It would be easy enough for officials at voting locations to see a hacker connecting something physical to the voting machines, but a wireless attack could allow someone to tamper with the voting machines from afar. Multiple brands of machines were used in the hack session including hardware made by Diebold, Sequoia, and WinVote.
Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine. pic.twitter.com/1Xk3baWdxv— Robert McMillan (@bobmcmillan) July 28, 2017
The voting machines were all purchased from eBay or government auctions. According to the hackers, the machines were outdated and ran exploitable software such as unpatched iterations of OpenSSL and Windows XP/CE. Some of the machines also had physically open ports that could be used for the installation of malicious software. One of the WinVote machines used in the hack session, which was previously used in county elections, was hacked via Wi-Fi using the MS03-026 vulnerability.
That vulnerability allowed Carsten Schurmann to access the voting machine from a laptop using RDP. Another of the machines had a potential remote attack vector using an OpenSSL bug CVE-2011-4109. "Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we've uncovered even more about exactly how," said Jake Braun, who sold DEF CON founder Jeff Moss on the idea earlier this year.
"The scary thing is we also know that our foreign adversaries – including Russia, North Korea, Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security."
One bright spot is that the WinVote machine attack wasn't fully secure, the attack would have been detected and logged. It's also worth noting that some of this voting hardware is no longer used in elections, but there is no indication of just how long the equipment has been out of circulation. Participants say that the flaws and hacks resulting from this session does highlight the fact that we need election officials to be very careful with physical and remote security.
"Elections have always been the concern and constitutional responsibility of state and local officials. But when Russia decided to interlope in 2016, it upped the ante," said Douglas Lute, former US Ambassador to NATO and now principal at Cambridge Global Advisors.
"This is now a grave national security concern that isn't going away. In the words of former FBI Director James Comey, "They're coming after America. They will be back."