Las Vegas, NV – The Voting Machine Hacking Village at this year’s DEFCON 26 hacking conference was crowded with hackers of all ages proving just how vulnerable the US voting system is to data tampering.
Hackers demonstrated that practically anyone with a screw driver, flash card, and willpower can easily hack into, and alter results from, Diebold Express Poll 5000 voting machines. In theory, any willing person could just walk into a voting booth, unscrew the side panel, access the memory card, place a new one into the machine, reboot the machine and use the default root password (“password“) to access the admin panel. Even some children managed to hack into and alter a simulated election results website in a matter of minutes.
In a more bizarre twist, Harri Hursti, co-organizer of Voting Hacking Village, told Unicorn Riot that hackers who had accessed one voting machine found Chinese music hidden in WinVote software. Hursti stated the hackers also confirmed that the Chinese music was on all the WinVote election booth software of the same model. Previously, WinVote was certified as meeting the Voting Systems Standards of 2002. Thousands of machines running WinVote software were used during elections in multiple US states as recently as 2014.
Unicorn Riot talked with Hursti about the Voting Machine Hacking Village, and what it seeks to expose about the sorry state of election security in the US.
Hackers were also able to tamper with the election results by altering the tallies into the billions (though that would be obvious), and even rewrite party names as well as the names of candidates (see below).
Just stole an election at @VotingVillageDC. The machine was an AccuVote TSX used in 18 states, some with the same software version. Attackers don’t need physical access–we showed how malicious code can spreads from the election office when officials program the ballot design. pic.twitter.com/wa97HWqlv5
— J. Alex Halderman (@jhalderm) August 11, 2018
Responsible election officials and technologists agree, you can’t mitigate risks you don’t know about. Once again @defcon #votingvillage attendees shed needed light on the steps needed to secure the electoral process. https://t.co/IQW3KuSsCi
— EFF (@EFF) August 13, 2018
At the HOPE (“Hackers on Planet Earth“) conference earlier this summer, Unicorn Riot attended a talk by researchers at Nordic Innovation Labs who had run the Vote Hacking Village at DEFCON. They demonstrated by anyone could easily conceal voting machine tampering by easily ordering new seals. Looking back on the impact of their December 2007 report, spanning 316 pages with two or three vulnerabilities per page, the panelists said that very few of the documented problems had been solved since it was published.
Written by Andrew Neef & Rachel Weiland