X

DARPA's $10 million voting machine couldn't be hacked at Defcon (for the wrong reasons)

The voting machine was supposed to be available for hackers to find security flaws. An unexpected bug stopped the experiment from starting until Defcon's last day.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read
20190810-163845

Galois's prototype voting machine wasn't available for hackers to test.

Alfred Ng / CNET

For the majority of Defcon, hackers couldn't crack the $10 million secure voting machine prototypes that DARPA had set up at the Voting Village. But it wasn't because of the machine's security features that the team had been working on for four months. The reason: technical difficulties during the machines' setup. 

Eager hackers couldn't find vulnerabilities in the DARPA-funded project during the security conference in Las Vegas because a bug in the machines didn't allow hackers to access their systems over the first two days. (DARPA is the Defense Advanced Research Projects Agency.) Galois brought five machines, and each one had difficulties during the setup, said Joe Kiniry, a principal research scientist at the government contractor.

"They seemed to have had a myriad of different kinds of problems," the Voting Village's co-founder Harri Hursti said. "Unfortunately, when you're pushing the envelope on technology, these kinds of things happen."

It wasn't until the Voting Village opened on Sunday morning that hackers could finally get a chance to look for vulnerabilities on the machine. Kiniry said his team was able to solve the problem on three of them and was working to fix the last two before Defcon ended.

The Voting Village was started in 2017 for hackers to find vulnerabilities on machines that are used in current elections. At the last two Defcons, hackers found vulnerabilities within minutes because the machines were often outdated. The Village shines a necessary light on security flaws for voters as lawmakers seek to pass an election security bill in time for the 2020 presidential election. 

Galois won a $10 million award from DARPA in March to create an open-source voting machine that could prevent hackers from tampering with votes. The machine's prototype allows people to vote with a touchscreen, print out their ballot and insert it into the verification machine, which ensures that votes are valid through a security scan. 

While the voting process worked, the machines weren't able to connect with external devices, which hackers would need in order to test for vulnerabilities. One machine couldn't connect to any networks, while another had a test suite that didn't run, and a third machine couldn't get online. It had been running on and off throughout Defcon, but Galois was more optimistic about Sunday. 

"This is the first day we've had reliability on these machines," Kiniry said. 

The late start is a disappointment for Galois because allowing hackers to find vulnerabilities at Defcon was the entire point of bringing the prototypes to the Voting Village. 

The team built it after looking at voting machine mistakes over the last two decades and created it with security standards comparable to the Department of Defense, Kiniry said in an earlier interview.   

The group wanted people to find vulnerabilities so it could fix issues as the project developed. Galois even added vulnerabilities on purpose to see how its system defended against flaws, WIRED reported

Hursti said that the team was already preparing to bring the project back to Defcon in 2020. The team looked to learn from what went wrong and re-issue the challenge next summer.

"It's miraculous that we were able to get something going on by now," Kiniry said.

Galois hoped that its voting machine prototypes would be the first ones in which hackers at the Village couldn't find vulnerabilities. In a way, it did.