When the password for a voting machine is “abcde” and can’t be changed, the integrity of our democracy might be in trouble.
The Advanced Voting Solutions WinVote machine, dubbed “America’s worst voting machine,” came equipped with this simple password even as it was used in some of the country’s most important elections. AVS went out of business in 2007, but Virginia used its insecure machines until 2015 before dropping them for scrap metal. That means this vulnerable hunk of technology was used in three presidential elections, starting with George W. Bush’s re-election in 2004 to Barack Obama’s in 2012.
In addition to Virginia, Pennsylvania and Mississippi used the WinVote without knowing all the ways it could be hacked. Unlike other technology — your phone, your laptop, connected cars — security wasn’t really a focus.
Google and Apple invite hackers to find flaws in their code and offer hefty rewards to those who find them. It’s a common practice in the industry. The government’s done it too, with programs like “Hack the Pentagon.”
But opportunities to test how secure our voting machines are from hackers have been rare. Manufacturers like to keep the details of voting machines secret. And they don’t often provide machines for people to test.
That’s why hackers swarmed to the Voter Hacking Village at Defcon in Las Vegas. The massive hacker convention is split into “villages” based on themes such as lock picking, encryption, social engineering and, for the first time, voter hacking.
Defcon received more than 30 voting machines to play with, providing a rare opportunity for hackers to find the flaws in our democracy’s technology. (The organizers didn’t specify how many models the 30 units represented.) Voting technology was elevated into the political spotlight in 2016 as lawmakers raised concerns about Russian hacking and President Donald Trump’s road to the White House.
To be clear, there’s no evidence any votes were hacked during the 2016 presidential election. But there hasn’t been much research on the voting machines to see if it’s possible.
“The exposure of those devices to the people who do bug bounties or actually look at these kind of devices has been fairly limited,” said Brian Knopf, an internet of things security researcher for Neustar, a security analysis company. “And so Defcon is a great opportunity for those of us who hack hardware and firmware to look to these kind of devices and really answer that question, ‘Are they hackable?'”
After just about an hour and a half, the answer was an emphatic “yes.”
In the time it takes to sit through “The Emoji Movie,” you could break into the WinVote machine through its Wi-Fi system, like DemTech’s investigator Carsten Schürmann did on Friday. DemTech is a research project that’s been looking at voting technology in Denmark.
He used a Windows XP exploit from 2003, which the voting machine never patched, and got remote access. That meant he could change the votes from anywhere.
Out of ctrl-alt-del
Synack, a security platform based in San Francisco, had its hands on the WinVote machine months ahead of Defcon. It discovered a host of serious flaws with the system.
While many people at the Voter Hacking Village zeroed in on the weak mechanical lock covering access to the machine’s USB port, Synack worked on two open USB ports right on the back. No lock picking was necessary.
The team plugged in a mouse and a keyboard — which didn’t require authentication — and got out of the voting software to standard Windows XP just by pressing “control-alt-delete.” The same thing you do to force close a program can be used to hack an election.
“It’s really just a matter of plugging your USB drive in for five seconds and the thing’s completely compromised at that point,” Synack co-founder Jay Kaplan said. “To the point where you can get remote access. It’s very simple.”
Synack’s team was able to access the voting machine from a mobile app by installing a remote desktop program on it.
Once you’re out of the voting program on the machine, it’s just like any old Windows XP computer, Synack found. In one case study, the company found a poll worker in Virginia had hacked the machine so she could play Minesweeper on it.
When you’re in the machine, changing votes is as simple as updating an Office document.
It’s like an Excel file in which “you would just change the number and upload it back,” said Anne-Marie Hwang, an intern at Synack, who demonstrated the vote changes.
The voting machine puzzle
Back at the village, once a voting machine was hacked, it could be reset to its original state for the next person to try his or her hand at it. It was like messing up a Rubik’s Cube before passing it to the next person to solve.
On Friday afternoon, a hacker tapped into the Windows XP side of the AVS WinVote machine and installed Windows Media Player on it. He then rickrolled the room by playing Rick Astley’s “Never Gonna Give You Up” on the voting machine.
A hacker calling himself “Oyster” and his team tried to break into a Diebold Nixdorf voting machine on Friday after another team had successfully compromised it.
“I hope that we find a load of vulnerabilities in these just so we can open it up to the public to see how serious the problem is,” he said.
Diebold said it sold its voting machine business in September 2009, and declined to comment for the story.
The village is expected to return to Defcon for the next three years, right up until Trump’s potential re-election campaign. The hackers at Defcon hope by 2020, their exploits will lead to changes in voting booth technology.
“Hacking it is good because it’s able to inform politicians and people in Congress about what they should do with voting machines,” Hwang said. “If no one ever hacked them, we might be still using things like this.”
CNET Magazine: Check out a sample of the stories in CNET’s newsstand edition.
Logging Out: Welcome to the crossroads of online life and the afterlife.