Half of US states using voting machines with a known vulnerability, says report

The security flaw was flagged in 2007.

Marrian Zhou Staff Reporter

Marrian Zhou is a Beijing-born Californian living in New York City. She joined CNET as a staff reporter upon graduation from Columbia Journalism School. When Marrian is not reporting, she is probably binge watching, playing saxophone or eating hot pot.

See full bio

Marrian Zhou

Sept. 27, 2018 11:52 a.m. PT

2 min read

hackers-tweaking-a-voting-machine-to-break-in — Hackers at the Defcon voter hacking village take a look at the software on a voting machine.
Alfred Ng/ CNET

Elections machines used in 26 states and DC remain vulnerable to a cybersecurity flaw that was disclosed in 2007, according to a new report.

The vulnerability in the Model 650 ballot-counting machine made by Election Systems & Software was among several outlined in a Defcon report released Thursday. The report, based on research from this year's cybersecurity conference, called on Congress to regulate basic security standards of the machines.

A flaw in the Model 650's update procedures poses a security risk, according to the report, and was previously identified in a report commissioned by Ohio's secretary of state in 2007. While the 11-year-old flaw requires physical access to the machine, the researchers also found that hackers can gain access to the ballot-counting machines remotely, and hack into them within two minutes.

"The base-level security protections on the M650 are not as advanced as the security protections that exist on the voting machines ES&S manufactures today [because we] discontinued manufacture of those units in early 2008," ESS spokesperson Jill Regester said in an email statement. "Although we believe that the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real-world environment and, therefore, safe and secure to use in an election."

Other voting machines showed vulnerabilities at Defcon before as well. It was reported in July 2017 that Advanced Voting Solutions WinVote machines were used in Virginia until 2015 even though the company went out of business in 2007 for lacking security. Hackers try to find cybersecurity flaws in voting machines at the voter hacking village at Defcon every year.

"What these vulnerabilities in this report and warnings from national security leaders tell us is that this is a severe national security threat," said Jake Braun, voting village co-organizer and executive director of the Cyber Policy Initiative at the University of Chicago, in an email statement. "Since it's the federal government's job to protect our country, Congress must act and fund dramatic upgrades to our election infrastructure. Then our national security apparatus, like the Department of Homeland Security and other national security agencies, must step in to secure our elections."

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

Taking It to Extremes: Mix insane situations -- erupting volcanoes, nuclear meltdowns, 30-foot waves -- with everyday tech. Here's what happens.