Voting Machine Vendors, Election Officials Continue To Look Ridiculous, As Kids Hack Voting Machines In Minutes

from the voting-village-strikes-again dept

Last year at Defcon, the Voting Machine Hacking Village showed just how bad the security was on electronic voting machines. This is not a surprise, of course. It's a topic we've covered on Techdirt going back almost 20 years. But what's still most incredible is how much the voting machine manufacturers and election officials continue to resist the efforts of security experts to explain all of this. Even earlier this year, there were reports about the insane lengths that voting machine vendors were going to in order to stop Defcon from obtaining their machines:

Village co-organizer Harri Hursti told attendees at the Shmoocon hacking conference this month they were having a hard time preparing for this year's show, in part because voting machine manufacturers sent threatening letters to eBay resellers. The intimidating missives told auctioneers that selling the machines is illegal -- which is false.

Meanwhile, election officials have been whining about the whole thing, and telling people not to pay any attention to all of this:

Election officials from the National Association of Secretaries of State (NASS) bristled at the demonstrations, saying they didn't reflect what could actually happen on Election Day. So did voting machine vendors, which argued it would be difficult for adversaries to gain the level of access necessary to tamper with equipment.

Leading voting machine vendor ES&S put out a completely bullshit letter to its customers basically saying "don't pay any attention to Defcon." That letter was expertly debunked and mocked by reporter Kim Zetter:

Also, memo to ES&S: when hackers are trying to help you improve the security of your shitty machines, whining that they're "breaking licensing agreements" is not a good look. But, it's the hill ES&S has ridiculously decided to die on:

In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal.

And, of course, all this hand-waving failed to stop the inevitable. The news is full of stories, often revolving around the hook that an 11-year-old hacked into and changed votes on a replica Florida state website:

The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

Lots of other hackers were successful as well:

After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations.

And while the Secretaries of State continue to insist that this is not a real world replica, Defcon folks disagree:

Nico Sell, the co-founder of the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there.

Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour.

“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.”

The really incredible part of this, of course, is that election officials and voting machine vendors don't embrace Defcon's vote hacking village. That would open up important lines of communication, rather than all this sniping. Indeed, Defcon folks made the effort only to be mostly ignored:

“The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.”

While it appears that a few election officials came (including some from Illinois, Colorado and Ohio), many others did not, preferring to just complain about the demonstration. The end result, of course, is that they look silly and petty -- and unconcerned with the terrible security associated with their machines.


Reader Comments

  • Anonymous Coward, 16 Aug 2018 @ 9:48am

    11-year-old is good, but...

    We're still safe until a child of 5 can breach these systems. Once a child of 5 can see the flaws in the system, all is lost.


    • That One Guy, 16 Aug 2018 @ 10:00am

      Re: 11-year-old is good, but...

      That would be the one that you're supposed to bounce your evil but potentially really bad ideas off of, right?


      • Anonymous Coward, 16 Aug 2018 @ 11:05am

        Re: Re: 11-year-old is good, but...

        Exactly. Selling a voting machine with serious security problems while trying hard to avoid fixing them certainly seems evil. Now we just need to determine if it's a really bad idea.


  • Anonymous Coward, 16 Aug 2018 @ 10:04am

    The news is full of stories, often revolving around the hook that an 11-year-old hacked into and changed votes on a replica Florida state website

    Voting machine company: "This was a useless test of the machine's vulnerabilities. Eleven-year-olds can't vote. So your machines are safe from them getting into and changing any records."


  • That One Guy, 16 Aug 2018 @ 10:06am

    That's fair

    In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal.

    I mean, that's certainly a valid argument, everyone knows that the sort of people who would hack a voting machine would absolutely be the sorts that would stop in a moment the second they realized that doing so would violate the licensing agreement regarding the software.

    They're criminals trying to undermine if not shift an election, something with potentially huge repercussions, but that doesn't mean they'd be rude enough to ignore a license, and as such simulated hacking that does so isn't really an accurate scenario, and can be completely dismissed as non-representative of reality.


    • ShadowNinja, 16 Aug 2018 @ 10:42am

      Re: That's fair

      But if passing laws doesn't prevent crime then what good is passing laws?

      - Every useless politician.


    • Anonymous Coward, 16 Aug 2018 @ 6:38pm

      Re: That's fair

      Similar to Al Capone... we can't prove Russian agents hacked the elections, but we may be able to search their laptops and get them on minor copyright infringement.


  • Anonymous Coward, 16 Aug 2018 @ 10:09am

    It's almost as if they wanted the voting machines to be easily compromised. It's not a flaw, it is a design requirement.


    • That One Guy, 16 Aug 2018 @ 10:18am

      Pointy-haired boss security: 'If I can't see it, it isn't there'

      Possible, but in this case I'd go with stupidity/laziness/CYOA rather than malice as the likely culprit. It's much cheaper to pretend that things are nice and secure rather than admit that the very expensive voting systems that have been purchased are so laughably insecure that literal children are able to crack their security.

      An admission like that makes the company look all sorts of bad (potentially to the 'bankruptcy' point), the people who purchased voting machines from them all sorts of stupid, and the latter on the hook for scrounging up the funds to replace everything after a potentially lengthy search to find an actually secure system.


    • Anonymous Coward, 16 Aug 2018 @ 10:34am

      Re:

      The voting machine manufacturers? No, they don't want their machines to be easily compromised. DEFCON, which loves all the publicity it gets from clickbait like "Watch this Child Hack a Voting Machine!"? Yeah, they do, which is why they use old voting machines that're scrounged off of places like eBay and haven't had software updates in ages or glaring security flaws.


      • Anonymous Coward, 16 Aug 2018 @ 11:20am

        Re: Re:

        These "old Machines" to which you refer are still being used in some precincts, or did that fact avoid your detection?

        The new machines are unhackable? ... lol, sure they are.

        Automatic teller machines have been around for some time and there have been a few stories about how they are susceptible, but not to the extent that voting machines are. Shows where the priorities lie.


        • Anonymous Coward, 16 Aug 2018 @ 2:59pm

          Re: Re: Re:

          That's because tracking what goes out is important (we might give someone something extra and have to take it back), but tracking what's coming in is irrelevant (if we don't like the votes we will just change them anyway, so no need to have them be 'secure' to the same level as cash machines).

          It's not like someone manipulating the voting machines is 'buying' the election, amiright?

          Don't be surprised if local machines use playground bully counting rules, 1 for you, 2 for me, 2 for you, 3 for me, etc... I win again??? imagine my surprise :)


      • Anonymous Coward, 16 Aug 2018 @ 2:48pm

        Re: Re:

        Security is a weapon-race, true.

        But depending on how outdated the machine is, it is still a gauge on the risks election authorities are willing to take, just by accepting voting machines in the first place.

        Pen and paper is work-intensive to defraud and the more you want to fudge the numbers, the harder it is. Voting machines are as easy as the hack and you can change the vote-winner to "Downeaster Alexa" if you want, without much work needed: The damage potential from voting machines is a lot larger than from "pen and paper"-fraud, making the question of security that much more important.

        "security by obscurity" is stupidity. In this case the approach of the voting machine manufacturers is the equivalence of that. Sitting in a corner and screaming "fake news!" at everything is not as good as providing evidence, but it sure is hell of a lot easier!


  • Flakbait, 16 Aug 2018 @ 10:17am

    Mixed Metaphors

    Pay no attention to the 11 year old boy behind the curtain! I'm too busy rearranging the deck chairs on the Titanic!


  • orbitalinsertion, 16 Aug 2018 @ 10:20am

    _Election officials from the National Association of Secretaries of State (NASS) bristled at the demonstrations, saying they didn't reflect what could actually happen on Election Day._

    As if election day is the prime window during which hacking any part of the system is going to occur.


  • Anonymous Coward, 16 Aug 2018 @ 10:21am

    DEFCON is a three-ring circus compared to actual security circles.

    "Hackers “breach” election equipment during a highly publicized workshop via methods that bear no resemblance to the real world. Workshop sponsors report their success to credulous reporters who print them under inflammatory headlines. And voters are worked into a lather, inspiring larger and larger budgets. Vendors are standing by, ready to capitalize on this cycle of fear and misinformation."

    Voting Machines, Fake News, and the Future of Democracy.


    • Anonymous Coward, 16 Aug 2018 @ 10:26am

      Re:

      Please explain how their methods bear no resemblance to the real world?


      • Anonymous Coward, 16 Aug 2018 @ 10:43am

        Re: Re:

        Read the article I linked to. It goes into detail as to how DEFCON's voting machine hacking village is just a publicity stunt useful for spinning fearmongering clickbait and nothing else.


        • ShadowNinja, 16 Aug 2018 @ 10:48am

          Re: Re: Re:

          Hackers hold similar conventions for hacking all the different OS's, and award prizes for the first person to hack each of them.

          Microsoft, Apple, and other major OS makers pay close attention to those events for security vulnerabilities to patch.

          If tech companies pay attention to such events to improve their products, and think they reflect the real world enough to pay attention to, why wouldn't voting machines?


        • Anonymous Coward, 16 Aug 2018 @ 11:03am

          Re: Re: Re:

          I did. Your article does not go into actual details. It skims it at a very high level and handwaves away actual in-person attempts.

          My polling place is staffed entirely by volunteers. All of them have access to the machines and could compromise it. Also, with many elections going down to a few thousand votes deciding the winner, only one or two actual precincts needs to be compromised to change an election.

          Your article was also written a week before the conference. So how can you call the results of this conference bearing no resemblance to the real world?


    • I.T. Guy, 16 Aug 2018 @ 10:29am

      Re:

      "DEFCON is a three-ring circus"

      "“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday."

      So you were there? I look forward to your in-depth analysis of the methods they used and how you formed your opinion.


    • Anonymous Coward, 16 Aug 2018 @ 11:27am

      Re:

      Do you really expect anyone reading this blog to believe your silly bullshit?

      "Actual security circles" ... which I'm certain you are familiar with - lol, not.

      Did you know that people actually within said "security circles" attend, present papers and participate in this convention because there are things to learn. Unlike yourself, they do not already know everything.


  • crade, 16 Aug 2018 @ 10:24am

    So are they trying to say that the hackers "agreed" to some sort of license agreement and then broke it? Or is it the people who installed the software that are breaking the license agreement by reselling it?

    I don't see why the hackers would need to agree to any license agreements when they aren't making any copies of the software... what exactly are they supposed to be getting out of these agreements? You don't need a license to use software. How exactly does the hacker get bound up into a license agreement?


    • ShadowNinja, 16 Aug 2018 @ 10:45am

      Re:

      Technically, it might somehow violate CFAA because of how ridiculously broad it's written so that violating the TOS on a website is 'hacking'. No doubt this also covers violating a license agreement. (Buying a voting machine however would not violate said law like the manufacturers alleged in the story).


      • crade, 16 Aug 2018 @ 11:36am

        Re: Re:

        How does an outside party who doesn't license the software and has no legal obligation to license the software violate a license agreement?

        Isn't there even an anti-circumvention exemption for security research?


  • Anonymous Coward, 16 Aug 2018 @ 10:26am

    You know there has to be some reason why politicians won't support change outs of these voting machines for something more secure. I don't just buy that it's party politics alone.

    Someone somewhere is benefiting. If it is that easy to hack a voting machine and they are not keeping paper trails, then someone some where is taking advantage of that.

    That would be a strong incentive not to want change to more secure. At this point one can not help but feel voting is just another fraud these days.


    • Anonymous Coward, 16 Aug 2018 @ 11:08am

      Re:

      I imagine there are a few that are purposefully blocking any attempt at improvement (i.e. current administration), but I think most politicians are just cheap, lazy, and have too big of an ego. They don't want to spend the millions it would take to fix the machines, especially in an election year. They also don't want to admit they have done anything wrong. So they ignore it.


  • Anonymous Coward, 16 Aug 2018 @ 10:33am

    List of officials they emailed and phoned?

    Have they published a list of the officials that were contacted and/or invited? I'm in Texas and I'd like to find out what the response was from the people serving Texans.


  • Anonymous Coward, 16 Aug 2018 @ 12:01pm

    In a real democracy there would be overwhelming support from all quarters for publicly demonstrating vulnerabilities in the core voting infrastructure.

    Government agencies would promote such events and put up large vuln bounties. Vendors would proudly seek to demonstrate that their offerings are fit-for-purpose.

    Instead they lie about it and try to suppress it, or, at best, ignore it. Can you really blame people for assuming the worst?


    • Anonymous Coward, 16 Aug 2018 @ 12:11pm

      Re:

      The problem is there exists no digital infrastructure that would be secure enough for voting. It just does not exist. Everything is vulnerable at some point in the chain and even the tiny bit of vulnerability will be exploited in something as important as voting.

      I am fine with using the machines to speed up counting, but there should always, always, always be a human count for the official records. Have a team of volunteers (must be different from the volunteers who staffed on election day), backed up by an impartial official count the votes and their number is the actual one used. The digital one is just used for verification. If there is any discrepancy between human and digital greater than 0.5% and the vote total is close enough where the discrepancy would matter, it forces a recount for both systems.

      Rinse and repeat until a result is agreed upon.


  • ECA, 16 Aug 2018 @ 12:48pm

    Ok, I want info..

    WHAT are the requirements for a voting machine..

    I would LOVE to know.

    Because if it takes more than a 486dx100, I think something is REALLY WRONG..


    • OGquaker, 18 Aug 2018 @ 1:08am

      Re: Ok, I want info..486

      I think the SOS of California last approved software for a vote tally machine about 1998.
      Dell has donated about 20 newer machines that are mounted below the SOS approved tally computers and use their same keyboards & mice.
      In 2004, Cisco had donated a 6ft. tall '19-inch rack-mount' that had its own closed room within the 3,500 sq ft room where voter-ink-dotted cards are brought in to be run through the 20 tally stations. Los Angeles County Register Of Voters promised that the Cisco machine would be turned off on the first Tuesday in November, but its closed room is not visible from public observing windows.
      When we took the Precinct volunteer class for this last Primary, we were told that LA County was going to 'tablets' in the voter booths soon.


  • lars626, 16 Aug 2018 @ 12:58pm

    A positive note

    On the bright side there are some states, like Minnesota, where the use of all electronic systems is illegal.
    A marked paper ballot is fed into and stored in a counting machine. At the end a sampling of precincts are re-tallied on a separate machine to verify. All the machines are tested after they are prepared and cannot be opened by individual poll workers. No chads, no missing electrons, very little fuss.

    There are times in life where a little inefficiency is a good thing, this is one of them.


  • Anonymous Coward, 17 Aug 2018 @ 2:33pm

    E-voting is a complete joke.


  • Lawrence D’Oliveiro, 17 Aug 2018 @ 6:08pm

    Wondering When History Would Repeat ...
