Voting Machines Hacked At Defcon

Voting Village was the place to be at Defcon if you were interested in the security of your vote.

The sponsors of the village bought 30 voting machines – many on eBay.

Full disclosure – some of these models are no longer in use, but others are still in use.

One older (in use until 2014) Winvote machine was hacked in seconds.

One Express Poll machine from the great state of Tennessee still had voter information on it for 600,000 voters, even though the machine was supposedly wiped before being sold.  The data was on a memory card, and the Defcon hackers were able to take that card, put it in a card reader and read the data.  That tells me that the data was not encrypted.  WHY???????  In this day and age, why would you not encrypt that data?

Defcon plans to expand Voting Village over each of the next three years.  Hopefully the vendors of these machines will see this as an opportunity to improve their security.

To be fair, these attacks went after individual voting machines so the possibility of massively changing the vote using these techniques is not practical.

On the other hand, these friendly hackers only got to spend about 24 hours with these machines.  If they had as much time as a hacker might have, could they do more damage?  ABSOLUTELY.  How much damage?  That is unknown.

More likely, state-sponsored hackers would go after the state and local vote management organizations such as a Secretary of State.  According to DHS, hackers did attempt to hack these organizations in over 30 states.  What they have not said is how many of these were successful and what they succeeded at doing.  Stealing data is one thing.  Corrupting data is another thing.  Changing data is yet another thing.  Finally, deleting data is yet another possibility.

What we definitely will see over the next few years is more good guys hacking machines to improve security – and more bad guys hacking machines – because they can.  This is definitely a cat-and-mouse game.

Information for this post came from Wired.
