This past weekend Las Vegas played host to the world-famous DEFCON hacker conference, an annual gathering which attracts some of the best and brightest minds in the fields of hacking and computer science. However, this year's conference was uniquely interesting. In light of the perceived Russian hacking of the US election last year, a popular notion often advanced by left-wing Americans and politicians alike, the organizers at DEFCON wanted to discover once and for all how easy or hard it is for hackers to actually corrupt US voting systems.
To put these machines to the test, DEFCON organizers put out 30 different US voting machines and asked anyone attending the event to try their hand at hacking into the machines and corrupting the data. The results were truly disturbing. According to reports, within two hours of the doors opening, in just about 90 minutes, hackers were able to gain full control of and remote access to these machines.
90 min after doors open: Complete remote control on the operating system level of the Winvote voting terminal (including election data).
— DEFCON VotingVillage (@VotingVillageDC) July 28, 2017
To be more exact, it took approximately one hour and forty minutes to hack into one of the voting machines used in the state of Virginia last year. This was done by security researcher Carsten Schurmann, who was able to hack into the WinVote voting machines using a 14-year-old exploit for Windows XP, the operating system on which the vast majority of these machines run.
As reported by Waqas Ahmed, writer for HackRead.com, “to sum up the whole hacking campaign, it can be concluded that the manufacturers of these voting machines are still using Windows XP on the system which provides an attacker to breach the so-called security of these machines by simply entering default username and passwords, just like WannaCry ransomware which infected tens of thousands of Windows-based devices in hundreds of countries around the world.”
Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine. pic.twitter.com/1Xk3baWdxv
— Robert McMillan (@bobmcmillan) July 28, 2017
According to event organizers, 5 different voting machines from various parts of the United States were made available to the public, including WinVote, Edge, ES&S iVotronic, Diebold TSX, and Diebold ExpressPoll 4000. However, within the first three and a half hours of the start of the event, 4 of the 5 machine types had already been fully compromised by hackers. One of the most disturbing pieces of news to come out of the event was that these machines had also been corrupted wirelessly, which is disturbing considering that none of these machines are supposed to allow wireless access in the first place.
Though some of these hackers are currently gathering and organizing their findings to release in a full report sometime next week, a redacted list of notes has been made available. You can find them here: https://github.com/josephlhall/dc25-votingvillage-report/blob/master/notes-from-folks-redact.txt
While the findings from this weekend's event were troubling, the silver lining may be that it was a first step towards solving a very serious problem. In light of the information exposed this weekend, the United States Government and major tech companies alike are going to have to begin a serious overhaul of our electronic voting systems in the future. Believe it or not, DEFCON 2017 was the first time that members of the general public have had an opportunity to test voting equipment without first having to be legally sanctioned by the United States Government to do so.
Regarding the revelations about US voting systems at this weekend's DEFCON conference, as reported by SC Media on July 29th, 2017, Matt Blaze, the Director of University of Pennsylvania’s Distributed Systems Lab, pointed out how “Within the first hour and a half, after we opened, people were starting to discover new things about these machines that experts like myself who’ve been looking at these things for 10 years haven’t previously discovered.” He added that it “goes to show how important it is to have a really broad range of people, a broad community, looking at this kind of technology if you have any hope of wanting to trust it to do something serious.”
Lastly, the vulnerabilities of US voting systems do not prove that Russian actors, or anyone else for that matter, directly hacked the US elections last year. Nor do they serve as proof that US citizens may have had their votes altered at the polls. The information merely indicates that hackers could have done this if they really wanted to. Not to make anyone more afraid than they need to be, but it would not necessarily be the first time this sort of thing has happened, and the United States would be far from the first country in which it has happened. For example, you might remember this testimony from a few years ago: