DefCon event shows how easy it is to hack voting systems
Officials need to rethink their use of digital voting systems.
It's no secret that it's possible to hack voting systems. But how easy is it, really? Entirely too easy, if you ask researchers at this year's DefCon. They've posted a report detailing how voting machines from numerous vendors held up at the security conference, and... it's not good. Every device in DefCon's "Voting Machine Hacking Village" was compromised in some way, whether it was by exploiting network vulnerabilities or simple physical access.
Multiple systems ran on ancient software (the Sequoia AVC Edge uses an operating system from 1989) with few if any checks to make sure they were running legitimate code. Meanwhile, unprotected USB ports and other physical vulnerabilities were a common sight -- a conference hacker reckoned that it would take just 15 seconds of hands-on time to wreak havoc with a keyboard and a USB stick. And whether or not researchers had direct access, they didn't need any familiarity with the voting systems to discover hacks within hours, if not "tens of minutes."
The report writers reach a few conclusions. To begin with, it's clear that dedicated hackers would have no trouble getting in -- if neophytes can hack a system after a brief learning curve, it'd be a walk in the park for state-sponsored hackers. They also warn that foreign components or software could add to the risk by giving ne'er-do-wells a chance to slip in malware that compromises an entire platform. And crucially, politicians, non-government groups and other experts should be involved to make sure that voting system security is treated seriously.
The question is, will the right people listen? It's hard to say. Key US officials did visit the voting machine village, including Homeland Security officials and Congress members like Rep. Jim Langevin and Rep. Will Hurd. And some states are already aware of security risks: Virginia is replacing one of the machines hacked at DefCon. The problem is that many politicians not only didn't attend, but are sometimes clueless about security. A truly comprehensive fix would involve a major, nationwide rethink of election security practices, and that may not happen so long as many of those in power don't take the problem seriously.
