One of the nation’s largest cybersecurity conferences is inviting attendees to get hands-on experience hacking a slew of voting machines, demonstrating to researchers how easy the process can be.
“It took me only a few minutes to see how to hack it,” said security consultant Thomas Richards, glancing at a Premier Election Solutions machine currently in use in Georgia.
The DEF CON cybersecurity conference is held annually in Las Vegas. This year, for the first time, the conference is hosting a “Voting Machine Village,” where attendees can try to hack a number of systems and help catch vulnerabilities.
The conference acquired 30 machines for hackers to toy with. Every voting machine in the village was hacked.
Though voting machines are technologically simple, they are difficult for researchers to obtain for independent research. The machine that Richards learned how to hack used beneath-the-surface software, known as firmware, designed in 2007. But a number of well-known vulnerabilities in that firmware have developed over the past decade.
“I didn’t come in knowing what to expect, but I was surprised by what I found,” he said.
He went on to list a number of actions he hoped states would take to help secure machines, including increasing testing opportunities for outside hackers and transparency in voting machine design.
Speakers and organizers said they hoped the village would raise awareness about election machine security issues within the cybersecurity community.
And they hope that the attendees, many of whom are election experts, will pressure states to do more to protect those systems.
“There’s so much misinformation about voting machines on the internet,” said Harri Hursti, cofounder of Nordic Innovation Labs, who helped organize the event.
“The Village was announced last minute. But in the forums, people were active, looking to understand the problem. The changes have to start somewhere. This year it’s in this room, next year it will be a bigger room.”
Though many activists ask for auditable voting machines that don’t leave a paper trail, Hursti said there were no commercially available machines he would recommend.
There is also debate within the cybersecurity community over the extent of the threat from voting machines that haven’t been secured.
Eric Hodge, director of consulting at CyberScout and a consultant for Kentucky’s Board of Elections, said that with proper security processes in place, the threat to large elections is minimal.
Read the complete article at thehill.com
Joe Uchill is a cybersecurity reporter for The Hill.