Since the 2000 Bush-Gore election crisis and the hanging-chad controversy, voting machine vendors have been offering touchscreen voting machines as a solution to America’s voting woes — and security researchers have been pointing out that the products on offer were seriously, gravely defective.
Nearly 20 years later, the country’s voting security debt has mounted to incredible heights, and finally, just maybe, the security researchers are getting the hearing they deserve.
This year’s Defcon security conference in Las Vegas sports a “Voter Hacking Village,” where surplus voting machines (purchased in secondary markets like eBay) were made available to security researchers who’d never had an opportunity to examine them and who were then invited to hack them in a timed trial.
The winning team hacked their machine in minutes.
Also, organizers revealed that many of these machines arrived with their voter records intact, sold on by county voting authorities who hadn’t wiped them first.
I was in the room for some of this, and attended some of the excellent accompanying talks. The case for auditing and improving the country’s voting machine security has never been made plainer, or more urgent. This is important work.
One important note: voting machines increasingly use Digital Rights Management (DRM) to restrict software updates, which triggers Section 1201 of the 1998 Digital Millennium Copyright Act (DMCA), under which security researchers face potential criminal and civil penalties for revealing defects in products that are designed to control access to copyrighted works.
The Library of Congress granted a limited exemption to DMCA 1201 for voting machine research in 2015, and is likely to renew that exemption this year — but there’s a (big) catch. The LoC can only grant “use” exemptions, not “tools” exemptions. That means they can immunize you from liability for undertaking an activity (like bypassing DRM to investigate the security of a voting machine), but you still aren’t allowed to share tools (or information that would help make such a tool).
That means that security researchers are allowed to tell you that a voting machine is insecure, but face jail time and huge fines for describing their methodology in the kind of detail that would allow you to independently verify their research. This is a huge problem that acts as a major impediment to securing these machines.
That’s partly why the Electronic Frontier Foundation brought a lawsuit against the US Government to invalidate DMCA 1201. It’s also why we’ve asked the World Wide Web Consortium to amend its existing policies so that its controversial video DRM standard won’t become an impediment to investigating defects in systems that use browsers as their front ends.
This isn’t a mere theoretical risk. One of the tracks at Defcon is called “Skytalks,” and it was founded after a W3C member (Cisco) had a security researcher arrested for going public with his investigation of defects in the company’s products (he’d attempted to raise this alarm internally at Cisco without any luck). At Skytalks, no recording or cameras are permitted, and speakers present anonymously to avoid legal retaliation. The Skytalks presentations are only cursorily described in the program, so vendors don’t get advance warning that their products will be discussed in the room.
Many of the Skytalks presenters revealed defects in systems that used browsers and HTML5 to control them, and showed how the browsers and HTML5 components could be exploited to gain access to the systems they controlled. One talk revealed that the most common medical device used to monitor vital signs during surgeries (also manufactured by a W3C member) could be hacked by attacking its HTML components, so that it would report that a patient’s pulse, oxygen, etc. were fine, even as the patient was dying on the operating table.
Browsers are the control surface for an increasing slice of the “Internet of Things” — from voting machines to medical devices to cars — and we can ill afford to create no-go zones within them that can’t be safely audited by security researchers.
While many people at the Voter Hacking Village zeroed in on the weak mechanical lock covering access to the machine’s USB port, Synack worked on two open USB ports right on the back. No lock picking was necessary. The team plugged in a mouse and a keyboard — which didn’t require authentication — and got out of the voting software to standard Windows XP just by pressing “control-alt-delete.” The same thing you do to force close a program can be used to hack an election.
“It’s really just a matter of plugging your USB drive in for five seconds and the thing’s completely compromised at that point,” Synack co-founder Jay Kaplan said. “To the point where you can get remote access. It’s very simple.”
Synack’s team was able to access the voting machine from a mobile app by installing a remote desktop program on it.
Once you’re out of the voting program on the machine, it’s just like any old Windows XP computer, Synack found. In one case study, the company found a poll worker in Virginia had hacked the machine so she could play Minesweeper on it.
Hackers break into voting machines in minutes at hacking competition
[John Bowden/The Hill]
Defcon hackers find it’s very easy to break voting machines
[Alfred Ng/Cnet]