Maksim Kabakou - Fotolia
DEF CON report: Election equipment plagued by 10-year-old flaw
The DEF CON report from the 2018 Voting Village paints a troubling picture for election equipment vendors, including a machine with a flaw known since 2007 left unpatched.
Year two of the DEF CON Voting Village expanded on the scope of the security research project, but the event's security report shows similar failings by election equipment vendors and an urgent need for paper ballots.
The Voting Village at DEF CON 26 in Las Vegas included more than 30 pieces of election equipment, and organizers said all of the equipment -- except for the AVS WINVote -- can still be found in use in the U.S. today.
The Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases, and Infrastructure was co-authored by Voting Village organizers Matt Blaze, associate professor of computer and information science at the University of Pennsylvania; Jake Braun, CEO of Cambridge Global Advisors, based in Arlington, Va.; Harri Hursti, founding partner at Nordic Innovation Labs; Jeff Moss, founder of DEF CON, and David Jefferson, board member of Verified Voting and Margaret MacAlpine, founding partner at Nordic Innovation Labs.
"The Voting Village is the only public forum in United States at which hackers have nearly unrestricted access to discover vulnerabilities in the equipment. In addition, this year the Voting Village conducted unprecedented outreach to state and local election officials, inviting them to participate in the Village's activities and receive free training from cybersecurity experts," the authors wrote in the DEF CON report. "As was the case last year, the number and severity of vulnerabilities discovered on voting equipment still used throughout the United States today was staggering."
The DEF CON report listed "dozens" of flaws found across the election equipment, including a voting tabulator from ES&S used in 26 states that was vulnerable to remote exploit, a voting machine used in 18 states in which administrator access can be obtained in under two minutes and a flaw in electronic cards used to activate voting machines that could allow an attacker "to take over the voting machine on which they vote and cast as many votes as the voter wanted."
Darien Kindlund, data scientist and vice president of technology at Insight Engines, said this DEF CON report appears to be "merely the tip of a much larger iceberg, in terms of election security vulnerabilities."
"These findings were produced by a team of volunteers who ultimately care about election security. Instead, what if this were a team of experts funded by a nation state? How many more vulnerabilities would they be able to find?" Kindlund asked. "Our election systems should be vetted the same way our crypto algorithms are vetted. Specifically, knowing how an election system works end-to-end should not impact the security of this system. If that is not the case, then vendors are relying on security-by-obscurity which is a recipe for disaster."
DEF CON vs ES&S
The DEF CON report made special note of the ES&S M650, an electronic ballot scanner and tabulator used for counting both regular and absentee ballots. Not only was that piece of election equipment vulnerable to remote exploit, but contained a flaw that had been disclosed in 2007 and remained unpatched.
When asked about whether these flaws had been patched and if ES&S had data on how often customers updated election equipment software, a spokesperson from ES&S did not answer and instead noted that ES&S "discontinued the manufacture of those units in early 2008."
"The base-level security protections on the M650 are not as advanced as the security protections that exist on the voting machines ES&S manufactures today, although we believe that the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real-world environment and, therefore, safe and secure to use in an election," the spokesperson wrote via email.
Darien Kindlunddata scientist and vice president of technology at Insight Engines
ES&S did not respond to questions regarding reports that the M650 was still on sale through the ES&S website as of Monday. The device appears to have been removed from the site as of this post, but the Internet Archive Wayback Machine show the M650 on sale through the ES&S website as of the last site snapshot on Oct. 7, 2017.
The ES&S spokesperson added that "while there's no evidence that any vote in a U.S. election has ever been compromised by a cybersecurity breach, ES&S agrees the cybersecurity of the nation's voting systems can and should be improved."
"The totality of security measures -- such as voting machines never being connected to the internet, tamper-resistant seals, along with more advanced technology found in newer equipment -- provides for an environment that would be difficult to compromise without detection," the spokesperson wrote. "The totality of security measures -- such as voting machines never being connected to the internet, tamper-resistant seals, along with more advanced technology found in newer equipment -- provides for an environment that would be difficult to compromise without detection."
ES&S did not respond to follow-up questions regarding how an election security breach might be detected -- something DEF CON organizers questioned -- nor did ES&S respond to the claim in the DEF CON report that tamper-resistant seals were ineffective.
"There is a common misconception that physical security precautions (tamper-evident seals, locks, etc.) keep voting machines safe from malicious attacks. While all equipment was shipped to us with keys, the researchers wanted proof that the locks in the machine did not inhibit access," authors wrote in the DEF CON report. "In under a minute, a Voting Village researcher picked the lock on the back of the M650 and unlocked its case, gaining full access to the computer systems and electronics via a serial connection to the main board."
Blaze was one of the people called upon by the Secretaries of State in 2007 to lead the research teams -- made up of graduate students -- investigating the direct-recording electronic (DRE) voting machines in California and Ohio over the course of six weeks. In a press conference Thursday, Blaze said the teams found that election equipment from "every vendor and in every state" had security vulnerabilities.
"That is, things someone with no more access than a poller or voter could do to cast doubt on the outcome of an election -- change votes -- and do it in ways that couldn't be audited. We knew in 2007, as a result of those studies, those machines were so insecure that they shouldn't be used in elections," Blaze told reporters. "If we fast forward 11 years to the DEF CON Voting Village, the most disturbing outcome is how little is new. The vulnerabilities and the types of vulnerabilities we discovered in 2007 are all still there and can be exploited and discovered and re-engineered by general technologists, not specialists."
Moss said in the press conference that DEF CON has seen evidence that "there's essentially a civil war happening at companies like ES&S." Moss described situations where executives at election equipment vendors want to deny any security vulnerabilities, but engineers at those same companies feel like now would be "a great time to change things and improve" going forward, but no one wants to admit past flaws.
Election equipment security research
Kindlund said overall, he thinks vulnerability reporting on election systems is "extremely poor and unorganized."
"For example, for each vulnerability reported, why was there no CVE issued to track it? If the vendor were not Diebold but rather Microsoft, we would likely see those assigned vulnerabilities formally tracked as CVEs," Kindlund wrote via email. "Ultimately, this comes down to accountability and transparency by the election system vendors. There needs to be formal, transparent processes in place to track and manage vulnerabilities. This doesn't seem to exist today."
Hursti said election equipment vendors "seem to be living in the past," with a desire to shut down research and a reluctance to listen to any recommendations.
Blaze likened the reactions of election equipment vendors to those of software vendors in the early computer industry, who initially pushed back against security research. But Blaze said those in the computer industry "quickly realized it was a bad practice to try to stop researchers, because the bad people looking for flaws won't tell you about what they found."
The ES&S spokesperson said the company "works closely and transparently with federal officials on a daily basis and voluntarily takes every machine it offers to customers through federal certification, which includes robust cybersecurity testing to supplement its own security testing and other third-party security testing."
"In addition, ES&S proactively invites academics, federal and state officials, and other experts to its offices for first-hand examinations of its equipment and transparent discussions of ES&S practices in its quest to further security for the nation’s voting environment," the spokesperson added.
ES&S did not respond to follow-ups as to why they do not work with DEF CON or if they plan to work with the Voting Village in the future.