<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1678611822423757&amp;ev=PageView&amp;noscript=1">
Defrag This

| Read. Reflect. Reboot.

Election Day 2018 - US Electronic Voting Machines Still Have Security Flaws

Greg Mooney| November 06 2018

| security

defcon-highlights-us-electronic-voting-machines-security-flaws

Today is election day and voters are running to the polls to cast their vote. However, recent reports indicate that US citizens are not particularly confident in the technology used at the ballots. 

According to a recent Pew Research Report, 55 percent of Americans are not confident that the US election systems and technology are secure. This is no surprise considering all the news that US citizens have been trying to dissect for the past two years. What we all know now is that there was interference in the last general election and there probably will be issues of hackers infiltrating the election systems today as well. 

The problem really comes from electronic voting machines since anything that is connected to a computer can technically be hacked. Good news is that many states are adamant about keeping their paper-based voting systems, making those systems a heck of a lot more harder to infiltrate considering that it's an analog system. Bad news is that some states are still using the same electronic voting systems they have used for years, and despite the latest findings at DEF CON over the Summer, they still aren't budging. 

Some states will be using the same electronic voting machines we've been using for years, but are they really safe? Evidence presented at this year's DEF CON hacking conference says no, but what can we do about it? Should we go back to paper-only ballots? The more you peel back the onion that is the voting machine industry, the more you see that too many people have had their hands in this honey pot and that they aren't doing it in the best interests of the people. Since these machines represent the backbone of our democracy, the threat from hacking is real, and should be taken very seriously.

I had the chance to see, in person, dozens voting machines managed by ES&S being hacked away at by righteous security professionals, and it got me a little nervous. Just how protected is our voting process? 

Vulnerabilities in the US Voting Machines

It's not every day you get to see hundreds of talented hackers competing for bragging rights and your occasional bug bounty. Even more unusual is the government's willingness to let these white and black hats take swings at breaking the US voting systems. That's correct. Hackers, or security professionals if you'd prefer, going at it, reverse engineering ballot technology, trying to find even the slightest vulnerability or bug in the tech that protects the backbone of our democracy. 

I'd be lying if I said I didn't find the whole operation slightly unsettling after what transpired in the 2016 elections. There hasn't been any widespread evidence that hackers took control of the ballots in 2016, but with the investigation of Russian interference at the forefront of the news for almost two years now, the fragile state of our democracy is top-of-mind for Americans of all walks of life. Obviously, our votes are important, and so, obviously, we need to be able to trust the tech in place that lets us cast our votes. However, that trust has been hard to find lately, and for good reason. We've known for years now that these machines are vulnerable—Andrew Appel hacked into these machines in just seven minutes back in 2016.

IMG_0062

This was the second year for the Voting Machine Village, and not to take anything away from the other villages at DEF CON I visited, the Voting Machine Hacking Village seemed the most tense, and for obvious reasons, the most popular with press. This makes sense considering the voting machines that were being dismantled and studied happen to be the same voting machines that will be used in the upcoming 2018 midterm elections, in states such as Florida.

As in years before, hackers were able to crack into voting machines, though often not without physical access. This was expected. But what wasn't expected, was that a group of kids aged 8-16 from the r00tz Asylum would also be invited to hack 13 imitation websites linked to voting in presidential battleground states—and would succeed overwhelmingly. In one case, an 11-year-old boy was able to hack a replica of a Florida election website and change voting results in under ten minutes. 

Turns out that the voting machines that voters will be using in November aren't as safeguarded as the government would like us to believe. The problem is this: the government and local election commissions just don't have the capacity, resources (money), and know-how to do cyber security themselves. This isn't news. The government is notorious for spending endless amounts of tax payer money on outside contractors—but you'd think that those contractors could do a little more to inspect the security of the systems they are implementing. 

voting machine-1What really irks me is the website that these systems are posting results to. This sentiment is not only mine, just check out this PBS article. The voting machines are not connected to the actual websites where preliminary results are posted, but just being able to change the results before official results are posted on the website could cause confusion among the media and ultimately the public. We've all seen the elections, the press uses these sites with some confidence to show how the election is going. The accuracy of these preliminary polls are always off a few percentage points, but that's always made clear.

But what if those results posted on government websites are completely off because someone tampered with the results after the fact? You will have candidates believing they won the election when they didn't, refusing to concede and/or arguing for recounts. It's happened before in less extreme circumstances. 

A Brief History of the Diebold Voting Machines

Further investigation into the hardware and software of the voting machines turns up some startling details. The machines have a plaque on them that says "Diebold," i.e., Diebold Election Solutions (DES), who created the voting machines found at DEF CON. DES was a subsidiary of Diebold, but DES was renamed to Premier Electronic Solutions (PES) in 2007.  When you boot up the machines, PES is the name that shows on the screen. This explains the relation between Diebold and Premier Electronic Solutions.  

In 2018, both of these companies are now part of ES&S, which was originally a competing voting machine maker. Ironically, Bob Urosevich was both the founder of ES&S and the first CEO of Diebold. He must not of singed a non-compete. 

ES&S is currently owned by the McCarthy Group, which is your run of the mill capital investment firm. It is my presumption that ES&S is currently responsible for keeping the machines up-to-date, which can be argued that they are not considering they use years-old SSL encryption.

Although it's commonplace, especially in tech used by the government, I find it worrisome that neither Diebold nor Premier Electronics Solutions exist anymore and still use these names on the hardware and software. That's not to say that they don't update these machines, but I find it not dissimilar to a company's finance team using Windows XP on a Compac computer.

ES&S and Diebold were the dominant figures in voting machine technology in the 2000's after Congress and municipalities pushed for a more streamlined approach to voting, as opposed to paper ballots. 

If you want a more in depth history, you can check out Jennifer Cohn's blog post. She has a tremendous job compiling research and trying to bring awareness around the issues of this technology.

Unfortunately, electronic voting technology was pushed too quickly despite warnings from cyber security professionals who testified in the community at the time. To say the least, voting technology has had a very bumpy history and a very uncertain future.

Topics: security

Leave a Reply

Your email address will not be published. Required fields are marked *

THIS POST WAS WRITTEN BY Greg Mooney

Greg is a technologist and data geek with over 10 years in tech. He has worked in a variety of industries as an IT manager and software tester. Greg is an avid writer on everything IT related, from cyber security to troubleshooting.

Free Trials

Getting started has never been easier. Download a trial today.

Download Free Trials

Contact Us

Let us know how we can help you. Focus on what matters. 

Send us a note

Subscribe to our Blog

Let’s stay in touch! Register to receive our blog updates.