Voting Machine Vendors, Election Officials Continue To Look Ridiculous, As Kids Hack Voting Machines In Minutes
from the voting-village-strikes-again dept
Last year at Defcon, the Voting Machine Hacking Village showed just how bad the security was on electronic voting machines. This is not a surprise, of course. It’s a topic we’ve covered on Techdirt going back almost 20 years. But what’s still most incredible is how much the voting machine manufacturers and election officials continue to resist the efforts of security experts to explain all of this. Even earlier this year, there were reports about the insane lengths that voting machine vendors were going to to try to stop Defcon from obtaining their machines:
Village co-organizer Harri Hursti told attendees at the Shmoocon hacking conference this month they were having a hard time preparing for this year’s show, in part because voting machine manufacturers sent threatening letters to eBay resellers. The intimidating missives told auctioneers that selling the machines is illegal — which is false.
Meanwhile, election officials have been whining about the whole thing, and telling people not to pay any attention to all of this:
Election officials from the National Association of Secretaries of State (NASS) bristled at the demonstrations, saying they didn’t reflect what could actually happen on Election Day. So did voting machine vendors, which argued it would be difficult for adversaries to gain the level of access necessary to tamper with equipment.
Leading voting machine Vendor, ES&S put out a completely bullshit letter to its customers basically saying “don’t pay any attention to Defcon.” That letter was expertly debunked and mocked by reporter Kim Zetter:
In advance of the @VotingVillageDC tomorrow, ES&S sent a message to customers today with their comments about the hacking village and the security of their machines. I've pasted their memo below, with some annotation from me. pic.twitter.com/6eQUYuuGJA
— Kim Zetter (@KimZetter) August 10, 2018
Also, memo to ES&S: when hackers are trying to help you improve the security of your shitty machines, whining that they’re “breaking licensing agreements” is not a good look. But, it’s the hill ES&S has ridiculously decided to die on:
In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company?s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal.
And, of course, all this hand-waving failed to stop the inevitable. The news is full of stories, often revolving around the hook that an 11-year-old hacked into and changed votes on a replica Florida state website:
The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state?s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called ?DEFCON Voting Machine Hacking Village,? a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.
After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations.
And while the Secretaries of State continue to insist that this is not a real world replica, Defcon folks disagree:
Nico Sell, the co-founder of the the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there.
Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour.
?These are very accurate replicas of all of the sites,? Sell told the PBS NewsHour on Sunday. ?These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it?s negligent for us as a society.?
The really incredible part of this, of course, is that election officials and voting machine vendors don’t embrace Defcon’s vote hacking village. That would open up important lines of communication, rather than all this sniping. Indeed, Defcon folks made the effort only to be mostly ignored:
?The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.?
While it appears that a few election officials came (including some from Illinois, Colorado and Ohio), many others did not, preferring to just complain about the demonstration. The end result, of course, is that they look silly and petty — and unconcerned with the terrible security associated with their machines.