DEF CON Voting Village: Its About Risk

DHS, security experts worry about nation-state or other actors waging a disruptive or other attack on the 2020 election to sow distrust of the election process.

When DEF CON debuted its first-ever Voting Village in 2017, it took just minutes for researcher Carsten Schürmann to crack into a decommissioned WinVote voting system machine via WiFi and take control of the machine such that he could run malware, change votes in the database, or even shut down the machine remotely. Several other researchers were able to break into other voting machines and equipment by pulling apart the guts and finding flaws by hand that year, and then again on other machines in the 2018 event.
The novelty of the live hacking of decommissioned voting machines has worn off a bit now and there werent many surprises - nor did the organizers expect many - at this years Voting Village, held at DEF CON in Las Vegas last week. But once again the event shone a white hot light on blatant security weaknesses in decommissioned voting machine equipment and systems.
DEF CON is not about proving that voting machines can be hacked. They all can be hacked and 30 years from now, those can be hacked, too. Its about making sure we understand the risk, Harri Hursti, Nordic Innovation Labs, one of the founders of the Voting Village, told attendees last week.
Hursti as well as other security experts, government officials, and hackers at this years event doubled down on how best to secure the 2020 US presidential election: ensuring theres an audit trail with paper ballots; employing so-called risk-limiting audits (manually checking paper ballots with electronic machine results); and proper security hygiene in voting equipment, systems, and applications.
Christopher Krebs, director of the US Department of Homeland Securitys Cybersecurity & Infrastructure Agency (CISA) told Dark Reading in an interview at DEF CON that one of his top priorities the past two and half years has been to ensure CISA understands the election jurisdiction community and how best to help them security-wise. Krebs, who joined CISA in 2017, said election security was the last thing he expected to be working on when he took the helm of the agency, and it was eye-opening.
When you put a local jurisdiction in the far-flung regions of the upper peninsula of Michigan facing the Russian GRU threat ... thats not a fair fight, he told attendees at the Voting Village. We had to figure out what problems the US federal government can help with from a cyber and physical perspective to help local and state election bodies, he said.
He pointed to DHSs formation of the Election-ISAC, of which all 50 states are members, and around 1,400 local election jurisdictions have joined. CISA has helped provide training and tabletop exercises: Were raising the understanding of what bad guys are doing and not merely providing indicators of compromise, he said.
Krebs said he feels optimistic about the direction CISAs relationship is taking with state and local election officials, but the agency has more work to do: there are some 8,800 voting jurisdictions in the US, so the 1,400 is a drop in the bucket for now. His agency is exploring how to provide vulnerability management in a box for these jurisdictions, as well as providing remote penetration testing and helping with coordinated vulnerability disclosure programs.
Its about building confidence and understanding about how best to protect the election, he said. He worries, though, about the threat of disruptive attacks on the 2020 election that could shake trust in the election system. We need to have resilience in place, he said.
Most election security experts say its less likely that Russia or another nation-state will attempt a massive attack on the election systems: they worry more about a small attack, disruption, or even appearance of one, that could shake the confidence of the electorate in the system. Hacking the mindset of the electorate, they said, would be a simpler and possibly more effective attack.
Brian Varner, a special projects researcher with Symantec who formerly worked for the National Security Agency, explained that such an operation could begin with a breach and manipulation of election results in cloud-based storage. News outlets poll and pull election results that are stored in cloud buckets, and report them as the polls close. Theres a rush to call it [the election] first. What if I [as an attacker] compromised their cloud services buckets? Reporting phony results could manipulate voters and instill doubt in the election system, he says.
What the Voting Village Hackers Found
Among the highlights of this years DEF CON Voting Village findings were the usual poor security features, or lack thereof, of IoT systems:
Voting machine giant ES&Ss Express Poll pollbook uses the vendors name as the password and stores maintenance credentials in plain text
ES&S Automark 300 supervisor and admin password was discovered via an Internet search
Accuvotes Optical Scanner can be opened post-poll closing and allow an attacker to add votes that appear to have been cast during the election timeframe
Dominions ImageCast Precint system contains an exposed flash card with a file that could be abused to redirect votes to a different candidate.
Jeff Williams, CTO of Contrast Security, says while the Voting Village is interesting, performing more structured security analysis is more difficult and of course time-consuming. Anyone can find vulnerabilities [in these systems]. Its not very hard, he said.
But a deeper understanding of an election system security posture is not so straightforward: I havent seen a well-developed threat model for election security, he said. Theres nothing to measure it against, so how do you know if youve addressed every threat?
That requires writing down a list of those threats and looking at the entire election ecosystem, he said, including how the systems and components are connected, the possible threats to them, and the people who might hack or touch them, including the manufacturers and the volunteers who handle the machines, for example.
Related Content:
DARPA To Bring its Smart Ballot Boxes to DEF CON for Hacking
DEF CON Rocks the Vote with Live Machine Hacking
Voting System Hacks Prompt Push for Paper-Based Voting
The ABCs of Hacking a Voting Machine

Last News
▸ DDoS data reveals subtle threats beneath large attacks. ◂ Discovered: 26/12/2024 Category: security	▸ India launched a targeted attack on Pakistan. ◂ Discovered: 26/12/2024 Category: security	▸ Matching Compliance Proof to Risk Controls ◂ Discovered: 26/12/2024 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
DEF CON Voting Village: Its About Risk