DEF CON 2017 – Are voting systems secure? In August 2016, the FBI issued a “flash” alert to election officials across the country confirming that foreign hackers have compromised state election systems in two states.
Although the US largely invested in electronic voting systems their level of security appears still not sufficient against a wide range of cyber attacks.
During an interesting session at the DEF CON hacking conference in Las Vegas, experts set up 30 computer-powered ballot boxes used in American elections simulating the Presidential election. Welcome in the DEF CON Voting Village!
At the 1st ever Voting Village at #DEFCON, attendees tinker w/ election systems to find vulnerabilities. I'm told they found some new flaws pic.twitter.com/VpYPXANUMT
— Bradley Barth (@BBB1216BBB) July 28, 2017
The organization asked the participant to physically compromise the system and hack into them, and the results were disconcerting.
“We encourage you to do stuff that if you did on election day they would probably arrest you.” John Hopkins computer scientist Matt Blaze said,
Most of the voting machines in the DEF CON Voting Village were purchased via eBay (Diebold, Sequoia and Winvote equipment), others were bought from government auctions.
In less than 90 minutes hackers succeeded in compromising the voting machines, one of them was hacker wirelessly.
“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how,” said Jake Braun, cybersecurity lecturer at the University of Chicago.
The analysis of the voting machines revealed that some of them were running outdated OS like Windows XP and Windows CE and flawed software such as unpatched versions of OpenSSL.
Some of them had physical ports open that could be used by attackers to install malicious applications to tamper with votes.
Even if physical attacks are easy to spot and stop, some voting machines were using poorly secured Wi-Fi connectivity.
The experts Carsten Schurmann at the DEF CON Voting Village hacked a WinVote system used in previous county elections via Wi-Fi, he exploited the MS03-026 vulnerability in Windows XP to access the voting machine using RDP.
Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine. pic.twitter.com/1Xk3baWdxv
— Robert McMillan (@bobmcmillan) July 28, 2017
Another system could be potentially cracked remotely via OpenSSL bug CVE-2011-4109, it is claimed.
huge cheer just went up in @votingvilllagedc as hackers managed to load Rick Astley video onto a voting machine #defcon25 pic.twitter.com/3Gf56wTT2w
— kate conger (@kateconger) July 29, 2017
The good news is that most of the hacked equipment is no longer used in today’s election.
(Security Affairs – voting machines, hacking)