Shmoocon: Vendor intimidation, default passwords, official state seals for sale. Yes, we're talking about computer-powered election machines.
The organizers of last year's DEF CON Voting Village – a corner of the annual infosec conference where peeps easily hacked into electronic ballot boxes – are preparing for a similar penetration-testing session at this year's event in August.
There are some hurdles to clear, though.
Speaking at the Shmoocon conference in the US capital last week, Finnish programmer and village organizer Harri Hursti said the team was having trouble getting voting machines to compromise for this year's hackfest, in part because manufacturers weren't keen to sell kit that could expose their failings.
In some cases, the box makers sent letters to people flogging election systems on eBay, claiming selling the hardware was illegal, which isn't true. His team is still scouring the web for voting gear.
"One e-cycling company had bought 1,300 voting machines, which it acquired when the ceiling of the warehouse in which they were being stored collapsed," Hursti said. "We found the company had already sold 400 of the machines, in some cases back to counties for voting duties."
One of the machines was duly bought for the hacking competition. The seller is also touting packets of 25 official election machine seals for the state of Michigan for less than $5.
"You'd think you could only buy these if you had a government ID and were in the state of Michigan," Hursti said. "But no, anyone can buy these."
Meanwhile at Shmoocon, we learned that Margaret MacAlpine, founding partner at Nordic Innovation Labs and another member of the DEF CON Voting Village team, found complete lists of the default admin passwords for electronic ballot boxes in their training manuals.
In one tome, election officials are instructed not to change the default password, and if someone had already, to reset passwords to the defaults. This manual covered machines used to count 18 per cent of the votes in US elections, we were told.
SAVE our souls
The sad levels of security in America's voting infrastructure have worried politicians, and in October the bipartisan Securing America's Voting Equipment (SAVE) Act was introduced. The legislation, if passed, would require election machines to be audited and officials trained to deal with the latest credible security threats.
Voting village organizer Matt Blaze, an associate professor of computer and information science at the University of Pennsylvania, said that the proposed law was "a beautiful piece of legislation," and should be supported. Given the intransigence within Congress, however, it may be a while before it gets through.
But it is needed, he argued, as there was already evidence that Russian hackers had been busy attacking election systems – not the voting machines themselves but the computers used to house voter rolls and tabulate the results.
"We'll find out how much hacking went on in the history books, assuming they are allowed to be written in the future," he told Shmoocon attendees.