At the DefCon Voting Village in Las Vegas last year, participants proved it was child’s play to hack voting machines: As Wired reported, within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WinVote machine.
This year, it was literally child’s play: the DefCon village this past weekend invited 50 kids between the ages of 8 and 16 to compromise replicas of states’ websites in the so-called “DEFCON Voting Machine Hacking Village.”
11-year-old Emmett Brewer is too young to vote, but it turned out that he’s not too young to learn how to change election results on a replica of Florida’s state website… in under 10 minutes, mind you, as the Voting Village announced on Friday:
Here’s the DefCon Voting Machine Hacking Village roundup of discoveries for the day! Day 1 / Part 1 pic.twitter.com/ovQs7uX7jK— DEFCON VotingVillage (@VotingVillageDC) August 11, 2018
The kids were given rudimentary instruction in performing SQL injection attacks: one of the web attacks that refuses to die.
The organizers are still analyzing the results of the project, but they said that they invited the kids to tamper with vote tallies, candidate names, and party names.
Mission accomplished: Nico Sell, the co-founder of the non-profit r00tz Asylum – an organization that teaches kids reverse engineering, soldering, cryptography, and responsible bug disclosure and which helped to organize the event – told PBS News Hour that more than 30 children managed to change state site replicas in under 30 minutes.
And here’s a vote for both gender equality and for there being serious problems with voting technologies: an 11-year-old girl tripled the number of votes on the Florida replica site within about 15 minutes. That’s pretty pathetic, Sell said:
These are very accurate replicas of all of the sites. These things should not be easy enough for an 8-year-old kid to hack within 30 minutes. It’s negligent for us as a society.
All but four of the kids managed to exploit the bugs – which included SQL injection flaws and similar common coding blunders. They changed vote tallies to number 12 billion, rewrote party names, and rechristened candidates. The new names included “Bob Da Builder” and, as a noted thumb’s-up for Matt Groening’s Futurama, “Richard Nixon’s Head.”
The National Association of Secretaries of State (NASS) responded to the news by telling DefCon to bring it on: it’s “ready to work with civic-minded members of the DEFCON community wanting to become part of a proactive team effort to secure our elections,” the association said in a statement.
But NASS isn’t convinced that the success the VotingVillage had in pummeling replica sites reflects reality. From its statement:
Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security. Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.
It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols. While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.
Sell disagrees. She told PBS News Hour that the NASS statement shows that secretaries of states aren’t taking the issue seriously. Even if the voting results that can be tampered with aren’t the “real” voting results, she said, the release of bogus results “could cause complete chaos.”
Besides, while the state websites were replicas, the vulnerabilities were not:
The vulnerabilities that these kids were exploiting were not replicas. They’re the real thing.
How do we fix this mess?
On Monday, University of Pennsylvania computer science professor and cryptographer researcher Matt Blaze said that the “overwhelming consensus” among experts is that, for one thing, we need voting systems that are backed up by a paper trail:
Number one question at @VotingVillageDC this week: given how insecure voting systems are, what should we do? Overwhelming consensus among experts:— matt blaze (@mattblaze) August 13, 2018
1 - Paper ballots (precinct-counted optical scan)
2 - Mandatory risk-limiting audits
3 - More resources to protect back-end systems
That, in fact, is what representatives from DefCon and the Atlantic Council concluded in October 2017.
Things have clearly not changed much in the past 10 months. As The Register reports, besides the kids’ success in flipping the replica state sites onto their backs, the results achieved by the adults in Voting Village included:
- Premier/Diebold’s* TSX voting machines were found to be using SSL certificates that were five years old. One participant used physical access to upload a Linux operating system to the device and turn it into a music-playing device. (Somebody did the same to a WinVote last year: In fact, they Rickrolled it.)
- Diebold’s Express Poll 5000 machines were even easier to crack, thanks to having an easily accessible memory card that can be swapped out while voting. The card contains supervisor passwords in plain text, as well as unencoded personal records for all voters, including the last four digits of their taxpayer IDs, addresses, and driver’s license numbers. When election officials aren’t looking, meddlers can insert specially programmed memory cards and thereby change voting tallies and voter registration information. What’s more, the root password was, for the love of Pete, “Password.” Stored in plain text.
More results of three days of picking apart the country’s ramshackle e-voting technologies:
Voting Village Hack roundup, Day 1 / part 2 (of 2) pic.twitter.com/vqAF4RmZ7C— DEFCON VotingVillage (@VotingVillageDC) August 11, 2018
Voting Village discovery roundup, Day 3 (final day). Expect our official report later this year! pic.twitter.com/TGpeCihm13— DEFCON VotingVillage (@VotingVillageDC) August 13, 2018
The upcoming midterm elections are right around the corner in November. Given the slow, slow progress we’ve seen with addressing vulnerabilities in voting technologies, it’s hard to imagine there won’t be election tampering.
But on the plus side, Blaze said that at least election officials were paying attention at DefCon:
It’s been incredible the response we’ve received. We’ve had over 100 election officials come through here and they expressed over and over again how much they have appreciated learning from this opportunity.
…and on the minus side, earlier this month, Republican senators blocked $250m in emergency election security funding proposed by Senator Patrick Leahy.
Hacking Village cofounder Jake Braun said that the sum needed to be 10x that amount to get the November elections “anywhere close to secure,” The Register reports.
Image courtesy of R00tz.org / YouTube.