Defcon Voting Village report: Bug in one system could “flip Electoral College”

A voting machine is submitted to abuse in DEFCON’s Voting Village.

Sean Gallagher

Today, six prominent information-security experts who took part in DEF CON’s Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they found—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. “Hacking just one of these machines may allow an attacker to flip the Electoral College and decide the outcome of a presidential election,” the authors of the report warned.

The machine in question, the ES&S M650, is used for counting both regular and absentee ballots. The device from Election Systems & Software of Omaha, Nebraska, is essentially a networked high-speed scanner like those used for scanning standardized-test sheets, usually run on a network at the county clerk’s office. Based on the QNX 4.2 operating system—a real-time operating system developed and marketed by BlackBerry, currently up to version—the M650 uses Iomega Zip drives to move election data to and from a Windows-based management system. It also stores results on a 128-megabyte SanDisk Flash storage device directly mounted on the system board. The results of tabulation are output as printed reports on an attached pin-feed printer.

The report authors—Matt Blaze of the University of Pennsylvania, Jake Braun of the University of Chicago, David Jefferson of the Verified Voting Foundation, Harri Hursti and Margaret MacAlpine of Nordic Innovation Labs, and DEF CON founder Jeff Moss—documented dozens of other severe vulnerabilities found in voting systems. They found that four major areas of “grave and undeniable” concern need to be addressed urgently. One of the most critical is the lack of any sort of supply-chain security for voting machines—there is no way to test the machines to see if they are trustworthy or if their components have been modified.


“If an adversary compromised chips through the supply chain,” the report notes, “they could hack entire classes of machines across the US, remotely, all at once.” And despite the claim by manufacturers that the machines are secure because they are “air gapped” from the Internet during use, testing over the last two years at DEF CON discovered remote hacking vulnerabilities requiring no physical access to the voting machines.

In several cases, the Voting Village’s collection of hacker/researchers found that hacking the voting machines took less time than voting. One voting machine could be hacked in two minutes. And another hack, exploiting a flaw in an electronic card used to activate voting terminals, made it possible to reprogram the card wirelessly with a mobile device—allowing the voter to potentially cast as many votes as they like.

Perhaps the most frustrating of the problems documented by the researchers is that flaws, even when reported, don’t get fixed. One example is another vulnerability in the ES&S M650 that had been reported more than 10 years ago to the manufacturer—but was still present on systems used for the 2016 election.

