WASHINGTON — Each of a half-dozen decommissioned machines used by election officials across the United States was compromised by hackers at a Las Vegas conference over the summer, some through previously undisclosed vulnerabilities, a formal review of the results has found.
Organizers of the Voting Village, an open room at the DEF CON cybersecurity conference in August, said Tuesday that hackers there, many of whom had no prior experience with voting equipment, were able to breach each of the five voting machines and the one e-poll book, a device that manages voter registration.
The public hacking event was a first, in part because until a three-year exemption was granted in 2015 US copyright law prohibited tinkering with voting equipment.
“That they found new vulnerabilities is disquieting, but probably not surprising, because the people who have looked at these systems over the years have always been very critical of the standards and the software coding in the architecture of these systems,” Susan Greenhalgh, an elections specialist at the voting equipment watchdog Verified Voting, told BuzzFeed News.
One of the hacked devices was the AccuVote TSx, a touchscreen voting machine created by Premier Elections Solutions, the company formerly known as Diebold. In 2016, versions of that machine were used in some jurisdictions in 20 states, and statewide in Alaska, Georgia, and Utah.
The TSx could be hacked because its executable file, which controls the machine's operation, was connected to a local network — a known vulnerability. But the hackers also found a simple way to disable the machine: Its battery controller could be easily opened and an unsoldered chip could be removed, disabling the machine entirely.
ES&S didn’t respond to a request for comment.
The easiest was the Advanced Voting Systems WinVote, used in Virginia from 2003 until 2015 and regarded as one of the most vulnerable pieces of election equipment used in US elections in recent times. Among its other problems, the WinVote connects over Wi-Fi, a rarity in election machines, and which opens it up to a host of different attacks. A Danish researcher named Carsten Schulman was able to breach the system via Wi-Fi within minutes. He then used Metasploit, a tool used by penetration testers that allows a researcher — or an entry level hacker — to exploit known software vulnerabilities, which an unpatched WinVote system would have, and quickly gain administrative access. From there, he found he was able to change actual votes or shut it down from more than a hundred feet away.
Harri Hursti, a renowned voting machine hacker and founder of Nordic Innovation Labs, who helped organize the DEFCON event, said the existence of the machines’ vulnerabilities were less remarkable than how easily a creative and skilled hacker can breach one.
“It was well established before that all the machines are hackable,” he told BuzzFeed News. “The questions were how fast, and how many new ways people will find? I was surprised how fast the first machines were hacked,” he said. “It all happened in real time.”
Hackers who poked at a sixth machine, an ExpressPoll-5000 model electronic poll book, found several vulnerabilities, including the fact that a memory card that stored all the voter registration information for 643,517 voters in Shelby County, Tennessee, was easily physically removable.
Concern about voting machine insecurities has been high since they became the standard for casting ballots after the confused result in Florida after the 2000 presidential elections. That worry has only grown as more information becomes available about suspected Russian meddling in last year's presidential vote.
The Department of Homeland Security has acknowledged that suspected Russian hackers attempted to breach computer systems in 21 US states ahead of last November's balloting. DHS has said there is no evidence vote totals were changed in that balloting, but it also admits it hasn’t been able to conduct a formal audit.
Those reassurances also are undercut by previous hacks of decommissioned machines in controlled environments.
Hackers at the Voting Village found that they could likely overwrite vote totals on another machine, the iVotronic, by changing the firmware in an accompanying handheld device, known as a Personal Electronic Ballot, that election workers use to operate the machine. The iVotronic, also made by ES&S, were used statewide in South Carolina in 2016, as well as areas in 17 states and Washington, DC.
The Voting Village report also warned of so-called supply-chain vulnerabilities — the possibility that because much of the equipment relies on parts made in adversarial countries like China, there is a constant threat of a foreign government embedding secret vulnerabilities in US voting equipment.
Though DEF CON attendees were able to quickly find so many vulnerabilities in those machines, there has never been a similar, open look at back-end software of the voting process, which assembled and counts voting results.
“There’s never been a test of a complete system,” DEF CON founder Jeff Moss said Tuesday at an Atlantic Council panel addressing the findings.
“I’d love to be able to create any kind of complete system” at the next year’s conference, he said.
Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.
Contact Kevin Collier at firstname.lastname@example.org.
Got a confidential tip? Submit it here.