Hackers attending DEF CON 25 earlier this year effectively breached every single piece of electronic equipment made available for study at the event's Voting Machine Hacking Village, according to a new report that underscores the vulnerabilities in U.S. electoral infrastructure. Furthermore, many of the machines were found to contain components manufactured in foreign countries, suggesting that U.S. election technology is potentially susceptible to supply chain attacks executed by hostile nations.
Co-authored by the Hacking Village's organizers, the report was officially unveiled on Tuesday at a panel discussion held at the Washington DC headquarters of the Atlantic Council. The prestigious international affairs think tank is one of several organizations that will join DEF CON in forming a new coalition tasked with shoring up voting technology. The coalition will be officially convened by the Center for Internet Security (CIS) and its members will include the National Governors Association, the National Conference of State Legislatures, the New America Foundation, the University of Chicago, the University of Maryland, the University of Texas San Antonio, and Nordic Innovation Labs.
As part of this initiative, the CIS and its partners will developed a best practices handbook for securing U.S. elections infrastructure that will complement similar efforts by the Department of Homeland Security, National Institute of Standards and Technology, and Elections Assistance Commission, according to a CIS press release.
“There's an urgent need and opportunity to bring together interested groups to collaborate in identifying best practices for election infrastructure...” said John Gilligan, chairman and interim CEO at CIS.
"This is not simply a cybersecurity issue, but one of the most pressing national security concerns eating at the bedrock of our democracy," said Frederick Kempe, Atlantic Council, president and CEO.
DEF CON 25's Voting Machine Hacking Village provided mainstream hackers with an unprecedented opportunity to legally tinker with electoral technology that is typically difficult to obtain, as well as to publicly share any vulnerabilities they discovered. Despite a lack of time, resources and familiarity with the equipment, the hackers managed to crack the various machines and analyze their internal mechanisms rather easily, the report states.
For instance, the AVS WINVote, a Direct Recording Electronic (DRE) touchscreen voting machine that Virginia decertified in 2015 due to security problems, was hacked and remotely controlled via Wi-Fi within minutes by exploiting a vulnerability dating back to 2003. "...The entire time this machine was used from 2003-2014 it could be completely controlled remotely, allowing changing votes, observing who voters voted for, and shutting down the system or otherwise incapacitating it."
Additionally, researchers found that the WINVote offered poor physical security and contained an "unchangeable, universal default password" that was easily found via a Google search.
What's worse, machines that are still actively used in U.S. elections were also demonstrated to be vulnerable. For instance, hackers studying the ES&S iVotronic found that the some of the DRE machines' Personal Electronic Ballots, which are similar to portable memory packs, did not have their security fuses blown. Therefore, the chips could be easily analyzed and interacted with, potentially allowing an attacker to manipulate vote totals. Indeed, a group of researchers was able to extract firmware from one of the chips and decompile its coding into source code.
Moreover, some machines were found to contain components that were manufactured in China and other foreign nations. Such supply chain practices could pose a danger.
"...A nation-state actor with resources, expertise and motive – like Russia – could exploit these supply chain security flaws to plant malware into the parts of every machine, and indeed could breach vast segments of U.S. election infrastructure remotely, all at once," the report reads.
Vulnerabilities were not just limited to actual voting machines either. While examining a Diebold ExpressPoll 5000 electronic poll book that was used to check in voters in Tennessee, hackers found voter file data from 2008 that was never removed from the device. The unencrypted personal information included the names, addresses, dates of birth, home addresses, and driver's license numbers of more than 654,000 voters from Shelby County.