There has been a lot of rumor and speculation about the 2016 U.S. presidential election and the possibility that the results were manipulated or hacked in some way. While investigations continue and there is no hard evidence I am aware of that any successful hack of a voting machine played a role in the 2016 election, a report from DefCon illustrates that hacking voting machines is, in fact, a very real possibility.
“DEFCON 25 Voting Machine Hacking Village: Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases, and Infrastructure” is the culmination of activities and research conducted during DefCon 25 in Las Vegas this past summer. Information security experts, developers and researchers had the opportunity to try to hack or compromise the various voting machines and election systems used in counties across the country. Over the course of the weekend, every single voting machine in the Voting Machine Hacking Village was compromised. All of them.
How is that possible? How have we managed to allow the integrity of our votes to be tampered with by placing our faith in technologies that are inherently insecure?
Tom Conklin, head of security and compliance at Vera, suggests that the findings are somewhat expected. “The report is frightening, but not all that surprising when we have seen that even ATMs are hacked on a regular basis. If huge banks can’t secure ATMs, how do we expect much smaller electronic voting machine companies to secure their machines?”
It is worth noting that the attacks on these voting machines required physical access to the machine. In other words, they aren’t the sort of attacks you can execute remotely from Russia. Conklin stresses, however, “It’s incredibly difficult to secure hardware that an attacker has physical access to. As the report mentions, you can’t just focus on physical or application security but need to look at external risks like supplier risk.”
Cylance has been highlighting the risks of insecure voting machines since before the 2016 election. In one instance, its researchers were able to demonstrate a compromise of a Sequoia AVC Edge Mk1 voting machine. Cylance was able to reflash the firmware of the PCMCIA card and directly manipulate the voting tallies stored in memory on the machine. Researchers could also cause a vote for one candidate to be credited to a different candidate by altering elements of the display.
“This report validates what Cylance showed last year,” explains Malcolm Harkins, chief security and trust officer for Cylance. “Yes, it is quite possible to hack a voting machine.”
Harkins adds, “However, the real issue is less about where a component or piece of hardware is created and more about how it’s validated. Location of creation does not equal trust. We need to focus on whether manufacturers have an adequate security development life cycle to validate that they are minimizing or eliminating the potential for vulnerabilities in the hardware and software components.”
Douglas Lute, a retired lieutenant general who served in the U.S. Army and former ambassador to the United Nations, wrote a foreword for the DefCon report. In it, he states:
This report makes one key point: our voting systems are not secure. Why is this so serious? Why must we act now? Why is this a national security issue? First, Russia has demonstrated successfully that they can use cyber tools against the US election process. This is not an academic theory; it is not hypothetical; it is real. This is a proven, credible threat. Russia is not going away. They will learn lessons from 2016 and try again. Also, others are watching. If Russia can attack our election, so can others: Iran, North Korea, ISIS, or even criminal or extremist groups. Time is short: our 2018 and 2020 elections are just around the corner and they are lucrative targets for any cyber opponent. We need a sense of urgency now. Finally, this is a national security issue because other democracies – our key allies and partners – are also vulnerable.
“We live in a time when cyberattacks are a powerful way for other nations to infiltrate and weaken our country,” says Sameer Bhalotra, co-founder and CEO of StackRox, who served as senior cybersecurity director under the Obama administration. “The DefCon Voting Machine Hacking Village and corresponding report illustrate how the security community can play a vital role by documenting the problems with election equipment and the possible resulting attacks. It is a good time for our security community to collaborate to fix these issues before the next election.”