Tensions Flare as Hackers Root Out Flaws in Voting Machines
Defcon hack-a-thon conference aims to help test election security, but makers of voting equipment raise doubts
By Robert McMillan and Dustin Volz Aug. 12, 2018 9:00 a.m. ET
LAS VEGAS—Hackers at the Defcon computer security conference believe they can help prevent manipulation of U.S. elections. Some election officials and makers of voting machines aren’t so sure.
That tension was front and center at Defcon’s second-annual Voting Village, where computer hackers are invited to test the security of commonly used election machines. Organizers see the event as an early test of U.S. election security and a counterpunch to potential outside interference. On the first day of the event, which runs through Sunday, hackers were able to swap out software, uncover network plug-ins that shouldn’t have been left working, and uncover other ways for unauthorized actors to manipulate the vote.
These hacks can root out weaknesses in voting machines so that vendors will be pressured to patch flaws and states will upgrade to more secure systems, organizers say.
Yet some manufacturers and security experts believe the hack-a-thon is unlikely to uncover the type of real-world issues that would come up in an election.
“Anybody could break into anything if you put it in the middle of a floor and gave them unlimited access and unlimited time,” said Leslie Reynolds, executive director of the National Association of Secretaries of State.
Election Systems & Software LLC, a leading manufacturer of voting equipment, was reluctant to have its systems tested at the conference. The company played down the expected findings from the event in a letter to customers. Hackers “will absolutely access some voting systems internal components because they will have full and unfettered access to a unit without the advantage of trained poll workers, locks, tamper-evident seals, passwords, and other security measures that are in place in an actual voting situation.”
Kathy Rogers, senior vice president of government relations for ES&S, said the letter was sent “in response to numerous inquiries by our customers as to what equipment might be at Defcon and what they might expect.”
In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal. Voting Village organizer Jake Braun disagreed with this interpretation of the agreements.
The states and vendors are making a mistake by not participating in the voting village, which amounts to a thorough security test for any machine involved, Mr. Braun said. “This is not a cyber-mature industry,” he said.
Some state and local election officials at the conference said the companies that sell voting equipment are more interested in maintaining their profit margins than improving the security of their machines.
Representatives from voting machine makers ES&S and Dominion Voting Systems Corp. declined to comment on criticisms raised by the organizers and wouldn’t say whether they had employees present at the hacking conference.
Election cybersecurity has been a national concern since 2016, when Russian-government hackers allegedly broke into systems at the Democratic National Committee, launched an influence campaign on Facebook Inc.’s social network, and targeted more than 20 voter registration systems, government officials say.
Russia has repeatedly denied interfering in the election.
Earlier this month, senior intelligence officials in the Trump administration warned that Russia was again engaging in “pervasive” efforts to interfere in the November elections.
In March, Congress appropriated $380 million to shore up the nation’s election systems—money that has now been allocated to 50 states and five territories to pay for improved election equipment, and security training and testing, according to the Election Assistance Commission, the agency responsible for disbursing the funds.
Jeanette Manfra, a senior cybersecurity official at the Department of Homeland Security, said that security researchers at Defcon were doing important work by finding vulnerabilities in voting systems that could be used by bad actors. But she said she sympathized with concerns from election officials that the vote-hacking village could unintentionally lower public confidence in American elections—considered a chief goal of Russian interference.
“You want companies to be building more secure products, but at the same time the public doesn’t necessarily know the full picture,” Ms. Manfra said. “If all you are saying is, ‘Look, even a kid can hack into this’, you’re not getting the full story, which can have the impact of having the average voter not understanding what is going on.”
“It’s really, really difficult to actually manipulate the vote count itself,” she said.
But it’s still worth uncovering any potential security flaws in these machines, because there are plenty of others—organized criminals for example—who might want to throw an election, said Joseph Lorenzo Hall, chief technologist with the nonprofit Center for Democracy & Technology.
“Everybody’s talking about Russians, but we have to be clear that there are other threats here,” said Mr. Hall on Friday while mingling with hackers at the Defcon Voting Village. It’s a conference room deep in the bowels of Caesars Palace—littered with voting machines, memory cards and scanners.
A few minutes later, Mr. Hall stopped talking and cast a wary eye over at two attendees who were examining a big grey vote scanning machine in the corner of the room. He was worried they might plug it in and fire up its powerful engine without supervision. “We’re OK with destructive testing of these things. I just don’t want you to hurt yourself,” he said. “There are things that will take your fingers off in there.”