
DEF CON Voting Village: It's About 'Risk'

DHS, security experts worry about nation-state or other actors waging a disruptive or other attack on the 2020 election to sow distrust of the election process.

When DEF CON debuted its first-ever Voting Village in 2017, it took just minutes for researcher Carsten Schürmann to crack into a decommissioned WinVote voting system machine via WiFi and take control of the machine such that he could run malware, change votes in the database, or even shut down the machine remotely. Several other researchers were able to break into other voting machines and equipment by pulling apart the guts and finding flaws by hand that year, and then again on other machines in the 2018 event.

The novelty of the live hacking of decommissioned voting machines has worn off a bit now and there weren't many surprises - nor did the organizers expect many - at this year's Voting Village, held at DEF CON in Las Vegas last week. But once again the event shone a white hot light on blatant security weaknesses in decommissioned voting machine equipment and systems.

"DEF CON is not about proving that voting machines can be hacked. They all can be hacked and 30 years from now, those can be hacked, too. It's about making sure we understand the risk," Harri Hursti of Nordic Innovation Labs, one of the founders of the Voting Village, told attendees last week.

Hursti as well as other security experts, government officials, and hackers at this year's event doubled down on how best to secure the 2020 US presidential election: ensuring there's an audit trail with paper ballots; employing so-called risk-limiting audits (manually checking paper ballots with electronic machine results); and proper security hygiene in voting equipment, systems, and applications.

Christopher Krebs, director of the US Department of Homeland Security's Cybersecurity & Infrastructure Agency (CISA), told Dark Reading in an interview at DEF CON that one of his top priorities the past two and a half years has been to ensure CISA understands the election jurisdiction community and how best to help them security-wise. Krebs, who joined CISA in 2017, said election security was the last thing he expected to be working on when he took the helm of the agency, and it was eye-opening.

"When you put a local jurisdiction in the far-flung regions of the upper peninsula of Michigan facing the Russian GRU threat ... that's not a fair fight," he told attendees at the Voting Village. "We had to figure out what problems the US federal government can help with from a cyber and physical" perspective to help local and state election bodies, he said.

He pointed to DHS's formation of the Election-ISAC, of which all 50 states are members, and around 1,400 local election jurisdictions have joined. CISA has helped provide training and tabletop exercises: "We're raising the understanding of what bad guys are doing and not" merely providing indicators of compromise, he said.

Krebs said he feels optimistic about the direction CISA's relationship is taking with state and local election officials, but the agency has more work to do: there are some 8,800 voting jurisdictions in the US, so the 1,400 is a drop in the bucket for now. His agency is exploring how to provide "vulnerability management in a box" for these jurisdictions, as well as providing remote penetration testing and helping with coordinated vulnerability disclosure programs.

It's about building confidence and understanding about how best to protect the election, he said. He worries, though, about the threat of disruptive attacks on the 2020 election that could shake trust in the election system. "We need to have resilience in place," he said. 

Most election security experts say it's less likely that Russia or another nation-state will attempt a massive attack on the election systems: they worry more about a small attack, disruption, or even appearance of one, that could shake the confidence of the electorate in the system. Hacking the mindset of the electorate, they said, would be a simpler and possibly more effective attack.

Brian Varner, a special projects researcher with Symantec who formerly worked for the National Security Agency, explained that such an operation could begin with a breach and manipulation of election results in cloud-based storage. News outlets poll and pull election results that are stored in cloud buckets, and report them as the polls close. "There's a rush to call it [the election] first. What if I [as an attacker] compromised their cloud services buckets?" Reporting phony results could manipulate voters and instill doubt in the election system, he says.

What the Voting Village Hackers Found

Among the highlights of this year's DEF CON Voting Village findings were the usual poor security features, or lack thereof, of IoT systems:

  • Voting machine giant ES&S's Express Poll pollbook uses the vendor's name as the password and stores maintenance credentials in plain text
  • ES&S Automark 300 supervisor and admin password was discovered via an Internet search
  • Accuvote's Optical Scanner can be opened post-poll closing and allow an attacker to add votes that appear to have been cast during the election timeframe
  • Dominion's ImageCast Precinct system contains an exposed flash card with a file that could be abused to redirect votes to a different candidate

Jeff Williams, CTO of Contrast Security, says while the Voting Village is interesting, performing more structured security analysis is more difficult and of course time-consuming. "Anyone can find vulnerabilities [in these systems]. It's not very hard," he said.

But a deeper understanding of an election system security posture is not so straightforward: "I haven't seen a well-developed threat model" for election security, he said. "There's nothing to measure it against, so how do you know if you've addressed every threat?"

That requires writing down a list of those threats and looking at the entire election ecosystem, he said, including how the systems and components are connected, the possible threats to them, and the people who might hack or touch them, including the manufacturers and the volunteers who handle the machines, for example.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
