Some Voting Machines Still Have Decade-Old Vulnerabilities
Credit to Author: Lily Hay Newman | Date: Thu, 26 Sep 2019 18:41:42 +0000
The results of the 2019 Defcon Voting Village are in—and they paint an ugly picture for voting machine security.
In three short years, the Defcon Voting Village has gone from a radical hacking project to a stalwart that surfaces voting machine security issues. This afternoon, its organizers released findings from this year's event—including urgent vulnerabilities from a decade ago that still plague voting machines currently in use.
Voting Village participants have confirmed the persistence of these flaws in previous years as well, along with a raft of new ones. But that makes their continued presence this year all the more alarming, underscoring how slow progress on replacing or repairing vulnerable machines remains.
Participants vetted dozens of voting machines at Defcon this year, including a prototype model built on secure, verified hardware through a Defense Advanced Research Projects Agency program. Today's report highlights detailed vulnerability findings related to six models of voting machines, most of which are currently in use. That includes the ES&S AutoMARK, used in 28 states in 2018, and Premier/Diebold AccuVote-OS, used in 26 states that same year.
"As disturbing as this outcome is, we note that it is at this point an unsurprising result," the organizers write. "It is well known that current voting systems, like any hardware and software running on conventional general-purpose platforms can be compromised in practice. However, it is notable—and especially disappointing—that many of the specific vulnerabilities reported over a decade earlier … are still present in these systems today."
The types of vulnerabilities participants found included poor physical security protections that could allow undetected tampering, easily guessable hardcoded system credentials, potential for operating system manipulations, and remote attacks that could compromise memory or integrity checks or cause denial of service. The report points out that many of these vulnerabilities were discovered years ago—sometimes more than a decade—in academic research or state and local audits.
"This confirms what we’ve been saying for years now—around the country, we’re still using antiquated equipment that should be replaced, both for security and reliability reasons," says Lawrence Norden, deputy director of the Brennan Center's Democracy Program at New York University School of Law. "This shouldn’t be a surprise to anyone. It’s certainly not to election officials. This is one reason why Congress and the states need to step up on election security spending. Soon."
There has been some progress on voting machine security since the 2016 US elections. Michigan, Virginia, Arkansas, Colorado, Florida, Nevada and others have all taken steps to replace either machines that were aging and potentially vulnerable to digital attack, or all-digital voting machines that left no paper backup as a failsafe. But a survey released by the Brennan Center in March of 121 local election officials in 31 states found that more replacements are still desperately needed before the 2020 election. And about two-thirds of respondents said they didn't have adequate funds to enact the changes.
"Computerized voting presents a known set of risks and vulnerabilities, and because legacy systems are still in the field, these vulnerabilities are still there," says Marian Schneider, president of the nonprofit Verified Voting, which promotes election system best practices. "States are making the effort to replace vulnerable machines before the 2020 election but they need financial assistance from Congress to continue doing so. Federal legislation would help ensure sufficient funding to help states purchase new equipment."
Additionally, voting machine security is only one item on a much larger punch list for better defending US elections. More districts need to implement network and cloud defenses to protect infrastructure like voter rolls and email, and more states need to conduct risk-limiting audits to verify election results.
"While the discovery and replication of voting system security vulnerabilities are critical tasks for which the Voting Village plays an important role, that is not, in our view, its main contribution," the Village organizers write. "The clear conclusion of the Voting Village in 2019 is that independent security experts and hackers are stepping into the breach—providing expertise, answers, and solutions to election administrators, policymakers, and ordinary citizens where few others can."
The urgent need to fill the election security information gap, and give officials the resources and intelligence they need to conduct accurate, independent elections, has been clear for years. It's finally starting to gain some mainstream recognition, in large part thanks to the research community and initiatives like the Defcon Voting Village. Once openly hostile to hackers, voting machine manufacturers have even been considering establishing bug bounty programs to make vulnerability disclosure easier—a collaboration that would have been unthinkable just a few years ago.
That's thanks also to the stakes involved. "I think the greatest challenge that we do have is to make sure that we maintain the integrity of our election system," acting director of national intelligence Joseph Maguire told the House intelligence committee on Thursday. "We know right now that there are foreign powers who are trying to get us to question … whether or not our elections are valid."
All photos Roger Kisby/Redux Pictures.