Sergey Nivens - Fotolia
Voting machine hacking to be taken on at DEFCON 2017
Possible voting machine hacking has been a topic of conversation since before the 2016 election and at DEFCON 2017; professional pentesters will find out what damage can be done.
DEFCON is where hackers and pentesters come together to show off their skills at breaking security and on tap this year will be various teams trying their hands at voting machine hacking.
Hackers at DEFCON 25 are expected to try to crack voting machines from a number of angles. Some will attempt remote attacks on electronic voting machines, some will analyze hardware for flaws and others will look into potential voting machine hacking from the perspective of an attacker with physical access looking to affect individual machine results.
Before the 2016 U.S. presidential election there were reports of multiple hacks of state voter databases, security experts feared potential voting machine hacking during the election and the White House even warned Russia about it.
Jeff Moss, founder of DEFCON, told Politico that it was clear voting machine hacking was a topic that needed to be investigated given the news surrounding Russia's intentions to affect the 2016 U.S. presidential election. Moss said the DEFCON 2017 organizers are still in the early stages of planning, including locating used voting machines for the testing.
Neither Moss nor DEFCON officials responded to requests for comment, but Matthew Masterson, chairman of the U.S. Election Assistance Commission (EAC), offered to help.
Masterson said the EAC is "focused on helping state and local election officials carry out accurate, accessible and secure elections."
"Our door is always open to DEFCON organizers and anyone with the goal of improving the U.S. election system. The EAC is constantly looking for ways to improve U.S. voting system security and testing guidelines, so communicating with DEFCON could be very informative for us and equally informative for them," Masterson told SearchSecurity. "We've advised everyone from the Department of Homeland Security to the FBI about the inner workings of our nation's election systems. We would be happy to provide that same kind of soup to nuts expertise to DEFCON organizers."
The DHS refused to provide a comment for this story.
Voting machine hack testing only the beginning
Moss said the voting machine hacking plans at DEFCON 2017 might only be the beginning because it will only be a two-day affair and malicious actors could have much longer to plan attacks.
Brian Knopf, senior director of security research and IoT architect at Neustar, said it would still be beneficial to give "skilled penetration testers access to voting systems they would not otherwise have the means to test."
"That allows a much larger group to find vulnerabilities, which can only improve the security of these devices. For many years, we have heard that large scale hacking of voting systems is not possible. There is doubt regarding the accuracy of that statement because skilled penetration testers have not focused on these devices," Knopf told SearchSecurity. "Now we will actually be able to prove or disprove that statement with a large scale effort to find vulnerabilities from people who specialize in attacking these types of devices."
Tom KellermannCEO, Strategic Cyber Ventures
Masterson suggested the DEFCON 2017 village "set up should mimic the actual conditions and protections used by election administrators across the nation."
"We encourage them to engage state and local election officials, who can educate them on the realities of election administration and security measures officials put in place to protect elections," Masterson said. "It's important to note that elections take place in a layered environment -- people, laws, processes and technology. Technology is not the only part of that equation. Election administrators are a key part of that process as well. The EAC would be happy to facilitate communication between DEFCON and election administrators."
Tom Kellermann, CEO of Strategic Cyber Ventures, said this kind of voting machine hacking and pentesting "is profoundly important for the safety of future American elections."
"This is a national security issue. The testing will undermine the mythology that these machines are tamperproof," Kellermann told SearchSecurity. "The media's objective discussion will hopefully force the system to at a minimum: disconnect machines from local or wide area networks; create paper receipts of ballots to ensure integrity; and to force remediation timetables and resources for all viable vulnerabilities which are identified."
Thomas McCarthy, director of the cyber threat analysis team at Nuix, suggested voting machine hacking projects should be made more widely available.
"Voting machines should be more open source and publicly available for anyone to test. They might even consider implementing a bug bounty program to incentivize more security researchers to look at these systems and software," McCarthy told SearchSecurity. "Security testing is also only effective if issues identified are fixed. Many voting machines are legacy devices built without security in mind where issues might not be technically possible to be remediated. Money and effort needs to be spent to standardize systems and hardening to properly defend these devices."
Masterson said the work done at DEFCON could be implemented in future security testing.
"Election system security has long been a priority for state and local election officials, who conduct regular testing, develop contingency plans, and conduct post-election audits -- all steps that improve the voting process and instill voter confidence. With regard to technology specifically, when the results of state and locals tests are shared with the EAC, we take that data and use it to inform and improve our testing and certification practices," Masterson said. "We are actually in the midst of finalizing the next generation of voluntary voting system testing guidelines. We would be happy to consider the DEFCON results -- and any other similar information from anywhere in the nation -- as we continue that work."