You don’t even have to know much about voting machines to hack some of the systems that are still in use across the country.
A new report published on Tuesday outlines how amateur hackers were able to “effectively breach” voting equipment, in some cases in a matter of minutes or hours, over just four days in July at DEFCON, an annual hacker conference. The report underscores the vulnerability of U.S. election systems. It also highlights the need for states to improve their security protocols after the Department of Homeland Security said Russian hackers attempted to target them during the 2016 election.
“The DEFCON Voting Village showed that technical minds with little or no previous knowledge about voting machines, without even being provided proper documentation or tools, can still learn how to hack the machines within tens of minutes or a few hours,” the report says.
The DEFCON hackers were able to effectively breach six different voting machines in some way, the report says. Programmers were able to access one machine, which was used by Virginia from 2003 until 2014, when it was decertified, in a matter of minutes. After infiltrating the voting equipment, the hackers were able to observe and even change votes in that machine. The group found a universal, unchangeable default password for the machine by simply Googling “admin” and “abcde.” They also successfully breached an e-poll book to access voter information from Shelby County, Tennessee, dating back about a decade. The same kind of e-poll book is used in Ohio, the report notes.
The hackers also discovered that several voting machines had parts manufactured overseas, which could potentially allow hackers to penetrate the machines as they are assembled.
“When successful, phishing can provide inside access to a machine, account, system or network without the hacker actually having physical access to the machine. Information can then be stolen or exploited in some fashion, without the victim ever knowing that entry has occurred,” the report says. “The extensive use of foreign-made computer parts – frankly, as expected given how many commercial computing devices are manufactured overseas – within the machines opened up a serious set of concerns that are very relevant in other areas of national security and critical infrastructure: the ability of malicious actors to hack our democracy remotely, and well before it could be detected.”
In the next elections, just under 64 million voters will vote in jurisdictions that use equipment amateur hackers were able to hack at DEFCON, said Warren Stewart, a spokesman for Verified Voting, a group that works on bettering election security. These voters, spread across 26 states, represent just under 33 percent of total registered voters nationwide, he added. Stewart also noted that many of the jurisdictions use more than one voting system and that, in most cases, paper ballots would be used to vote.
The hackers at DEFCON didn’t have access to all of the safeguards some states have to detect voting irregularities, such as paper audit systems. They also noted they didn’t have access to source code, backend systems or voter registration information, the kind of data hackers apparently tried to access last year.
Despite those limitations, Candice Hoke, the founding co-director of the Center for Cybersecurity and Privacy Protection at the Cleveland-Marshall College of Law, said the results were concerning.
“While a number of these hacked voting systems are no longer in use, the same all-electronic design with no auditable paper record is the exclusive voting device in 5 States and widely deployed in another 9 States,” she wrote in an email. “The most egregious vulnerability in a voting system ― falsely reporting who won ― can be corrected by using voter-marked paper ballot systems combined with a well-structured audit using random hand counts.”
States have been making some attempts to beef up their electoral security since last year’s reported breaches. Virginia recently announced it will conduct its elections this year using a paper ballot to ensure the vote is secure. Verified Voting said in a statement it would next work with election officials in New Jersey, which has a gubernatorial election this year, to upgrade and secure voting systems.
But there’s also still considerable confusion about what to do to prevent hacking. The Department of Homeland Security only recently notified the 21 states where it believes Russians attempted to breach election systems, and some states have accused the agency of giving them bad information.