DEFCON 26, building on its work in hacking ballot machines last year, saw three days of probing into various aspects of the end-to-end voting infrastructure in place in the U.S., including a voter registration database and election reporting websites. Several vulnerabilities and exploits came to the fore – prompting push-back from a voting machine vendor and secretaries of state, just as the U.S. prepares for the midterm elections.
The Vote Hacking Village invited attendees – including kids as young as six – to study and identify vulnerabilities in election equipment used around the United States as well as other nations. NSA and former Trump White House Cyber Czar Rob Joyce joined the proceedings, noting from the DEF CON stage in a talk that “there are people who are going to attempt to find flaws in those [election] machines whether we do it here publicly or not. So, I think it’s much more important that we get out, look at those things, and pull on it.”
The DEFCON Voting Village featured hands-on experience with at least nine types of voting equipment (voting machines, e-poll book systems and election-related security appliances), almost all of which are in use in elections today. Participants were able to find or replicate a range of vulnerabilities, from passwords stored on the machines with no encryption to buffer overflows in critical input routines.
Another hacker oddly uncovered 1,784 random files, including MP3s of Chinese pop songs, hidden among the operating system files of another voting machine.
On the defense side, the Voting Village featured a cyber-range for training election officials on how to defend a simulation of a state’s voter registration database from canned attacks and live hackers.
Last year, the DEFCON cyber range was penetrated in 10 minutes by live hackers; in a bit of good news, this year, it deployed a security code used by foreign military to make it harder to penetrate. Hackers came very close but were unable to crack it.
“It’s been incredible the response we’ve received. We’ve had over 100 election officials come through here and they expressed over and over again how much they have appreciated learning from this opportunity,” said Matt Blaze, another co-founder of the Voting Village.
In terms of exploits, white-hats were able to show an array of disturbing hacks; these included everything from prank-level successes (e.g., hacking a voting machine to play gifs and music) to the deeply concerning (participants were able to hack a mock election to give an unlisted candidate the most votes, and an email ballot was altered so that the recorded vote was different from what was selected).
For instance, active Diebold TSX voting machines were found to be running on expired SSL certificates from 2013, and the Diebold machine locks turned out to be easily hackable. A hacker was able to reprogram a Diebold TSX to play gifs and music after uploading a Linux operating system.
Also, Diebold poll book machines (specifically, the Express Poll 5000) were found to be vulnerable to having their easily accessible memory cards removed from the top of the machine and replaced with a market-purchased copy, pre-loaded with alternative voting poll information. This means that voters who attempt to vote at a polling place may find that they are no longer in the precinct’s records, or other voters could be added who could then vote in that polling place.
Disturbingly, the hack can easily be performed by a voter within five seconds, using a distraction, or by a poll worker with access to all machines.
These machines also keep supervisor passwords on cards in plain text (plus, the root password is “password”); they also store personal records for all voters, including the last four digits of Social Security numbers, addresses and driver’s license numbers – all without protection by any encryption. The hackers were able to read and write the database inside using the simple database program SQLite, although exploiting this vulnerability would require physical access to the pollbooks to make use of the info.
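An audit check for the storage problem described above, as an added example that is not from the original article or from any vendor: it tests whether a file is an unencrypted SQLite database by its 16-byte header and lists columns whose names suggest personal data or credentials. The table names, column names and name hints are constructed for the demonstration.

```python
import os
import re
import sqlite3
import tempfile

# First 16 bytes of every unencrypted SQLite 3 database file.
SQLITE_MAGIC = b"SQLite format 3\x00"
# Hypothetical column-name hints; tune them to the schema actually in use.
PII_HINT = re.compile(r"ssn|social|licen[sc]e|address|birth|password", re.I)


def audit_sqlite_file(path: str) -> dict:
    """Report whether a file is a plaintext SQLite DB and which columns look sensitive."""
    with open(path, "rb") as fh:
        plaintext = fh.read(16) == SQLITE_MAGIC
    report = {"plaintext_sqlite": plaintext, "sensitive_columns": []}
    if not plaintext:
        return report  # encrypted at the file level, or not SQLite at all
    # Open read-only so the audit cannot modify the media being examined.
    uri = "file:" + path.replace("\\", "/") + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        tables = [row[0] for row in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            for col in conn.execute(f"PRAGMA table_info({quoted})"):
                if PII_HINT.search(col[1]):  # col[1] is the column name
                    report["sensitive_columns"].append(f"{table}.{col[1]}")
    finally:
        conn.close()
    return report


def demo() -> dict:
    """Build a constructed poll-book-like database and audit it."""
    path = os.path.join(tempfile.mkdtemp(), "constructed_pollbook.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE voters (id INTEGER, name TEXT, ssn_last4 TEXT, "
                 "address TEXT, drivers_license TEXT)")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.commit()
    conn.close()
    return audit_sqlite_file(path)


if __name__ == "__main__":
    print(demo())
```

A `plaintext_sqlite` result of `True` together with any flagged column means anyone holding the card can read those fields with stock tools.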
Meanwhile, Election Systems & Software (ES&S) Vote Counter machines, the kind used by counties to count ballots from municipalities, were found to have active Ethernet ports, exposing them to several vulnerabilities.
One hacker found that if you remove the back panel on an ES&S m650, one of these ports could be used to completely control the machine; thus, he was able to get serial console access to the machine. Also, the machine is running a version of the QNX operating system with no password.
In addition, a zip drive on the front of the machine would allow someone to load a corrupted version of software with no digital verifications by the machine that the update is legitimate; the new software will override the software on the machine. In fact, any file named “update” on an inserted zip disk will immediately be executed at the highest privileged level – regardless of the kind of program it is. In other words, it’s a short-cut method of running arbitrary code.
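The missing check described above, sketched as an added example (not code from the article, ES&S or any real updater): an image from removable media is accepted only if an authenticated manifest vouches for its exact bytes and a newer version number, regardless of the file's name. HMAC from the standard library stands in for the asymmetric signature a production updater would verify; the key, manifest fields and version numbers are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real device would hold a vendor public key instead.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_manifest(manifest: dict, key: bytes = DEVICE_KEY) -> str:
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(image: bytes, manifest: dict, tag: str,
                  installed_version: int, key: bytes = DEVICE_KEY) -> tuple:
    """Device side: decide whether an image found on removable media may run."""
    # 1. The manifest must be authentic before any field in it is trusted.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    # 2. The image must be exactly the bytes the manifest describes.
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, str(manifest.get("sha256", ""))):
        return False, "image digest mismatch"
    # 3. Refuse rollback or replay of an older or identical release.
    version = manifest.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "version not newer than installed"
    return True, "ok"


def demo() -> list:
    """Run the check over constructed inputs and return each verdict."""
    good = b"constructed firmware image v8"
    manifest = {"sha256": hashlib.sha256(good).hexdigest(), "version": 8}
    tag = sign_manifest(manifest)
    cases = [
        (good, manifest, tag, 7),                      # legitimate update
        (b"any file named update", manifest, tag, 7),  # swapped image
        (good, {**manifest, "version": 9}, tag, 7),    # edited manifest
        (good, manifest, "", 7),                       # no tag at all
        (good, manifest, tag, 8),                      # replay of current version
    ]
    return [verify_update(*case)[1] for case in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```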
In the “precocious” column, an 11-year-old was able to hack a replica state-level Secretary of State website within 10 minutes. In all, 39 kids aged 6 to 17 attempted to hack replicas of the websites of six swing states; 35 kids were able to complete an exploit. They tampered with vote tallies, party names and candidate names (including “Bob Da Builder” and “Richard Nixon’s Head”), and changed the total vote counts to numbers like 12 billion.
Read the complete article at threatpost.com
Tara Seals covers a variety of cybersecurity topics for threatpost.com.