This piece originally appeared on ABC News on August 10, 2018.
By LEE HARRIS
This year’s DEF CON kicks off Friday in Las Vegas, and hackers will again have access to dozens of pieces of equipment — voting machines and pollbooks widely used in U.S. elections, including several models they haven’t previously attempted to crack.
Children as young as 5 will compete to hack election results websites, and DEF CON has partnered with children’s hacking organization r00tz Asylum to award prizes to the first and youngest kids to breach the sites and hack equipment.
Jake Braun, a former White House liaison for the U.S. Department of Homeland Security, told ABC News that the conference decided to invite young hackers because it would be a “waste of time” to demonstrate that cybersecurity experts can hack election results reporting sites.
“These websites are so easy to hack we couldn’t give them to adult hackers — they’d be laughed off the stage,” Braun told ABC News. “They thought hacking a voter website was interesting 20 years ago. We had to give it to kids to actually make it challenging.”
Joseph Lorenzo Hall, chief technologist at Washington-based nonprofit the Center for Democracy and Technology, said it wasn’t at all surprising that the machines were so quickly breached at last year’s conference — several were broken into within two hours, and all within two-and-a-half days — given that cybersecurity experts have known about most of the weak points for years.
Many of the most common voting machine models are more than 15 years old and run on outdated operating systems such as Windows 2000, meaning that, in some cases “the biggest barrier to hacking them was finding the right pieces of old software,” Hall said.
Braun and Hall joined other technologists to co-author a report following last year’s Voting Machine Hacking Village — the section of the conference devoted to election security — detailing the most glaring weak points the computer scientists discovered in 2017.
In one of last year’s most distressing security breaches, Carsten Schürmann, an associate professor at IT-University of Copenhagen, was able to hack into an Advanced Voting Solutions’ 2000 WinVote machine — a model used in Virginia elections from 2003-2014 — in under 10 minutes.
Even more alarming than the speed of entry: Schürmann penetrated the computer via its Wi-Fi system, using a Windows XP exploit from 2003, meaning that any time the machine was in use, it would have been vulnerable to remote access.
“You can imagine someone driving around with a laptop from polling place to polling place and changing votes on these machines, with no paper trail,” Hall told ABC News.
While it took Schürmann just minutes to hack into the device, he has spent the past year conducting a comprehensive forensic analysis of WinVote Voting Machines, and will give a talk on his findings on Friday, the first day of the conference.
The AVS WinVote model has been put out of use, but experts say that several voting machine models currently in use are susceptible to similar attacks.
“We like to say, the machines and the voter registration databases aren’t connected to the Internet — except for all the times that they are,” Braun told ABC News.
Cybersecurity expert Matt Tait, a fellow at the University of Texas at Austin, explained several disturbing findings on Twitter after the 2017 DEF CON conference.
Braun also noted the concern that many voting machines use computer chips made in China, though he acknowledged that the international supply chain of electronics makes foreign sourcing hard to avoid. Still, having voting machines built in other countries opens up election technology to multiple opportunities for exploitation, he said.
“This strikes at the heart of the idea that you’d need thousands of Russians with physical access to the machines to get into them, when in fact, no, you don’t — you need one Russian to bribe a Chinese manufacturing-plant official, and now all of a sudden they own an entire class of machines nationwide,” Braun said.
“A nation-state actor with resources, expertise and motive, like Russia, could exploit these supply chain security flaws to plant malware into the parts of every machine, and indeed could breach vast segments of U.S. election infrastructure remotely,” the Voting Machine Hacking Village report reads.
Another worrisome discovery: Chinese music files had been downloaded on to one of the voting machines, Braun said.
Although most of the hardware vulnerabilities hackers previously exposed remain unaddressed, this year’s DEF CON will expand its scope to scrutinize “end-to-end” election infrastructure vulnerabilities. In the “Voting Village,” hackers will attempt to corrupt other components of the voting process, such as registration databases and election results reporting websites.
“All the vulnerabilities which were discovered last year are fundamental vulnerabilities in the system itself — vulnerabilities that cannot be fixed without redesigning the whole system, redesigning the hardware,” Harri Hursti, a computer programmer and another co-author of the Voting Village study, told ABC News.
Hursti stressed that making elections fully impenetrable — by using paper ballots, for instance — is the best strategy to prevent future election interference. “White Hat” hackers also advocate using open-source technology and educating election officials to protect against the “people problems” that make systems more susceptible to attack.
For the first time, DEF CON 2018 will feature talks from DHS election officials, alongside cybersecurity experts and programmers.
California Secretary of State Alex Padilla will participate in the conference’s keynote panel on Friday. Alejandro Mayorkas, former Deputy Secretary of Homeland Security, will deliver the afternoon keynote.
As Russian election interference remains in the spotlight and midterm elections loom, the event’s organizers have seen a surge in interest — organizers expect more than 500 election officials to attend their training, which they offer free as a public service. The officials will practice defending voting infrastructure against hackers in real time.