When DEF CON debuted its first-ever Voting Village in 2017, it took just minutes for researcher Carsten Schürmann to crack into a decommissioned WinVote voting system machine via WiFi and take control of the machine such that he could run malware, change votes in the database, or even shut down the machine remotely. Several other researchers were able to break into other voting machines and equipment by pulling apart the guts and finding flaws by hand that year, and then again on other machines in the 2018 event.
The novelty of the live hacking of decommissioned voting machines has worn off a bit now and there weren't many surprises - nor did the organizers expect many - at this year's Voting Village, held at DEF CON in Las Vegas last week. But once again the event shone a white hot light on blatant security weaknesses in decommissioned voting machine equipment and systems.
"DEF CON is not about proving that voting machines can be hacked. They all can be hacked and 30 years from now, those can be hacked, too. It's about making sure we understand the risk," Harri Hursti, Nordic Innovation Labs, one of the founders of the Voting Village, told attendees last week.
Hursti as well as other security experts, government officials, and hackers at this year's event doubled down on how best to secure the 2020 US presidential election: ensuring there's an audit trail with paper ballots; employing so-called risk-limiting audits (manually checking paper ballots with electronic machine results); and proper security hygiene in voting equipment, systems, and applications.
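The risk-limiting audit mentioned above is an algorithm, not just a policy, so here is a worked version of its simplest form, the ballot-polling (BRAVO-style) sequential test. This is an added illustration, not code from the article or from any election office or vendor; it assumes a two-candidate contest, a reported winner share above 50%, ballots drawn uniformly at random, and a constructed ballot population standing in for the physical paper. A real audit draws the sample from the actual ballot manifest and, if the sample runs out without confirmation, escalates to a full hand count.

```python
"""Ballot-polling risk-limiting audit (RLA), BRAVO-style sequential test.

Added illustration, not code from the article or from any election office or
vendor. Assumptions: two candidates, reported winner share s_w > 0.5, ballots
drawn uniformly at random, and a constructed population in place of paper.
"""
import math
import random


def bravo_audit(reported_winner_share, sampled_ballots, risk_limit=0.05):
    """Sequentially test "the reported outcome is wrong (a tie or worse)"
    against "the reported winner share is right".

    Each hand-examined ballot updates a likelihood ratio T:
      winner ballot -> T *= s_w / 0.5
      loser  ballot -> T *= (1 - s_w) / 0.5
    The audit confirms the reported outcome as soon as T >= 1 / risk_limit,
    which bounds the chance of confirming a wrong outcome by risk_limit.
    Returns (confirmed, ballots_examined). Running out of sample without
    confirmation means "not confirmed": proceed to a full hand count.
    """
    if not 0.5 < reported_winner_share <= 1.0:
        raise ValueError("reported winner share must exceed 0.5")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be between 0 and 1")
    t = 1.0
    threshold = 1.0 / risk_limit
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == "winner":
            t *= reported_winner_share / 0.5
        elif ballot == "loser":
            t *= (1.0 - reported_winner_share) / 0.5
        else:
            raise ValueError(f"unexpected ballot interpretation: {ballot!r}")
        if t >= threshold:
            return True, examined
    return False, examined


def expected_sample_size(reported_winner_share, risk_limit=0.05):
    """Rough expected ballots needed to confirm when the reported share is
    the true share: ln(1/alpha) over the expected per-ballot log-ratio."""
    s = reported_winner_share
    per_ballot = s * math.log(s / 0.5) + (1 - s) * math.log((1 - s) / 0.5)
    return math.ceil(math.log(1.0 / risk_limit) / per_ballot)


def simulate_audit(true_winner_share, reported_winner_share, max_draws=5000,
                   risk_limit=0.05, seed=2019):
    """Draw from a constructed population whose true winner share is
    true_winner_share and audit it against the reported share."""
    rng = random.Random(seed)  # seeded so the simulation is reproducible

    def draws():
        for _ in range(max_draws):
            yield "winner" if rng.random() < true_winner_share else "loser"

    return bravo_audit(reported_winner_share, draws(), risk_limit)


if __name__ == "__main__":
    print("expected sample for a 60/40 reported result:",
          expected_sample_size(0.60))
    print("simulated audit, reported 60% and true 60%:",
          simulate_audit(0.60, 0.60))
```

The point a practitioner should take from the numbers: with a 60/40 reported result and a 5% risk limit, confirmation typically takes on the order of 150 hand-examined ballots, while a close race pushes the sample size up sharply, which is why a paper trail and a manifest of where every ballot is are prerequisites rather than extras.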
Christopher Krebs, director of the US Department of Homeland Security's Cybersecurity & Infrastructure Agency (CISA) told Dark Reading in an interview at DEF CON that one of his top priorities the past two and a half years has been to ensure CISA understands the election jurisdiction community and how best to help them security-wise. Krebs, who joined CISA in 2017, said election security was the last thing he expected to be working on when he took the helm of the agency, and it was eye-opening.
"When you put a local jurisdiction in the far-flung regions of the upper peninsula of Michigan facing the Russian GRU threat ... that's not a fair fight," he told attendees at the Voting Village. "We had to figure out what problems the US federal government can help with from a cyber and physical" perspective to help local and state election bodies, he said.
He pointed to DHS's formation of the Election-ISAC, of which all 50 states are members, and around 1,400 local election jurisdictions have joined. CISA has helped provide training and tabletop exercises: "We're raising the understanding of what bad guys are doing and not" merely providing indicators of compromise, he said.
Krebs said he feels optimistic about the direction CISA's relationship is taking with state and local election officials, but the agency has more work to do: there are some 8,800 voting jurisdictions in the US, so the 1,400 is a drop in the bucket for now. His agency is exploring how to provide "vulnerability management in a box" for these jurisdictions, as well as providing remote penetration testing and helping with coordinated vulnerability disclosure programs.
It's about building confidence and understanding about how best to protect the election, he said. He worries, though, about the threat of disruptive attacks on the 2020 election that could shake trust in the election system. "We need to have resilience in place," he said.
Most election security experts say it's less likely that Russia or another nation-state will attempt a massive attack on the election systems: they worry more about a small attack, a disruption, or even the appearance of one, that could shake the confidence of the electorate in the system. Hacking the mindset of the electorate, they said, would be a simpler and possibly more effective attack.
Brian Varner, a special projects researcher with Symantec who formerly worked for the National Security Agency, explained that such an operation could begin with a breach and manipulation of election results in cloud-based storage. News outlets poll and pull election results that are stored in cloud buckets, and report them as the polls close. "There's a rush to call it [the election] first. What if I [as an attacker] compromised their cloud services buckets?" Reporting phony results could manipulate voters and instill doubt in the election system, he said.
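The defensive counterpart to the scenario Varner describes is that a newsroom should never air a tally it cannot authenticate. The following is an added illustration, not code from the article or from any news outlet or election office: it assumes the election office signs each results snapshot with a key that never touches the storage bucket, and uses HMAC-SHA256 over canonical JSON as a stand-in for a real digital signature so that it runs with the standard library alone. The key, contest name and totals are constructed sample values.

```python
"""Verify a published results snapshot before reporting it.

Added illustration, not code from the article or from any news outlet or
election office. An HMAC-SHA256 over canonical JSON stands in for a real
signature; a deployment would use an asymmetric scheme so outlets hold only
the public key. All values below are constructed.
"""
import hashlib
import hmac
import json

# Constructed demo key. It must live with the election office, never in the
# bucket: an attacker who can edit stored objects must not be able to re-sign.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def canonical_bytes(results):
    """Serialise deterministically so the same tally always hashes the same,
    whatever key order or whitespace the storage layer hands back."""
    return json.dumps(results, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_snapshot(results, key=SIGNING_KEY):
    """Election office side: produce the object the bucket should hold."""
    tag = hmac.new(key, canonical_bytes(results), hashlib.sha256).hexdigest()
    return {"results": results, "signature": tag}


def verify_snapshot(snapshot, key=SIGNING_KEY):
    """Newsroom side: True only if the tally matches its signature."""
    if not isinstance(snapshot, dict):
        return False
    if "results" not in snapshot or "signature" not in snapshot:
        return False
    expected = hmac.new(key, canonical_bytes(snapshot["results"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison, so a forged tag cannot be matched byte by byte.
    return hmac.compare_digest(expected, str(snapshot["signature"]))


def results_to_report(snapshot, key=SIGNING_KEY):
    """Return the tally if it verifies, otherwise None so nothing is aired."""
    return snapshot["results"] if verify_snapshot(snapshot, key) else None


# Constructed tally standing in for what a bucket might hold.
SAMPLE_RESULTS = {
    "contest": "Constructed County Commissioner",
    "precincts_reporting": 12,
    "totals": {"Candidate A": 4210, "Candidate B": 3975},
}


def stored_copy_with_edit(snapshot, candidate, new_total):
    """Model a stored object whose totals were altered without the key;
    used to show that verification rejects it."""
    copy = json.loads(json.dumps(snapshot))
    copy["results"]["totals"][candidate] = new_total
    return copy


if __name__ == "__main__":
    signed = sign_snapshot(SAMPLE_RESULTS)
    print("genuine snapshot verifies:", verify_snapshot(signed))
    altered = stored_copy_with_edit(signed, "Candidate B", 4500)
    print("altered snapshot verifies:", verify_snapshot(altered))
    print("tally to report from altered copy:", results_to_report(altered))
```

The design choice worth noting is canonicalisation: without it, an honest re-serialisation by the storage provider (different key order, added whitespace) would fail verification and train editors to ignore failures, which defeats the purpose of the check.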
What the Voting Village Hackers Found
Among the highlights of this year's DEF CON Voting Village findings were the usual poor security features, or lack thereof, of IoT systems:
- Voting machine giant ES&S's Express Poll pollbook uses the vendor's name as the password and stores maintenance credentials in plain text
- ES&S Automark 300 supervisor and admin password was discovered via an Internet search
- Accuvote's Optical Scanner can be opened post-poll closing and allow an attacker to add votes that appear to have been cast during the election timeframe
- Dominion's ImageCast Precinct system contains an exposed flash card with a file that could be abused to redirect votes to a different candidate.
Jeff Williams, CTO of Contrast Security, said that while the Voting Village is interesting, performing a more structured security analysis is more difficult and, of course, time-consuming. "Anyone can find vulnerabilities [in these systems]. It's not very hard," he said.
But a deeper understanding of an election system's security posture is not so straightforward: "I haven't seen a well-developed threat model" for election security, he said. "There's nothing to measure it against, so how do you know if you've addressed every threat?"
That requires writing down a list of those threats and looking at the entire election ecosystem, he said: how the systems and components are connected, the possible threats to them, and the people who might attack or handle them, such as the manufacturers and the volunteers who operate the machines.