Election hacking report: US ‘has a lot to do in a short period of time’

A closely watched report on election hacking on Tuesday warned that the U.S. does not have much time to fix security vulnerabilities in voting machines discovered at the DEF CON hacker conference.

“We’ve got a lot to do in a short period of time,” said Douglas Lute, former ambassador to NATO, at an Atlantic Council event releasing the report.

The DEF CON conference, held in late July, purchased 30 election machines for hackers to investigate. They found security problems in the machines including decades-out-of-date hardware with known security flaws, a machine with hackable wi-fi and other vulnerable software and hardware.

The report notes potential supply chain issues with voting machines, such as components manufactured in foreign countries including China. 

One electronic poll book obtained by DEF CON contained personal information on 654,517 voters from Shelby County, Tennessee, from roughly 2008.

There are limitations to the types of hacks described by the report. Voting machines are, at least in theory, stored offline. Many of the attacks need to be conducted in person or in close range, limiting the ease of conducting a wide-scale attack.

Hackable wi-fi can be used to issue remote commands, but only from an attacker within range. That vulnerability was only available on one machine listed in the report. At the Atlantic Council panel, Harri Hursti, who co-ran the DEF CON event, noted that there are new models of paper scanning machines with wireless modems connected to cellphone networks. 

While certain attacks can be conducted within the supply chain, those attacks cannot target specific elections without additional contact with the machines. 

{mosads}This can sometimes be circumvented by targeting the government office or company tasked with maintaining machines, but the best practice to maintaining machines is to keep all systems related to the process segmented away from the internet. 

Also, if the goal of an attacker is to reduce confidence in the election system — either creating chaos or delegitimizing the American Democracy in the eyes of the world — targeting a specific election is not as important. 

Hackers have been warning about electronic voting machines for more than a decade. 

“At DEF CON we had our first speaker talk about electronic voting machines 10, 12 years ago,” said Jeff Moss, DEF CON’s founder and a fellow at the Atlantic Council think tank.

“The difference is that this time it counts, people are now paying attention,” he said.

Moss noted that the only reason it took this long for law-abiding hackers to publicly demonstrate these vulnerabilities in bulk was a desire to abide by the laws. United States copyright law disallowed hackers from experimenting on voting machines until just the past two years and purchasers of voting machines were forced to sign nondisclosure agreements.

Experts agree that crime and nation-driven hackers are not concerned with copyright and nondisclosure rules.

Members of the DEF CON panel said they were slated to present the findings of the report to the Department of Homeland Security on Tuesday. 

Next year, said Moss, he hopes to see manufacturers attend (thus far, none have accepted his invitation) and to let hackers look at voting tabulation software.