Report: US Voting Machines Still Prone to HackingDEF CON Voting Village Study Highlights Security Loopholes in Voting Machines
U.S. voting machines remain susceptible to tampering, hacking and other security vulnerabilities despite warnings from ethical hackers and security researchers in the lead-up to the 2020 U.S. Presidential election, according to a recent report by the DEF CON Voting Village.
The third-annual report is based on access that ethical hackers and cybersecurity researchers were given to 100 different certified voting machines during the DEF CON conference in Las Vegas in August. The conclusions were released at event on Capital Hill on Sept. 26.
Each piece of voting equipment examined during this exercise is used in at least one voting jurisdiction within the U.S., according to the report. As the 2020 U.S. Presidential election looms closer, the DEF CON report attempts to highlight some of the significant security flaws found in these machines as well what can be done to bring more awareness to the vulnerabilities inherit in these machines.
"Since the U.S. presidential election in 2016, there has been a heightened interest in election hacking," the report notes. "The Voting Village has served as an open forum to identify vulnerabilities within the U.S. election infrastructure and to consider solutions to mitigate these vulnerabilities."
The DEF CON report comes at a time when some federal officials and lawmakers are trying to raise more concern about the voting systems within the U.S. In July, the U.S. Senate Intelligence Committee released a report that found Russian-backed hackers attempted to targeted election systems and infrastructure in all 50 states in the run-up to the 2016 Presidential election (see: Russia Targeted All 50 States During 2016 Election: Report).
The event, which took place between Aug. 8 and 9, including attempts to hack several different types of voting machines, including direct-recording electronic voting machines, which enable the voters to cast their vote with a touch; electronic poll books; ballot-marking devices used for selecting the candidates from a screen; as well as other key machines used during various stages in the election process, according to the report.
In most cases, the researchers were able to hack into these machines with ease, using either new or previously known methods to alter data stored within the vote tallies, change the candidate options on the ballot display and gain access to the internal software controls, the report notes.
The study also finds that many voting machines continue to have vulnerabilities that were first reported decades ago. In addition, many of these vulnerabilities are the types that advanced persistent threat groups with ties to nation-states could actively exploit and gain persistence within these machines, the report notes.
"It is well known that current voting systems, like any hardware and software running on conventional general-purpose platforms, can be compromised in the notice," the DEF CON report states. "However, it is notable and especially disappointing that many of the specific vulnerabilities reported over a decade earlier are still present in these systems today."
Need for Paper-Based Ballots
During the event, the DEF CON organizers tested a combination of electronic, paper-based and hybrid versions of several certified-voting machines. The report finds, however, that older, paper-based devices proved to more secure from malicious hacks as well as other security vulnerabilities.
In the case of electronic and hybrid devices, the report notes the primary security challenge stemmed from software and hardware configurations, including poor password settings, and exposed ports and USB slots making the system prone to targeted attacks. Further, the researchers found that continued reliance on standard, off-the-shelf voting devices that are PC compatible remain vulnerable to malicious actors.
For instance, in the case of Toshiba's ES&S Electronic Pollbook System, which was one among the testing device used at the event, researchers point out that that the device features such as a built-in printer and a smart card reader that makes the equipment for susceptible to attacks.
"The ports outside the mount are accessible to voters and poll workers without any physical locks or mechanicals support for tamper-evident steal," the report notes about the Toshiba machine. "This machine can also be booted from a version of Linux, allowing the attacker to access data on the device without encountering any Windows OS-based defenses."
In addition, the presence of weak security protocols from third-party machine vendors and lack of security preparedness among poll staffers proved to be another challenge to securing the voting process, the report finds.
An example is the ES&S Automark, a ballot-marking device used in special elections in 2018. The researchers note that embedded Windows operating system used in this machine was last updated in 2007, making it susceptible to crashing as well as tampering by someone from the outside, the report notes.
"Because the opera ting system is not hardened, an attacker can, before the machine boots up, drop malware on to the device after holding the 'screen' button for five seconds," the researchers write.
"The reason for the machine crashing would not be obvious to nontechnical people, such as the volunteers helping to run the polls, thereby creating an effective denial of service attack which would be hard to remotely diagnose," the report adds.
Incidents such as these make switching to paper ballets or creating a paper trail essential to mitigating threats.
"This is an increasingly urgent matter, especially as foreign state actors (which may be highly motivated to disrupt our elections and which enjoy especially rich resources) are recognized as part of the threat to U.S. election integrity," the report notes.