HomeLatest ThreadsGreatest ThreadsForums & GroupsMy SubscriptionsMy Posts
DU Home » Latest Threads » Forums & Groups » Main » General Discussion (Forum) » Every Single Voting Syste...

Tue Aug 1, 2017, 08:26 PM

Every Single Voting System Hacked Within Hours at DefCon's 'Voting Village'

How hackers in Las Vegas over the weekend confirmed what we've been yelling and screaming about for nearly 15 years. Namely, every single computer voting, tabulation and registration system used in the U.S. is absurdly vulnerable to manipulation that would likely go undetected unless hand-marked paper ballots exist and are actually counted, by hand, by human beings. [Audio link to full show posted below at end of article.]

At the annual hackers convention in Vegas known as DefCon, thirty voting system computers (both voting machines and electronic pollbooks) were made available to attendees to crack at will! And, boy howdy, did they! Every single system was reportedly compromised in some fashion by the end of the weekend --- several of them fell within just minutes of opening DefCon's so-called "Voting Machine Hacking Village".

We're joined today for some of the amazing details on what happened in Vegas (in hopes that it doesn't just stay there!) by DR. DAVID JEFFERSON, a longtime computer scientist at Lawrence Livermore National Laboratory and Chair of the Board of Directors at VerifiedVoting.org. Jefferson, who has a been a pioneer in the field of voting system security for some 20 years, serving as an advisor to five successive Secretaries of State in California (both Republican and Democratic) also presented at the wildly popular DefCon "Voting Village".

"It was a wild time, I have to tell ya. This hacking village was set up --- really, in just six weeks it came together --- and in that short a time, they managed to gather all these voting machines," he says. It was quite a contrast from the "cloak and dagger" days when folks like us had to obtain voting machines from secret sources to share with independent investigators in order to have any kind of independent analysis of system vulnerabilities.

"That room was just crowded from morning to night," Jefferson says, describing the room at DefCon. "And the amazing thing is that all of those successful hacks, these were by people who, most of them, had never seen a voting machine before, and certainly not the system sitting in front of them, and they had not met each other before. They didn't come with a full set of tools that were tailored toward attacking these machines. They just started with a piece of hardware in front of them and their own laptops and ingenuity, attacking the various systems. And it was amazing how quickly they did it!"

Jefferson tells me, after all of these years, he is now seeing a major difference among the public, as well as election and elected officials (a number of whom were also in attendance), regarding the decades-long concerns by experts about electronic voting, tabulation and registration systems.

"I am seeing a kind of sea change here. For the first time, I am sensing that election officials, and the Department of Homeland Security, and the FBI, and the intelligence community, and Congress, and the press, are suddenly, after the 2016 election experience, receptive to our message that these systems are extremely vulnerable and it's a serious national security issue. As you know, in a democracy, the legitimacy of government depends on free and fair and secure elections. And people are beginning to realize that we haven't had those for a long time."

He explains how hacking methods attributed by many to Russians following the 2016 elections "are the same methods that anyone on Earth could use --- insiders, criminal syndicates, nation-states other than Russia, as well, or our own political partisans. The fear, of course, is that these hacking attempts will be totally undetectable. But even if they are detectable, it's difficult often to determine who did it, whether it's an insider, or a domestic partisan, or some foreign organization."

He also confirms what I've been trying to point out since the 2016 election, that despite officials continuously claiming that no voting results were changed by anyone, be it Russia or anybody else, "they cannot know that. They simply can't know. Certainly in those states where there are no paper ballots, such as in Georgia, for example, it's impossible for them to know. And even in states where there are, if they don't go back and either recount the paper ballots, or at least recount a random sample of them, no, they can't know either."

"Election officials have fooled themselves into believing the claims of their [private voting machine] vendors that the systems are secure from all kinds of attack. And it's just never been true," Jefferson argues.

But will the weekend's short order hacks of every voting system presented at DefCon actually help the U.S. to finally move toward systems that are overseeable by the public? And what does that mean, exactly? Is replacing old computer election systems --- many of which still run on no-longer-supported software like Windows 2000 --- with new ones the answer? Are paper ballots, which voting systems experts call for, enough? Particularly given that we saw, after the 2016 election, how it's nearly impossible, even for a Presidential candidate, to see those ballots publicly hand-counted ("Democracy's Gold Standard" in order to confirm results?

"We have to change the way we think about securing elections. Instead of trying to harden the voting systems themselves against all forms of attack --- I think that is going to be a hopeless task for as far into the future as computer scientists can see. Instead of hardening those systems themselves, we need to design systems so that after the election is over we can verify that the results were correct. And then if they're not, we have to be able to change the results accordingly. So the emphasis is on detection and correction, not prevention."

I hash all of that out and much more with my friend Dr. Jefferson today, who also details DefCon's plans to make the "Voting Village" a permanent fixture of its annual convention, which just spectacularly wrapped up its 25th year.

Download MP3 or listen to complete show online below...
http://bradblog.com/?p=12238

14 replies, 1131 views

Reply to this thread

Back to top Alert abuse

Always highlight: 10 newest replies | Replies posted after I mark a forum
Replies to this discussion thread

Response to Amaryllis (Original post)

Tue Aug 1, 2017, 08:46 PM

1. Until our votes are guaranteed, democracy is very iffy.

We could all vote for a candidate, and have it not count. Voting integrity
is vital to our nation and our concept of democracy.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Amaryllis (Original post)

Tue Aug 1, 2017, 08:49 PM

2. All software can be hacked. Period.

The question is, were the voting systems hacked in a way that could have been accomplished in a real-world setting, and that would have created systemic changes in the tallies?

The machine visible to members of both parties (and frequently other voters) at all times - in other words if you have to take the machines apart to hack them (frequently the case in the hacks I've seen), it isn't a hack that is useful for interfering with an election.

Did the hacks change the votes in the desired way, without access to details about how the individual ballots were programmed? (All voting machines have generic software - added by the manufacturer. Individual ballots are programmed by each county on top of the generic software - including candidate name and party affiliation). Counties make different choices in how they program their ballots - so any hack would need to be able to be carried out at the manufacturer embedded software level AND predictably change every county (regardless of whether they entered Ds or Rs first, or had included relatively unknown third party candidates to make a difference.

Were the hacks ones that would be transmitted systemically - or would you need an army of hackers, each successfully hacking the machine they were voting on, to change enough votes to change an election?

This is not a real-world voting situation:

"That room was just crowded from morning to night," Jefferson says, describing the room at DefCon. "And the amazing thing is that all of those successful hacks, these were by people who, most of them, had never seen a voting machine before, and certainly not the system sitting in front of them, and they had not met each other before. They didn't come with a full set of tools that were tailored toward attacking these machines. They just started with a piece of hardware in front of them and their own laptops and ingenuity, attacking the various systems. And it was amazing how quickly they did it!"


You don't bring your laptop to the voting booth, or to work and have isolated access to the voting machines.

I do agree that we have to change the way we think about election security. If the physical process is secured, there isn't the opportunity to hack the machines.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Ms. Toad (Reply #2)

Tue Aug 1, 2017, 09:17 PM

3. Some were hacked over wireless

In those cases, no need to be physically attached. Hacks included both voting machines, tabulating systems, and registration data bases. Once hacked, hackers in some cases could change vote counts at will.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to unc70 (Reply #3)

Wed Aug 2, 2017, 12:02 AM

8. Registration databases and voting machines/tabulating devices are two different things.

Voting registration system are often permitted to be connected to the internet and cab have wireless connections. They shouldn't be that open, and the potential to hack the registration systems is a significant problem because those systems control who is permitted to vote, but it is not the same thing as changing votes cast.

Tabulations devices are generally prohibited from having wireless access, or a connection to the internet. The systems they discussed weren't connected to the internet, and didn't have native wireless access.

Neither the article, nor the podcast are clear enough to answer the questions I asked, and neither identify voting machines hacked in a way that could be carried out under standard voting conditions.

The only voting system they mentioned accessing remotely (1) is a machine no longer in use (2) required initial access by attaching external devices to the voting machine. and (3) required leaving a device to enable remote connectivity connected to the machine. The latter two are not a realistic possibility under real-world voting conditions.

I have yet to see any documented hack of a voting machine that can be carried out under real-world voting conditions. But knowing how hacks can be carried out - even when they involve manhandling the machines in ways that are (or should not be) possible with appropriate physical safeguards, it is very useful because it gives election officials useful clues about what to watch for so they can better train the teams who already watch the polling places.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Ms. Toad (Reply #8)

Wed Aug 2, 2017, 01:47 AM

10. Several systems were hacked over wireless

Details are just starting to trickle out from DEF CON. I have watched a couple of videos where they claimed to have wireless hacks of some voting machines, registration systems, and central tabulators. I have yet to see the detailed reports; they usually take a while to become public.

https://www.theregister.co.uk/2017/07/29/us_voting_machines_hacking/

The Register does describe a couple of the systems hacked over wifi. One was a Winvote system that was used in Fairfax, Virginia through 2014. These were among the least secure systems made and were decertified in VA in 2015. Just checked; Winvote are no longer in use in any state.

It is likely that most of the machines at DEF CON have been phased out by local governments. Otherwise, they probably would not have been on eBay. Vendors are reluctant at exposing their machines for testing.

BTW I think hacking voter registration is probably the easiest attack to make.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to unc70 (Reply #10)

Wed Aug 2, 2017, 08:26 AM

11. The winvote is the specific one I mentioned

It is the only one they gave any specific details about.

It is no longer used anywhere. The remote hacking was possible only after the machine was physically manipulated to add wireless capability, according to the only report I could find

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Ms. Toad (Reply #11)

Wed Aug 2, 2017, 09:10 AM

14. Winvote wifi can not be disabled!

No physical access was needed. None!

The Winvote system is notorious for having almost every problem imaginable, all in one system. Everyone really needs to read this entire article to see just how horrible voting systems can be. While other systems might look "less bad" by comparison, that does not mean they should be trusted either.

https://www.wired.com/2015/08/virginia-finally-drops-americas-worst-voting-machines

Although communication between the machines was encrypted, the wireless protocol they used was the notoriously insecure WEP. The FBI had demonstrated in 2005 that it could crack a 128-bit WEP key in about three minutes. But an attacker wouldn't have needed even this much time to attack Virginia's voting machines. By capturing and analyzing just two minutes of wireless traffic between two machines, investigators were able to crack the encryption key. The key turned out to be "abcde."

What's more, investigators found that even when they clicked a button to disable the wireless function in an attempt to close them off from remote attack, the device’s network card was still able to send and receive traffic. Once the encryption key was cracked, an attacker could have joined the wireless network to record voting data as it crossed the network, inject malicious data into the stream, or connect to voting machines to subvert them and an election. How so?


Please read the entire article.


Reply to this post

Back to top Alert abuse Link here Permalink


Response to Amaryllis (Original post)

Tue Aug 1, 2017, 09:17 PM

4. I just can't get all excited and worked up over hacks at a hackers convention.

Not saying our protecting the integrity of our voting system is not paramount, but this ain't gonna convince anyone we have a serious problem.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Hoyt (Reply #4)

Tue Aug 1, 2017, 11:36 PM

5. what will convince them? no one who cares has access to the proprietary machines and paper ballots,

 

such that they could find the evidence necessary, i.e. the smoking gun. that should be considered an unacceptable situation in and of itself; we should not be voting on machines with secret counting software and hardware. seems like you are asking that an impossible standard of proof be met.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to TheFrenchRazor (Reply #5)

Tue Aug 1, 2017, 11:44 PM

7. Every reasonable effort to protect the system is prudent. But I grew up when missing ballot

boxes were common. I suspect there were counting errors and intentional miscounting. There were probably outright intentional misreporting. I don't think hacking the actual voting machines is as easy as some believe, and should be easy to protect if the effort is made.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Amaryllis (Original post)

Tue Aug 1, 2017, 11:43 PM

6. I don't accept that elections officials worry about hacking

More likely they depend on it.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Amaryllis (Original post)

Wed Aug 2, 2017, 01:02 AM

9. Live Free or Diebold

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Amaryllis (Original post)

Wed Aug 2, 2017, 08:34 AM

12. Paper ballots, counted by hand

There is no other system that can be trusted. In the last election there were machines that the makers said should not be used if the seals were broken before hand. The seals were broken before hand and they were used. That was WI I think. Six districts were corrupted.
I am convinced that Hillary was the true winner of the election and that she won it with a bigger popular vote than Obama got in 2012. I think she won WI, MI, FL and PA.
If we do not go to paper ballots counted by hand we are fools. Dip my finger in purple ink...if it is good enough for third world countries it should be good enough for us and NO it is not slower than machine counted votes.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Amaryllis (Original post)

Wed Aug 2, 2017, 08:40 AM

13. And how will this change anything?

Reply to this post

Back to top Alert abuse Link here Permalink

Reply to this thread