Voting Machines: Still Stupidly Insecure, say Defcon Hackers

Back in August, at DEF CON 27, researchers staged their third-annual hackathon of voting machines. And now, they’ve released the results.

The report makes uncomfortable reading. If you were hoping previous research has made things better, you’re going to be extraordinarily disappointed.


We’re doomed. Doomed, I tell ya. In today’s SB Blogwatch, we remember democracy.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ink.

Vote Early; Vote Often

What’s the craic? Maggie Miller reports—“report details persistent vulnerabilities”:

 U.S. voting systems remain vulnerable to cyberattacks three years after documented efforts to penetrate election machines [to summarize] the findings of the white-hat hacker DEF CON Voting Village. … This year’s event allowed hackers to test voting equipment … certified for use in … U.S. voting jurisdiction[s].

The authors wrote that … many of the election equipment cyber vulnerabilities found were “reported almost a decade earlier.” … Equipment that was tested included those made by leading voting machines companies Election Systems and Software (ES&S) and Dominion Systems.

A spokesperson for ES&S [said] the company “works with federal officials and state and local jurisdictions to ensure risks are minimized and elections continue to be secure.” … A spokesperson for Dominion [said,] “We will review and verify any identified critical security issues and take appropriate steps.”

Sen. Ron Wyden (D-Ore.) … who has been one of the key leaders in pushing for action on election security, cautioned that the time to take action to secure the 2020 elections may have already passed. … “The next few weeks are going to decide if we are actually prepared for 2020.”

And Lily Hay Newman adds, “The results of the 2019 Defcon Voting Village are in—and they paint an ugly picture”:

 In three short years, the Defcon Voting Village has gone from a radical hacking project to a stalwart that surfaces voting machine security issues. [The] findings from this year’s event [include] urgent vulnerabilities from a decade ago that still plague voting machines currently in use … underscoring how slow progress on replacing or repairing vulnerable machines remains.

That includes the ES&S AutoMARK, used in 28 states in 2018, and Premier/Diebold AccuVote-OS, used in 26 states that same year. … The types of vulnerabilities participants found included poor physical security protections that could allow undetected tampering, easily guessable hardcoded system credentials, potential for operating system manipulations, and remote attacks.

The urgent need to fill the election security information gap, and give officials the resources and intelligence they need to conduct accurate, independent elections, has been clear for years. It’s finally starting to gain some mainstream recognition, in large part thanks to the research community and initiatives like the Defcon Voting Village.

O RLY? Cory Doctorow summarizes the “ongoing dismal state of US electronic voting machines”:

 For three years now, cryptographer Matt Blaze [and] colleagues have hosted a Voting Village at Defcon. … All comers are welcomed to try to compromise a variety of voting machines that are in actual use.

Every year, the results are terrifying and horrible, as the grifty tech vendors’ products are revealed to be totally unfit for purpose. This year is no exception.

But Davide Marney complains, “FUD Doesn’t Help”:

 I am a volunteer poll worker in Virginia. … Spreading fear, uncertainty, and doubt does us no favors in actually securing the vote.

If you grant me physical access to a computer of course I will be able to hack into it. … So any so-called “test” that steps outside the real-world constraints of an election is nothing more than FUD.

Actual voting equipment is under very strict chain-of-custody controls. The chain is enforced with laws, procedures, vaults, seals, signed affidavits, multiple, independent witnesses and an entire court system.

You can’t even physically touch the machines. All you can do is fill out a paper form and feed it into a scanner slot. … We need push back against these silly stunts.

Haven’t we heard this before? Martin “drinkypoo” Espinoza is obviously dumb: [You’re fired—Ed.]

 What I find fascinating is Dunning-Krueger. … All the people who think they’re smarter than the people who study this stuff, and then go on to ignore them when they make this same warning every election.

Solution: Outlaw all voting machines? Matt Blaze is one of those smart people who study this stuff:

 While ballot marking devices introduce security risks and tradeoffs that we need to understand better, this is not the most pressing [or] productive election security hill to choose to die on right now. Getting Risk Limiting Audits in every state is.

Even the most rigorously voter-verified paper ballots don’t help if the process that uses them is compromised. … Risk limiting audits [have] gotten very little attention. … This is why I find the activist focus on ballot marking devices so frustrating.

How about a view from overseas? bangskij tries not to sound smug:

 I will never understand this preoccupation with digital voting. It’s ridiculous. It can never be made secure.

Here in Scandinavia everything is online. I do my taxes on my phone. Any government communication of any kind is digital. You can’t even buy a ticket for the bus without the app.

Everywhere I travel is less advanced, including the US. Paying toll money with cash when driving on the toll road. How 1980 is that?! … When I drive on the toll road here a machine takes my picture, sends me a bill. A digital bill, appearing in my digital bank account.

But when I go to vote I have to use a pen on a piece of paper, which will be scanned by a machine if my X is nice and clean, and scanned by a human if it isn’t. Because it would take tremendous effort to hack that. And the votes can be counted as many times as you like by any number of different people and scanning machines.

Digital voting is a joke. A cruel joke. But still a joke.

I don’t see Eric Geller laughing. Instead, he channels Sen. Wyden:

 [I will use the report] as a kind of lodestar. … What I saw this summer — and I have literally been going colleague to colleague to colleague — ought to open everybody’s eyes.

[This is a] four-alarm calamity. [Congress needs to] end the days when the voting machine lobby calls the shots.

[Election interference will] make what happened in 2016 look like small potatoes. … I’m going to take this report and I’m going to get it into the hands of every member of the United States Senate.

Meanwhile, burtosis snarks it up:

 But do you have any idea how hard elections are to rig? We need these machines.
—Some senator somewhere.

And Finally:

Elisabetta’s ink

[Triggers: vocal fry, cooling towers, surface decomposition]

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Def Con

Richi Jennings
