US Defense Advanced Research Projects Agency (DARPA) researchers will set up three new smart electronic ballot-box prototypes at DEF CON's famed Voting Village next week in Las Vegas, but they won't be challenging hackers at the convention to crack them: They'll be helping them do so.
"We are providing the source code specifications, tests, and actually even providing participants at DEF CON with an easy way of actually putting their own malicious software into [the devices]," explains Daniel Zimmerman, principal researcher with Galois, a DARPA contractor working on the project. "We're not daring them but actually helping them break this."
DARPA's smart ballot box is the Defense Department agency's prototype, featuring a secure, open source hardware platform that could be used not only in voting platforms, but also in military systems. It's part of a broader DARPA project called System Security Integrated Through Hardware and Firmware (SSITH), which is developing hardware security architectures and tools that are better protected from hardware vulnerabilities exploited in software. DARPA ultimately hopes to build secure chip-level processors that thwart hardware hacks as well as software-borne attacks.
Zimmerman, whose team is developing methods and tools to measure the security of the processors, says the smart ballot box prototypes at DEF CON are a way for DARPA to get a broader evaluation of just how secure the processors really are. "This goes beyond 'yes, it's secure, or no, it's not,'" he explains. The project is aimed at getting as comprehensive a security analysis of the technology as possible, meaning "a wider range of people being able to hammer on these systems to try to find flaws," Zimmerman adds.
The DEF CON demonstrations are the start of a two-year public evaluation of the processors, he says. The team will release the source code and hardware specifications this week. "The source code will be out, the hardware specs will be out there," he says, and by the end of the year, a "low-cost version of [the ballot box prototype] you can buy and hack at home."
The smart ballot box, which is about the size of a two-drawer filing cabinet with a letter-sized printer lid on top, runs on a small embedded RISC-V processor with a FreeRTOS-based custom software app. There's a separate touch screen where "voters" mark their votes, and a connected printer spits out the ballots. The touch screen and printer aren't part of the hacking experiment: just the ballot box.
The smart ballot box reads the barcoded ballots to determine whether they are valid for the "election." It allows voters to confirm their votes and either cast or ditch (aka "spoil") them. "We're not doing an end-to-end verifiability crypto system this year," notes Zimmerman, but instead, a more visible verification process so participants can see the operation. DARPA instead is employing basic cryptography for the system to accept ballots.
He says hackers at DEF CON could, for example, try to compromise the ballot box to accept duplicate ballots or spoiled ballots. Or they could fool the box into reading a different result than the actual one on the ballot. "We will have a reporting system that takes the output from the ballot box and uses it to compute the election results so they then can be compared with pieces of paper in the ballot box," he says.
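The checks described above, sketched as an added example that is not DARPA's or Galois' code: the barcode layout (id|choice|tag), the HMAC-SHA256 tag, the key, and every name below are assumptions made for illustration, since the article only says the box uses "basic cryptography" to accept ballots.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo key; a real device would keep its key in protected storage.
ELECTION_KEY = b"constructed-demo-key"

def _tag(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def make_barcode(ballot_id, choice, key=ELECTION_KEY):
    """Encode a ballot as 'id|choice|tag' (hypothetical format)."""
    payload = f"{ballot_id}|{choice}"
    return f"{payload}|{_tag(key, payload)}"

class BallotBox:
    def __init__(self, key=ELECTION_KEY):
        self.key, self.cast, self.spoiled = key, {}, set()

    def submit(self, barcode, action):
        """Process one scanned ballot; action is 'cast' or 'spoil'."""
        parts = barcode.split("|")
        if len(parts) != 3:
            return "rejected: invalid"
        ballot_id, choice, tag = parts
        expected = _tag(self.key, f"{ballot_id}|{choice}")
        # Constant-time comparison so the check does not leak tag bytes.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "rejected: invalid"
        if ballot_id in self.spoiled:
            return "rejected: spoiled"
        if ballot_id in self.cast:
            return "rejected: duplicate"
        if action == "spoil":
            self.spoiled.add(ballot_id)
            return "spoiled"
        if action != "cast":
            return "rejected: unknown action"
        self.cast[ballot_id] = choice
        return "cast"

def reconcile(box, paper_choices):
    """Return {choice: (electronic, paper)} for every count that disagrees."""
    electronic, paper = Counter(box.cast.values()), Counter(paper_choices)
    return {c: (electronic[c], paper[c])
            for c in set(electronic) | set(paper) if electronic[c] != paper[c]}
```

An empty result from reconcile means the reported tally matches the hand count of the paper in the box; any entry is a discrepancy to investigate.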
But the DARPA smart ballot box is not anything close to a real prototype product or system. It's all about providing an interesting system to hack and find holes. "This was never intended to be a viable product; we're trying to be very clear about that," he says. And each of the three ballot boxes will be based on a different SSITH processor that DARPA has built.
Election systems are in the hot seat now, so putting out prototypes for that area is likely to attract more researchers than a less familiar military system might, he notes.
It Took a Village
DEF CON's wildly popular Voting Village debuted in 2017, a year after the 2016 US presidential election was rocked by Russia's online meddling campaign, raising concerns over how a nation-state or other threat actor could disrupt or tamper with election systems and voting machines. The Voting Village has served as a hands-on workshop, of sorts, for hackers or burgeoning hackers to take a crack at decommissioned voting systems, equipment, and simulated election websites. In the very first year, participants found two zero-day flaws within the first 90 minutes of the event.
There were 30 pieces of voting equipment in the room, including Sequoia AVC Edge, ES&S iVotronic, Diebold TSX, WinVote, and Diebold Expresspoll 4000 voting machines. In 2018, there was even more voting machine equipment - and successful hacks - as well as a replica database that housed the real, publicly available state of Ohio voter registration roll. One attendee was able to break through two layers of firewalls in front of the server but ultimately couldn't pull the data.
DARPA's open source hardware, not surprisingly, is expected to be the hot feature of the Village this year. While the SSITH processors are unlikely to see the light of day in today's commercial - and mostly proprietary - voting machines and election equipment in the foreseeable future, the project has security experts calling for more open voting system architectures.
"As far as open source hardware, I think it probably has a long way to go before we see it" in elections or other computing environments, notes Zimmerman.
Carsten Schuermann, an election security expert who famously hacked a WinVote voting machine at the very first DEF CON Voting Village, says open source is key to ensuring transparency of voting systems. He says he isn't sold that open source systems necessarily mean better security, but they would provide election and government officials with better insight into how secure the voting and election equipment they buy and use really are.
"I believe voting machine vendors usually are trying to do their best [with security] within the budget they have, and they also do the minimum thing to satisfy the requirements the government gave them," says Schuermann, who is an associate professor at the IT University of Copenhagen.
Like other experts, he worries about public confidence in election systems and their outcomes, especially in the wake of the 2016 US election. If vendors are keeping experts in the dark on their security, it can cause mistrust among the electorate, according to Schuermann.
Microsoft, meantime, has built an open-source election system software development tool called ElectionGuard, which employs vote verification via encryption methods so voters can confirm their votes were counted and election officials can verify results. The vendor demonstrated a prototype voting system last month and already has inked partnerships with voting system vendors such as Smartmatic and Clear Ballot. It also said Dominion Voting Systems is "exploring" using ElectionGuard in its products.
ElectionGuard is not scheduled or expected to be part of the DEF CON Voting Village as of this posting. The full Voting Village schedule has not yet been released.