US voting systems: Full of holes, loaded with pop music, and 'hacked' by an 11-year-old
Pen and paper is still king in America election security
DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren't great.
For instance, one 11-year-old apparently managed to hack and alter a simulated, albeit deliberately hobbled, Secretary of State election results webpage in 10 minutes.
The Vote Hacking Village, one of the most packed-out locations at this year’s DEF CON hacking conference in Las Vegas, saw many of the most commonly used US voting machines hijacked using a variety of wireless and wired attacks – and replica election websites so poorly constructed they were thought too boring for adults to probe, and left to youngsters to infiltrate.
The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups.
All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child's play to commandeer a website that doesn't follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites.
(Various folks, including ex-NSA and Immunity Inc founder Dave Aitel, have argued the simulation was likely not particularly realistic.)
DEF CON plans to show US election hacking is so easy kids can do itREAD MORE
The children were able to change vote tallies so that they numbered 12 billion, and rewrite party names as well as the names of candidates. Kids being kids, these latter changes included "Bob Da Builder" or "Richard Nixon's Head" – we spotted the Futurama fan there.
On the adult side, Premier/Diebold’s* TSX voting machines were found to be using SSL certificates that were five years old, and one person managed to, with physical access, upload a Linux operating system to the device and use it to play music, although that hack took a little more time than you’d get while voting.
Diebold’s Express Poll 5000 machines were even easier to crack, thanks to having an easily accessible memory card, which you could swap out while voting, containing supervisor passwords in plain text. An attacker could physically access and tamper with these cards, which also hold the unencoded personal records for all voters including the last four digits of their social security numbers, addresses, and driver's license numbers.
Hackers thus found that by inserting specially programmed memory cards when no election official is looking, they could change voting tallies and voter registration information. And take a guess what the root password was? Yes, “Password” – again stored in plain text.
At @defcon hacking conference and just learned how easy it is to physically gain admin access on a voting machine that is used in 18 states. Requires no tools and takes under 2 minutes. I’m concerned for our upcoming elections. pic.twitter.com/Kl9erBsrtl— Rachel Tobac (@RachelTobac) August 12, 2018
More bizarrely, voting machine manufacturer WinVote’s VoteActive device was found to contain pop music. The machine, which was running Windows XP, could be hacked wirelessly in seconds, and had a music player and CD ripper program built in. It is believed this music stuff was left lying around in unused and unallocated space on the disk.
The village also hosted a mock election between George Washington and Benedict Arnold, which was predictably hacked. Of the ballots cast, America’s first POTUS scored 26 votes, as did infamous traitor Arnold, but the winner was an unplanned candidate: DEF CON’s founder Dark Tangent, aka Jeff Moss, with 61 votes.
The machine's software had been tampered with to insert Moss into the running, and make him win with faked votes. This could be done by infecting an election official's PC so that when the ballot box is set up and programmed from that computer, the voting software is silently altered to later change vote totals and candidates.
It’s the second year DEF CON has hosted the village, and once again voting machines didn’t make the grade. In short: there just isn't enough builtin security to stop people physically meddling with machines at the booths, or before and after polling day. There is little or no verification of the authenticity and legitimacy of the code running on the boxes. Anti-tamper seals on the cases have been shown to be ineffective, too.
It is seemingly impossible to know whether or not you are casting your ballot on a machine that is clean, or has been interfered. It may well not even be obvious to election officials.
And the final numbers on government websites may not be accurate, either. An error regarding the number of registered voters, thus suggesting more people voted than were allowed, on the US state of Georgia's website sparked confusion this month.
Just stole an election at @VotingVillageDC. The machine was an AccuVote TSX used in 18 states, some with the same software version. Attackers don't need physical access--we showed how malicious code can spreads from the election office when officials program the ballot design. pic.twitter.com/wa97HWqlv5— J. Alex Halderman (@jhalderm) August 11, 2018
You can find summaries of the three-day hack-fest here:
With the November elections due, it looks as though, once more, American voters will just have to hope no one is hacking their vote. But some in government have taken an interest.
“It’s been incredible the response we’ve received,” said village cofounder and University of Pennsylvania professor Matt Blaze. “We’ve had over 100 election officials come through here and they expressed over and over again how much they have appreciated learning from this opportunity.”
Fresh from his keynote, former NSA top hacker and White House cyber czar Rob Joyce popped in to chat as well. He praised the work done by those involved, which had been criticised indignantly by some manufacturers before and during the show.
Microsoft: The Kremlin's hackers are already sniffing, probing around America's 2018 electionsREAD MORE
“Believe me, there are people who are going to attempt to find flaws in those [election] machines whether we do it here publicly or not,” he said “So, I think it's much more important that we get out, look at those things, and pull on it.”
Incidentally, on Wednesday, US Republican senators shot down $250m in emergency election security funding proposed by Senator Patrick Leahy (D-VT) – a figure that Hacking Village cofounder Jake Braun told The Register was too small by a factor of 10 if the November elections were to be anywhere close to secure. Cost concerns were cited by the ruling party as a key factor in that decision.
A few days later the President of the Senate, Mike Pence, announced plans for a new super-duper Space Force for orbital warfighting, something the Air Force Space Command already has a firm grip on. The up-in-the-air scheme has an estimated cost of $8bn. ®
* Diebold Nixdorf sold off the US Elections systems Premier division of its business several years ago.
Sponsored: Becoming a Pragmatic Security Leader