A noisy cheer conk out up from the crowd of hackers clustered around the voting machine tucked into the back corner of a casino group discussion elbow room — they’d just managed to load Rick Astley ’s “ Never Gon na Give You Up ” onto the WinVote , effectively rickrolling democracy .
The hack was easy to accomplish . Two of the hackers working on the touchscreen voting auto , who identified only by their first name , Nick and Josh , had make do to establish Windows Media Player on the simple machine and use it to play Astley ’s classic - turn - trolling - track .
The rickroll stunt was just one drudge at the security conference DEF CON , which ran a three - dayVoting Machine Hacking Villageto test the protection of various simple machine and networks used in US elections . By the end of the weekend , every one of the roughly 30 machines at the village , including those used to tabularise votes and to check up on voters in when they go to the pate , had been hacked . Even though several of the exploit ended uppaying testimonial to Astley , they ’re not jokes — they also present a serious lesson about the surety vulnerability in voting machines that leave them clear to meddling and use . And the more vulnerable our ballot infrastructure is shown to be , the less confidence voters may feel .
“ The real takeaway is that you could install any software on this , ” Nick told Gizmodo . “ There ’s no ascendance . ” Nick had plainly connected a keyboard to an exposed USB port wine at the back of the WinVote , which was used in election as recently as 2014 , and was able-bodied to install whatever software he need from there .
The voting small town is the inspiration of a who’s - who tilt of security department expert : DEF CON father Jeff Moss , cryptographer Matt Blaze , information processing system programmer Harri Hursti ( whose hack of Diebold balloting machines in 2005 birth the name “ theHursti Hack ” ) , and others . research worker have been bring out problems with voting system of rules for more than a decade , but the 2016 presidential electioncatapulted their employment into the national spotlight . Now the entire country , and mayhap the world , is compensate attention . But pate worker and former campaign officials say that their primary security concerns still are n’t with ballot machines themselves but with protect voter registration systems and defending against basic phishing attacks like the one used to acquire entry to the Democratic National Committee ’s net .
Meet the machines
“ This is the with child Satan , ” said Joseph Lorenzo Hall , the main applied scientist at the Center for Democracy & Technology , motion dismissively at the WinVote .
The auto contains a cellular modem chip that allows its software to be updated remotely . “ unluckily , it also means that you could lumber into the damn thing from across the street if you know the right credentials , ” Hall explained . “ What ’s hundreds of miles between networked friends ? ”
The WinVote was the first machine to descend , with a hacker achieving remote codification execution on the machine within the first hours of the village . WinVotes weredecertifiedby Virginia ’s election board in 2015 because of their security vulnerability .
American voting organisation are largely cobble together with antiquated engineering . balloting machine can alter by state and county , and have to be certified by the Election Assistance Commission . But other twist , like the electronic opinion poll Good Book used in some jurisdiction to tally in voters at their polling stations , are n’t capable to the authentication process . bestow in the voter registration databases themselves — which werereportedly breached in 39 stateslast twelvemonth — and you have a convoluted and vulnerable organization ripe for flack .
The political machine are mostly new to the drudge at DEF CON . “ They ’re not very much fun , they ’re like very boring ATMs , ” Hall jest . It ’s obvious that election systems are n’t very secure , but it ’s important to sympathize why the security problem exist in the first position , and why they ’re so hard to restore .
The security industry encourages regular package updates to patch bugs and keep simple machine as impenetrable as possible . But update the machines used in ballot organisation is n’t as easy as installing a patch because the machines are subject to strict certificate rule .
Any major software update would require the state to redo its documentation physical process . “ It cost over $ 1 million to get demonstrate , ” Joshua Franklin , a security measures medical specialist with the National Institute of Standards and Technology ’s cybersecurity and concealment app social unit , explained to attendee . Franklin pronounce that even though the Election Assistance Commission ’s most recent election certificate standards were released in 2015 , most state ’s machines are only compliant with standard from 2002 because of the prohibitory costs of updates .
The toll breaks down to about $ 30-$40 per voter , estimate Tom Stanionis , an IT manager for a county election agency in California who take care the settlement in his personal capacity . Most states just do n’t have the money .
“ The realness is , we ’ve known about issue with voting auto for a long time , ” Stanionis told Gizmodo . Since buy brand new scheme is out of the question , Stanionis say most states do their good to protect the system they have , walling them off from the cyberspace and storing them firmly when they ’re not being used .
The rat mogul of decentralised state seller and machines might actually be a good defense during a general election — it would force cyberpunk to successfully target many disparate organisation . “ It would be really hard in most jurisdictions to do anything to affect the voting auto , ” Stanionis say .
hard does n’t stand for impossible , though , and that ’s what DEF CON ’s hackers have set out to prove . If a hacker tucked away in a corner of a Las Vegas casino can interpolate a vote count , then surely a nation - state attacker can too .
“ The thing you have to enquire about any new applied science is , liken with the technology that proceeded it , does this make that threat well-off or harder ? Does it make us better off or worse off ? ” Blaze told attendees . “ Does whatever the technology we ’re using make this scourge an easier menace or a tougher threat ? That ’s the question we have n’t really been sharply asking for very long . ”
Email security and beyond
Robby Mook , the former director of Hillary Clinton ’s presidential movement , is at DEF CON for the first time , and you could kind of tell — he look a bit too fair undercut for a conference often filled with hoodie - fag hackers . But he ’s drive experience being targeted by nation - Department of State hackers that few other attendees can claim .
Although hackers were hard at workplace down the hall figuring out how to castrate ballot tally , Mook say he was still mostly distressed about get campaign workers to fix their e-mail accounts withtwo - component authenticationand stop retaining data for longer than necessary .
“ It ’s much more a subject of polish and education than it is of spending tremendous resources , ” Mook told Gizmodo . “ masses in the security community know a muckle of things instinctually that a campaign professional has never had pic to , ever . ”
Mook , along with former Mitt Romney crusade coach Matt Rhoades and former Assistant Secretary of Defense Eric Rosenbach , launch an initiative at Harvard University earlier this summertime focused on providing surety resources to campaigns and election officials . The Defending Digital Democracy labor receive afounding investmentfrom Facebook , and executive from the social web as well as Google and CrowdStrike are helping prove an selective information share organization that will give political commission and campaigns straightaway access to threat intelligence .
“ If you pull away any campaign manager and say , ‘ Do you want to get hacked ? ’ they ’d say no , ” Mook severalise DEF CON attendees . “ If you asked them , ‘ Have you done everything you may ? ’ they ’d say , ‘ No , but I do n’t really know . ’ ”
Campaigns , along with voter registration databases , are balmy butt for hacker — the events of the last twelvemonth demonstrate that . And as exciting as it is to rupture a voting machine apart , the goal of securing election might be reached faster through school election officials about cybersecurity good practices .
“ The voter adjustment database are becoming a more obvious target , ” Stanionis said . falsify the elector roll to show an incorrect polling location for just a few voter could drastically slacken down the voting summons for many , he explain . If a voter is n’t believed to be in their correct polling place , she ’ll be asked to fill up out a provisional voting , slow down the seam for everyone . Some might get sick of wait and leave .
“ That ’s hack the election but does n’t look illegal from the exterior , ” he said .
These kinds of softer attack hit at public trustingness in election systems . There ’s an amount of mistake that ’s to be bear in any election — a voter might encircle the name of a candidate on their ballot instead of checking the boxwood next to it , or a machine might malfunction on its own — but without voter confidence , all error begin to look nefarious .
“ Perception and realness are linked here . Public confidence in election is what gives government authenticity , ” Blaze said .
Without repair simple problems like two - factor effectuation and more complex one like vulnerabilities in vote - tallying machines , that genuineness is at peril of being lose for undecomposed .
“ The Voting Hacking Village was just the start . This is one conversation that needs to leave Vegas , ” said Jake Braun , the CEO of Cambridge Global Advisors and one of the PDA of the case . “ There are shipway to secure our republic , but we need an organized advocacy campaign . We need to take these lessons back to DC , to province capitals , and to local election boards around the country to bring up change . ”
Update 3:30 p.m. : This story was updated to include citation for a second hack , Josh , who helped rickroll the WinVote machine .
CybersecurityDefconSecurity
Daily Newsletter
Get the good technical school , science , and refinement news in your inbox day by day .
News from the futurity , delivered to your present .
You May Also Like
