Ride the Lightning

Hacking Our Election Systems? A Piece of Cake

October 3, 2019

Naked Security reported on October 1^st that ethical hackers have proven again that it is easy as pie to hack U.S. election systems which will be used in next year's elections.

Hackers proved this over the course of two and a half days at the Voting Village corner of the DefCon 27 security conference in August.

Hackers easily compromised every single one of the more than 100 machines to which they were given access, many with what they called "trivial attacks" that required "no sophistication or special knowledge on the part of the attacker." They didn't get their hands on every flavor of voting system in use in the country, but every one of the machines they compromised is currently certified for use in at least one voting jurisdiction, including direct-recording electronic (DRE) voting machines, electronic poll books, Ballot Marking Devices (BMDs), optical scanners and hybrid systems.

Physical ports were unprotected, passwords were unset or left in default configurations and security features of the underlying commercial hardware were left unused or even disabled.

They hackers didn't have the resources of a professional lab, and many of the participants were testing systems with which they had no familiarity, working with any tools they could find.

As has been noted by Matt Blaze, a co-founder of the election testing project and a Georgetown University cryptography professor, the meager resources of the Voting Village – a tiny room and eBay – are readily available to foreign adversaries or anyone who seeks to subvert elections:

@mattblaze

"We bought a bunch of surplus voting machines on eBay and put them in a room. I believe many of our foreign adversaries already have eBay capability, so perhaps it would be prudent to use election equipment that can withstand eBay-based threats."

With scant resources, the participants found that in most cases, the vulnerabilities could be exploited surreptitiously, via exposed external interfaces accessible to voters, precinct poll workers or to anybody who has brief physical access to the machines. Many of the machines also have vulnerabilities that leave them persistently open to threats over the long term.

In particular, many vectors for so-called "Advanced Persistent Threat (APT)" attacks continue to be found or replicated. This means that an attack that could compromise an entire jurisdiction could be injected in any of multiple places during the lifetime of the system.

Sen. Ron Wyden, a major backer of boosting election security funding and a lawmaker who chimes in on all things cybersecurity, said the results prove that it's "basically a piece of cake for a relatively savvy hacker to compromise an election and alter votes."

What would fix this?

Voting system security experts say the only real fix is paper ballots. To be more precise, there's an urgent need to ensure that there's a paper trail for every vote. With solely digital voting machines, there's no way to audit the results. Paper ballots can't fix this on their own. They have to be backed up with rigorous post-election audits.

There are a lot of bills seeking to secure elections, but they're being blocked by Senate Majority Leader Mitch McConnell.

McConnell recently endorsed delivering an additional $250 million in federal money to state election officials, but it's a lot less than the $600 million Democrats are looking for, and his proposal lacks mandates about how states must spend the money.

I fear that some people are not invested in securing our elections.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson