Pwned: DEF CON Hackers Crack US Voting Machines In Just 90 Minutes

diebold 1
Election hacking is a real concern these days, and Microsoft recently helped cripple Russian hacking group called "Fancy Bear" after the group pulled off the DNC hack last year. A group of hackers at DEF CON 2017 had a bunch of voting machines to play with and they found some exploits that could allow potential tampering with the voting system. Word from the hackers looking for exploits is that it took less than 90 minutes for the first cracks on the "secure" voting hardware to turn up. According to participants in the so-called Voting Village, the security on the machines was low and eventually a wireless hack was unearthed.

It would be easy enough for officials at voting locations to see a hacker connecting something physical to the voting machines, but a wireless attack could allow someone to tamper with the voting machines from afar. Multiple brands of machines were used in the hack session including hardware made by Diebold, Sequoia, and WinVote.

The voting machines were all purchased from eBay or government auctions. According to the hackers, the machines were outdated and ran exploitable software such as unpatched iterations of OpenSSL and Windows XP/CE. Some of the machines also had physically open ports that could be used for the installation of malicious software. One of the WinVote machines used in the hack session, which was previously used in county elections, was hacked via Wi-Fi using the MS03-026 vulnerability.

That vulnerability allowed Carsten Schurmann to access the voting machine from a laptop using RDP. Another of the machines had a potential remote attack vector using an OpenSSL bug CVE-2011-4109. "Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we've uncovered even more about exactly how," said Jake Braun, who sold DEF CON founder Jeff Moss on the idea earlier this year.

"The scary thing is we also know that our foreign adversaries – including Russia, North Korea, Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security."

One bright spot is that the WinVote machine attack wasn't fully secure, the attack would have been detected and logged. It's also worth noting that some of this voting hardware is no longer used in elections, but there is no indication of just how long the equipment has been out of circulation. Participants say that the flaws and hacks resulting from this session does highlight the fact that we need election officials to be very careful with physical and remote security.

"Elections have always been the concern and constitutional responsibility of state and local officials. But when Russia decided to interlope in 2016, it upped the ante," said Douglas Lute, former US Ambassador to NATO and now principal at Cambridge Global Advisors.

"This is now a grave national security concern that isn't going away. In the words of former FBI Director James Comey, "They're coming after America. They will be back."