Hacker conference report details persistent vulnerabilities to US voting systems

by Maggie Miller - 09/26/19 4:40 PM ET

U.S. voting systems remain vulnerable to cyberattacks three years after documented efforts to penetrate election machines, according to a report released Thursday.

The report is based on the findings of the white-hat hacker DEF CON Voting Village, an annual gathering of hackers that uses election machines to find vulnerabilities that could allow someone to interfere with the voting process.

{mosads}This year’s event allowed hackers to test voting equipment, including e-poll books, optical scan paper voting devices and direct recording electronic voting machines — all certified for use in at least one U.S. voting jurisdiction.

“Voting Village participants were able to find new ways, or replicate previously published methods, of compromising every one of the devices in the room in ways that could alter stored vote tallies, change ballots displayed to voters, or alter the internal software that controls the machines,” the report said.

Despite the “disturbing” findings of the report, the authors wrote that the findings were “not surprising,” particularly in light of the fact that many of the election equipment cyber vulnerabilities found were “reported almost a decade earlier.”

Equipment that was tested included those made by leading voting machines companies Election Systems and Software (ES&S) and Dominion Systems.

A spokesperson for ES&S told The Hill that the company “works with federal officials and state and local jurisdictions to ensure risks are minimized and elections continue to be secure. For example, we encourage all jurisdictions to set the credentials on their pollbook devices to non-default values and change them per election, as well as enable encryption for all devices.”

A spokesperson for Dominion told The Hill that “as we have done in past years, we will review and verify any identified critical security issues and take appropriate steps with state and local election authorities to address them in timely and reasonable fashion.”

The Dominion spokesperson noted that one of its systems, the ImageCast Precinct demo unit, analyzed by DEF CON hackers was “never certified for use,” meaning that it is not in use in any election jurisdiction.

The authors emphasized the need to secure the supply chain involved in building election equipment, noting the vulnerabilities posed by using components originating in foreign countries.

They emphasized there is an “urgent need for paper-ballots and risk-limiting audits.”

The authors also noted that the vulnerabilities found are particularly pressing given the lack of information technology expertise involved in running elections at the state and local level.

“With rapid deployment of new IT technology into the election infrastructure, election offices are especially exposed to remote attack (including by hostile state actors),” the authors wrote. “Unfortunately, very few election offices have the resources to effectively counter this increasingly serious type of threat.”

The report’s release follows the findings of a Senate Intelligence Committee investigation into Russian interference efforts from 2016. The committee found that “as of the end of 2018, the Russian cyber actors had successfully penetrated Illinois’s voter registration database, viewed multiple database tables, and accessed up to 200,000 voter registration records.”

Separately, the 448-page report compiled by former special counsel Robert Mueller also highlighted Russian hacking attempts in the lead-up to the 2016 election, including Russian intelligence officers who “targeted private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations.”

Mueller testified before Congress in July that he not only expected the Russians to attempt to interfere in the 2020 U.S. elections, but that they were doing so “as we sit here.”

The findings of the 2019 Voting Village report build on the vulnerabilities found by hackers at past events. In 2018, an 11-year-old was able to hack into a replica of Florida’s voting website and change the election results in less than 10 minutes.

This year’s report was rolled out during an event on Capitol Hill on Thursday, during which Sen. Ron Wyden (D-Ore.) and Reps Jackie Speier (D-Calif.) and John Katko (R-N.Y.) sounded the alarm about existing vulnerabilities in voting systems.

Wyden said that he and Speier would aim to get a copy of the 2019 Voting Village report into the hands of every member of Congress.

Speier said she felt the only way to get certain lawmakers to support legislation on the topic was to “scare the living bejesus” out of them that voting systems can be “rigged against them.”

Wyden, who has been one of the key leaders in pushing for action on election security, cautioned that the time to take action to secure the 2020 elections may have already passed.

”We’ve got a really short time window folks,” Wyden said. “As of today, I am concerned that a window has closed, and certainly the next few weeks are going to decide if we are actually prepared for 2020.”

-Updated at 7:05 p.m. to reflect input from election equipment companies.

Tags cyberattacks Election Security Hackers Jackie Speier John Katko Robert Mueller Ron Wyden Russia