The Def Con Voting Village, which for two years in a row has let conference attendees try their hand at breaching voting machines, has released the report on this year's event. More than 30 voting machines and other pieces of election equipment were available this year and many of them are still used throughout the US. Troublingly, attendees uncovered multiple vulnerabilities, the number and severity of which the report described as "staggering." "What these vulnerabilities in this report and warnings from national security leaders tell us is that this is a severe national security threat," said Voting Village co-organizer Jake Braun.
Among the devices analyzed was the M650 from Election Systems & Software, a machine currently in use in 23 states. The report notes that its vulnerabilities allow it to be remotely hacked through a network attack, and one flaw that was described in a 2007 security report has remained unaddressed. "Because the device in question is a high-speed unit designed to process a high volume of ballots for an entire county, hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election," said the Voting Village report.
Another machine, the AccuVote TSx, is used by 18 states, and attendees were able to hack it in just two minutes -- less than the time it typically takes to vote. Additionally, hackers demonstrated how voting smart cards used by voters around the US can be reprogrammed via mobile phone.
At @defcon hacking conference and just learned how easy it is to physically gain admin access on a voting machine that is used in 18 states. Requires no tools and takes under 2 minutes. I'm concerned for our upcoming elections. pic.twitter.com/Kl9erBsrtl
— Rachel Tobac (@RachelTobac) August 12, 2018
ES&S told the Wall Street Journal that "the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real-world environment," and that because it uses paper ballots, votes can be audited. It also said it has "been dedicated to the security of our nation's elections since its founding 40 years ago." However, as the Wall Street Journal notes, the company didn't hire a senior cybersecurity official until this April.
This year, the Voting Village also gave kids the chance to hack replicas of states' election websites. Dozens of children were able to do so in less than half an hour, with the fastest exploit taking just 10 minutes.
Voting system vulnerabilities came under the spotlight after the 2016 US election when reports claimed that a number of states' systems were attacked. Alex Padilla, California's Secretary of State, was one of over 100 election officials that attended Def Con this year. He said that while the conference's environment doesn't fully reflect real-world conditions, "we could still learn a lot from friendly hackers." He added, "Their insight can help us stay one step ahead of those who seek to undermine our democracy. It forces us to take second, third and fourth looks at systems. Elections officials must constantly scrutinize, test, adapt and upgrade security measures."