This weekend in Vegas, at the annual hackers’ convention, Def Con, hackers were given the chance to test election infrastructure.
At the “voting village”, attendees were given the opportunity to tamper with voting machines. One hacker, with a few hours access, was able to turn a voting machine into a juke box.
Another attendee, Rachel Tobac, shared a video on Twitter showing how easy it actually is to gain access to a voting machine that is used in 18 states. In less than two minutes she had administrative access.
Turns out, as easy as it is, physically hacking machines is the least of the threats to US election infrastructure. The Special Counsel’s investigation into the Russian cyber attack and disinformation campaign in 2016 has resulted in the indictments of 25 Russian nationals. Russian military officers gained access to DNC campaign emails, stole identities, defrauded US citizens, and hacked into a state election board website, before stealing the information of 500,000 voters. Department of Homeland Security officials state that the election websites of at least 21 states were targeted in 2016. At least three congressional candidates have already been targeted in the months before the midterms.
A coordinated information warfare campaign, in which hackers access state election web sites and use stolen or falsified information on social media, would further put our electoral process to the test, CNN reports.
If state election boards were to be targeted in this way, where voter information or voting systems were hacked, and then a coordinated campaign to disseminate or weaponize that information were to follow on social media, it could lead to widespread confusion that could undermine the integrity of an election could ensue, some officials fear.
“Obviously, we look at what happened in 2016 and what we should expect in the future is a two-pronged attack,” says Noah Praetz, the director of elections for Cook County in Illinois.
Praetz says when it comes to the first part of an attack, the targeting of election infrastructure, election officials across the country are taking steps to mitigate against a breach — steps they can take because they are responsible for those systems. But he says when it comes to the second part, the use of hacked material, things get more difficult.
He points out, “what you’ve got, what was clearly a more successful line of attack [in 2016] was this disinformation campaign, and it’s interesting, and it needs to inform what we’re doing, but it’s a really tough place to operate in because we don’t have much, if any, control in there.”
At Def Con, children attendees, ages 6 – 17, were given the opportunity to penetrate mock election board web sites from swing states. The task was given to the children, because, according to Jake Braun, a former White House and public liaison for DHS and one of the event organizers, the adult hackers would find the task boring because it is “so easy”. The kids were able to not only change candidates names (to “Bob Da Builder” and “Richard Nixon’s Head”) but also were able to change vote tallies.
A Washington Post reporter recounts watching the kids at work:
I watched Yonatan Lensky, 11, sneak into a mock website for the state of Pennsylvania, change President Trump’s name to “Mark Albert” and change his vote tally to 999,999,999. Other kids his age found similar exploits, including an 11-year-old girl who changed election results on the mock Florida website within 15 minutes.
Nico Sell, founder of the R00tz Asylum, the nonprofit that hosted the young hackers, said the demonstration underscored the need for officials to address basic flaws in their networks.
“They’re not taking responsibility for being vulnerable. That’s what we can change,” Sell told me at the conference. “This should be a top priority, and this is the lowest hanging, easiest thing to fix in our elections.”
The National Association of Secretaries of State (NASS), a group representing state officials who oversee elections, has criticized the concept of the voting village and says the mock state election sites aren’t representative of the real thing.
“It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” the group said in a statement.
More generally, NASS is critical of Def Con’s overall approach. Giving hackers unfettered access to voting machines, which allows hackers at the conference to turn the machines into jukeboxes, for instance, is not based on reality.
“Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security,” NASS said.CNN
However, Braun refuted the NASS criticism, saying that voting machines can be accessed, physically or otherwise. “It’s not like they are kept in Fort Knox,” he said. Furthermore, he points out that, while voting machines are “air-gapped”, not connected to the internet, they are still vulnerable to being hacked. He pointed to Stuxnet as an example. Stuxnet is a virus that breached Iran’s nuclear systems in spite of those systems being separate from the internet.
The Iranians, Braun explained animatedly, “were developing the bomb and kept their centrifuges in locked concrete vaults buried in the desert in Iran, and, guess what? Hackers were still able to hack into that and blow up the centrifuges pretty much at will. If anybody thinks that hacking this voting equipment is of any less strategic importance to Putin than it was for the people that hacked in to the Iranian nuclear program to do that, then they don’t understand geopolitics.”CNN
Wired reports that while finding bugs and vulnerabilities is important, funding to fix those bugs is essential, calling the lack of funding the biggest election threat.
Election officials can’t act on findings about voting machine and voting infrastructure vulnerabilities, DefCon speakers noted on Friday, if they don’t have the money to replace obsolete equipment, invest in network improvements, launch post-election audit programs, and hire cybersecurity staff. Some progress has come, but not enough, and too slowly.Wired
California Secretary of State, Alex Padilla, the only Secretary of state to attend the conference, has expressed appreciation for the $340 million appropriated by Congress in July but is asking for more resources to be able to implement the needed changes.
“That’s butterfly ballot hanging chad money, not cyberthreats 2016, 2018, 2020 money,” Padilla says. In recent months, Congress has failed to pass various bills that would fund election security and infrastructure improvements ahead of the midterms. And though the bipartisan Secure Elections Act has been steadily gaining momentum in the Senate—and was introduced through a companion bill in the House on Friday—it is likely still months away from potentially becoming law.Wired