Hackers cracked into a wide array of voting equipment Def Con’s Voting Village, an event held Friday at Caesar’s Palace in Las Vegas, Nevada.
Last year, conference goers hacked five machines and an e-poll book of registered voters. This year, in addition to voting machines, tabulators and smart card readers were available for hacking.
Websites weren’t off limits, either. An 11-year-old hacked into a replica of the Florida secretary of state’s office site in 10 minutes and changed the results there. In real life, such an attack might create confusion, but it would not effect the actual vote tally of an election.
Election stakeholders last year were caught by surprise by the hacking frenzy at the Voting Village, but they were prepared for it this time around.
One of the largest providers of election equipment in the United States, ES&S, sent an email to its customers advising them that it was highly unlikely that any hacker would be able to get the physical access to a voting machine that a Def Con attendee could get at the conference.
The National Association of Secretaries of State, which represents local officials overseeing elections in the states, expressed similar sentiments, arguing that the unlimited physical access Def Con attendees got to voting machines, many no longer in use, did not replicate real-world election conditions.
However, the weaknesses Def Con hackers exposed should not be ignored, security experts warned.
“These hacks pose a tremendously significant threat to election systems,” said John Cassidy, CEO of Alexandria, Virginia-based King & Union, maker of a cybersecurity analysis collaboration platform.
“They illustrate just how poorly security has been considered in many of these systems,” he told the E-Commerce Times.
While the Def Con hacks required manual access to the voting machines, it is highly likely hackers already know of other vulnerabilities that do not require that kind of access, Cassidy said.
More Than Machines
“Def Con demonstrates how vulnerable the system is,” remarked Avivah Litan, a security analyst at Gartner, a research and advisory company based in Stamford, Connecticut.
“It’s just amazing the country is so lax at responding to this. We don’t have any national response that’s meaningful,” she told the E-Commerce Times. “Hacking elections has become a partisan issue.”
As the 11-year-old’s hack illustrated, more than voting machines are at risk.
“There are many different attack vectors,” Litan said. “It’s the tabulation systems, the absentee balloting systems and the system management systems.”
Making matters worse is the lack of central control over voting systems.
“Even when weaknesses are exposed, the only people who can fix them are at the local level,” Litan explained. “The Feds don’t have any jurisdiction, and local people won’t let anyone into their systems because of partisan concerns.”
Lax Cyber Hygiene
Although the focus on election meddling has been at the national level, local elections might be better targets for foreign hackers, observed Major General Earl Matthews, USAF (Ret.), chief strategy officer of Verodin, a McLean, Virginia-based maker of a platform for measuring cybersecurity effectiveness.
An attack on a presidential election is a high-impact event, but it has a low likelihood of success, he told the E-Commerce Times. That contrasts with hacking a local election, where the impact would be lower, but the likelihood of success would be higher.
“While not highlighted in the media as much as national election attacks, influencing local, state and congressional elections will be valuable to attackers,” Matthews said. “Those attacks are more likely to succeed without being noticed.”
The cyber hygiene surrounding electronic voting machines hasn’t changed drastically in more than a decade.
“The good guys and bad guys alike have had plenty of time to discover, and potentially exploit, vulnerabilities in the systems and processes underlying democracy around the world,” Matthews noted.
Despite proven vulnerabilities and a demonstrative lack of security, manufacturers and officials have not improved electronic voting systems, according to Matthews.
The combination of “a lack of basic security processes, such as penetration testing and security-by-design, and comprehensive physical access controls has resulted in halfhearted security, which enables an attack,” he said.
“Voting machines become easier to compromise as vulnerabilities are discovered and left unpatched,” Matthews continued, “and most of the time the concern doesn’t arise until election time, and then it’s too late to remedy.”
The security of the election infrastructure needs the same attention that protection of the nation’s critical infrastructure has been getting, maintained Eddie Habibi, CEO of PAS, a provider of security software for industrial control systems, based in Houston, Texas.
“Similar attention must be given to election voting machines to ensure every vote counts, and it counts only once,” he told the E-Commerce Times.
“The confidence of the voting public in our western democracy is essential to our confidence in the government and in the rule of law,” Habibi continued. “To that end, voting machines should be considered essential systems and be proactively protected against any kind of attack, domestic or foreign.”
Return to Paper
Because of the difficulties of ensuring the security of electronic voting devices, there has been a call from some quarters to return to paper ballots.
“Paper ballots have first-degree integrity because they can be manually recounted and depend on a trusted chain of custody,” Matthews said, but a paper ballot system offers challenges of its own.
“This is still not perfect,” he added, “as there have been numerous reported cases of election officials altering ballots, removing ballot boxes, or otherwise compromising the paper trail.”
Voter registration lists stored on computer systems also must be protected, Gartner’s Litan added.
“Everyone who is entitled to vote should be able to vote, and there should be no tinkering with the registration databases,” she said. “We already know the Russians are in those databases and may be stealing identities to cast fake votes, or deleting people from the rolls.”
A return to total paper balloting would not be a wise move, however, according to Mounir Hahad, head of the threat lab for Juniper Networks based in Sunnyvale, California.
“We don’t want to wipe decades of progress,” he told the E-Commerce Times, “because we’re choosing not to handle security risks properly.”