enough that as unlikely as hacking one machine is, a coordinated effort to hack them in bulk is even less likely.
Copyright laws have previously made it difficult for researchers to legally acquire voting equipment to test it. With an incentive to assure customers that their product isn’t dangerous, vendors have historically lied outright about vulnerabilities they deemed unlikely to cause problems in the real world.
One hacker at this year’s village, who requested anonymity because he didn’t want to tie his research to his day job as a programmer, took a Diebold TSX voting machine — versions of which are in use in at least some areas of 20 states — and turned it into a jukebox that played music from its tinny speakers and a display for an Illuminati GIF he found online.
The trick, he found, was noticing that while the machine has tamper-resistant seals that would likely alert poll workers that somebody had tried to alter a voting file, he could access the operating system itself without any apparent effect on the machine. So he replaced what that machine was running, Windows 4.1, with Linux, where he could hook up his own laptop and display whatever he wanted.
The procedure took a few hours, he said, and it would be extremely difficult to pull off in the real world, but in theory, it could be done by someone with basic hacker skills and access to voting machines in storage.
“Obviously, it’s a long shot that people would tamper with these in a warehouse,” he said. “I chose to do this because I thought it was hilarious, but obviously there are serious implications.”
In another area of DEFCON, organizers set up a semicircle of computers preloaded with copies of secretaries of state’s websites to allow young children to try to alter the appearance of a vote result. While such an attack wouldn’t change actual votes, simply changing the appearance could cause havoc on Election Day, and reflects a tactic Russia did employ in Ukraine in 2014.
Notably, the kids were instructed to use a simple database hacking tactic called SQL injection, the same tool the US has said Russian hackers used when targeting state voter registration databases in the summer of 2016.
Within a few minutes, Audrey, 11, had figured it out, and made it appear that libertarian candidate Darrell Castle had won Florida’s presidential vote in 2016.
“Basically what you’re doing is you’re taking advantage of it being not secure,” she explained.
Once she accessed that vote database, it was quick: “It took maybe a minute or so, because I’m a fast typer,” she told BuzzFeed News. “You can [subtract] points, you can do whatever you want.”
Florida's Secretary of State stressed that changing the appearance of the vote on a website isn't the same as changing actual votes.
In a statement to BuzzFeed News, spokesperson Sarah Revell said that “the election night reporting website is only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.”
Story updated with Florida Secretary of State's comment.