US officials hope hackers at Defcon find more voting machine problems

Better now than during the midterm elections.

Alfred Ng Senior Reporter / CNET News

A voting machine gets replaced with memes at Defcon after hackers get their hands on it.


This election day, US officials are hoping for a vote of confidence on cybersecurity.

Hackers at the Defcon cybersecurity conference in Las Vegas on Friday took on voting machines again, after showing how easy it was to break into election machines at last year's gathering. This time around, officials from the US Department of Homeland Security were on hand to learn directly from hackers who find problems with election security.

"We've been partners with Defcon for years on a lot of various different issues, so we see a lot of value in doing things like this," Jeanette Manfra, DHS' top cybersecurity official, said at Defcon.

In her speech, Manfra invited hackers at Defcon to come find her afterward to talk more about election security.

"We'd love it if you worked for us," she said. "We'd love it if you worked with us."


This exercise is particularly relevant given that the US midterm elections are just three months away. Election security has become a major concern not just for the US, but for democracies around the world. Hackers have targeted elections not only in the US but also in France and Kenya.

Cyberattacks against elections threaten trust in politics and leadership, as lawmakers worry that votes can be changed or results altered by hackers. At the Department of Homeland Security's cybersecurity summit in New York in July, US Vice President Mike Pence urged more states to improve their election security.

"It concerns us that many states still don't have concrete plans to upgrade their voting systems, and 14 states are struggling to replace outdated voting machines that lack paper trails before the next presidential election," Pence said.

15 minutes or less

This year's voter hacking village upped the ante, challenging hackers to disrupt the entire voting process -- not just the machines themselves.

That includes everything from the moment someone registers to vote to when the election results are posted online. At the village, dozens of hackers were plugged into voting machines used in elections around the country. Many were taken apart, with exposed hardware lying around tables.

One machine, a Diebold TSX model that had been brought in from Stark County, Ohio -- a battleground state -- was compromised to show viral reaction GIFs instead of the original voting screen. A hacker who went by "echo2" and declined to give his real name said he put up the GIFs because he was bored. 

He had opened up and closed the machine without leaving any signs on the outside.

"You can mess with the hardware and no one would even notice," the hacker said. "Should you be trusting your vote with these? I don't think so."

On one table, about a dozen hackers had their computers hooked up to machines, experimenting with different lines of code and scanning for other openings they could find.

One group figured out exactly how they could compromise a voting machine within 15 minutes, determining which model the machine was and what software version it was running. It's important for them to find these vulnerabilities to protect elections, Arnold Wynn, a security engineer in the group, said.

"If voters lose confidence in one machine, then they lose confidence in all machines," he said. When asked if he still voted, Wynn said yes while shaking his head with disappointment.

Countdown to Election Day

Local election officials are also at Defcon this year, looking to learn about all the things they should watch out for this November.

Noah Praetz, the director of elections for Cook County, Illinois, said that 2016's hacking revelations meant that election officials are now also responsible for cybersecurity, something that they're not all equipped to deal with.

Amber McReynolds, the director of elections for Denver, agreed. She said election officials have been able to fend off bomb threats and fire hazards, but when it came to cyberattacks, it was a bigger challenge.

"Cyber and technology is not a strength that most of them have," she said.

At least 70 percent of the machines provided this year are also currently being used in US elections, and Defcon has also invited children and teens to hack election tracking websites.  

"The websites are so vulnerable that we couldn't actually give them to the adult hackers, it'd be too easy, they wouldn't find it interesting," Jake Braun, the co-organizer of the hacking village, said. "So we gave it to the children hackers."

His 7-year-old twins are among the kids taking on the challenge, he said.

In a statement, the National Association of Secretaries of State disagreed with the village's hacking efforts, arguing that the village is setting up an unrealistic scenario.

"Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day," the organization said.  

Despite the voting machine vulnerabilities being exposed at Defcon, it's not clear whether the exercise will be able to help with the midterm elections in November. Braun said Defcon's report on the voting machines will be published in September, giving election officials two months to fix all the reported security issues.

By comparison, companies are usually given 90 days to fix security vulnerabilities.

Manfra said local officials wouldn't have enough time to make changes based on the report from Defcon. 
