Hackers breached defences of US voting machines in less than 90 minutes

In a public - and legal - contest at the DEF CON cybersecurity conference in Las Vegas, hackers 'rick-roll'd' one machine and gained remote control of another, notoriously weak device from a laptop

Adam Lusher
Monday 31 July 2017 12:08
comments
One device was 'rick-roll'd' to play Rick Astley's Eighties hit 'Never Gonna Give You Up'
One device was 'rick-roll'd' to play Rick Astley's Eighties hit 'Never Gonna Give You Up'

Hackers competed to take control of US voting machines and overcame some of their security defences in less than 90 minutes.

One hacking team at the DEF CON cybersecurity conference in Las Vegas ‘rick-roll'd’ a touchscreen voting machine so it played Rick Astley’s 1987 hit ‘Never Gonna Give You Up’, and another contestant was able to gain full remote control of a notoriously weak device from his laptop.

The results of the competition are likely to add to anxieties about the hacking of future US elections and about possible Russian interference in Donald Trump’s victory in November.

The US Department of Homeland Security said last year that it was “confident” the Russian Government had directed the hacking and leaking of Democratic National Committee emails in the run-up to Donald Trump’s victory over his Democrat rival Hillary Clinton.

And last month it was reported that a leaked National Security Agency document stated that Russian military intelligence executed a cyberattack on at least one US voting software supplier and sent phishing emails to more than 100 local election officials just days before the presidential election.

The DEF CON competition was said to have exposed a wide range of vulnerabilities in 30 computer-powered ballot boxes that had been acquired on eBay or from US government auctions so hackers could try to attack them.

The hackers were allowed to break the machines open to see how they worked, as well as trying to gain control of them remotely.

It allegedly took them less than 90 minutes to find the first cracks in the machines’ defences.

It was also claimed that Carsten Schürmann, an associate professor at the IT University of Copenhagen, was able to exploit poorly secured WiFi to gain remote control of one machine that has been used in previous US county elections.

The Register reported that some machines were using outdated and relatively easily hacked software, including unpatched versions of OpenSSL and Windows XP and CE.

Other machines had open ports, physical docking points meant for the use of election officials, which could be exploited to instal malicious software. Simple Google searches reportedly allowed other hackers to find passwords that would allow them administrative access to some machines.

Jake Braun, the Chief Executive Officer of Cambridge Global Advisors, who devised the hacking competition, said: “Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community, we've uncovered even more about exactly how.

“The scary thing is we also know that our foreign adversaries – including Russia, North Korea, Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security.”

Douglas Lute, a former Deputy National Security Advisor who is now a senior consultant for Cambridge Global, added: “This [election hacking] is now a grave national security concern that isn't going away. In the words of former FBI Director James Comey, ‘They're coming after America. They will be back.’”

Some of the machines hacked at DEF CON, however, are no longer used in American elections. The particular WinVote machine hacked by Mr Schürmann, for example, was retired from service in 2015 after a decade of complaints about its vulnerability. The Register was also told that the remote hacking of the machine would have been detected and logged.

Eric Hodge, director of consulting at CyberScout and a consultant for Kentucky’s Board of Elections, told The Hill that because voting machines were not connected to the internet, many security problems could be avoided by watching them to ensure no-one tampered with them.

He added that because voting machines varied from county to county – administrative subdivisions of which there are more than 3,000 in the US – it would be relatively hard to hack enough devices to influence the result of a national election.

Harri Hursti, co-founder of Nordic Innovation Labs, who helped organise the competition, said, however, that if a national election was expected to be very close, hackers could influence the results by targeting machines in just a few key counties.

Russia has consistently denied hacking or interfering in the 2016 US presidential election, with Vladimir Putin dismissing such allegations as “useless and harmful chatter”.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments