US voting systems: Full of holes, loaded with pop music, and 'hacked' by an 11-year-old

Pen and paper is still king in America election security

DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren't great.

For instance, one 11-year-old apparently managed to hack and alter a simulated, albeit deliberately hobbled, Secretary of State election results webpage in 10 minutes.

The Vote Hacking Village, one of the most packed-out locations at this year’s DEF CON hacking conference in Las Vegas, saw many of the most commonly used US voting machines hijacked using a variety of wireless and wired attacks – and replica election websites so poorly constructed they were thought too boring for adults to probe, and left to youngsters to infiltrate.

The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups.

All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child's play to commandeer a website that doesn't follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites.

(Various folks, including ex-NSA and Immunity Inc founder Dave Aitel, have argued the simulation was likely not particularly realistic.)


DEF CON plans to show US election hacking is so easy kids can do it


The children were able to change vote tallies so that they numbered 12 billion, and rewrite party names as well as the names of candidates. Kids being kids, these latter changes included "Bob Da Builder" or "Richard Nixon's Head" – we spotted the Futurama fan there.

On the adult side, Premier/Diebold’s* TSX voting machines were found to be using SSL certificates that were five years old, and one person managed to, with physical access, upload a Linux operating system to the device and use it to play music, although that hack took a little more time than you’d get while voting.

Diebold’s Express Poll 5000 machines were even easier to crack, thanks to having an easily accessible memory card, which you could swap out while voting, containing supervisor passwords in plain text. An attacker could physically access and tamper with these cards, which also hold the unencoded personal records for all voters including the last four digits of their social security numbers, addresses, and driver's license numbers.

Hackers thus found that by inserting specially programmed memory cards when no election official is looking, they could change voting tallies and voter registration information. And take a guess what the root password was? Yes, “Password” – again stored in plain text.

More bizarrely, voting machine manufacturer WinVote’s VoteActive device was found to contain pop music. The machine, which was running Windows XP, could be hacked wirelessly in seconds, and had a music player and CD ripper program built in. It is believed this music stuff was left lying around in unused and unallocated space on the disk.

The village also hosted a mock election between George Washington and Benedict Arnold, which was predictably hacked. Of the ballots cast, America’s first POTUS scored 26 votes, as did infamous traitor Arnold, but the winner was an unplanned candidate: DEF CON’s founder Dark Tangent, aka Jeff Moss, with 61 votes.

The machine's software had been tampered with to insert Moss into the running, and make him win with faked votes. This could be done by infecting an election official's PC so that when the ballot box is set up and programmed from that computer, the voting software is silently altered to later change vote totals and candidates.

It’s the second year DEF CON has hosted the village, and once again voting machines didn’t make the grade. In short: there just isn't enough builtin security to stop people physically meddling with machines at the booths, or before and after polling day. There is little or no verification of the authenticity and legitimacy of the code running on the boxes. Anti-tamper seals on the cases have been shown to be ineffective, too.

It is seemingly impossible to know whether or not you are casting your ballot on a machine that is clean, or has been interfered. It may well not even be obvious to election officials.

And the final numbers on government websites may not be accurate, either. An error regarding the number of registered voters, thus suggesting more people voted than were allowed, on the US state of Georgia's website sparked confusion this month.

You can find summaries of the three-day hack-fest here:

With the November elections due, it looks as though, once more, American voters will just have to hope no one is hacking their vote. But some in government have taken an interest.

“It’s been incredible the response we’ve received,” said village cofounder and University of Pennsylvania professor Matt Blaze. “We’ve had over 100 election officials come through here and they expressed over and over again how much they have appreciated learning from this opportunity.”

Fresh from his keynote, former NSA top hacker and White House cyber czar Rob Joyce popped in to chat as well. He praised the work done by those involved, which had been criticised indignantly by some manufacturers before and during the show.


Microsoft: The Kremlin's hackers are already sniffing, probing around America's 2018 elections


“Believe me, there are people who are going to attempt to find flaws in those [election] machines whether we do it here publicly or not,” he said “So, I think it's much more important that we get out, look at those things, and pull on it.”

Incidentally, on Wednesday, US Republican senators shot down $250m in emergency election security funding proposed by Senator Patrick Leahy (D-VT) – a figure that Hacking Village cofounder Jake Braun told The Register was too small by a factor of 10 if the November elections were to be anywhere close to secure. Cost concerns were cited by the ruling party as a key factor in that decision.

A few days later the President of the Senate, Mike Pence, announced plans for a new super-duper Space Force for orbital warfighting, something the Air Force Space Command already has a firm grip on. The up-in-the-air scheme has an estimated cost of $8bn. ®

* Diebold Nixdorf sold off the US Elections systems Premier division of its business several years ago.

Similar topics

Broader topics

Other stories you might like

  • Israeli air raid sirens triggered in possible cyberattack
    Source remains unclear, plenty suspect Iran

    Air raid sirens sounded for over an hour in parts of Jerusalem and southern Israel on Sunday evening – but bombs never fell, leading some to blame Iran for compromising the alarms. 

    While the perpetrator remains unclear, Israel's National Cyber Directorate did say in a tweet that it suspected a cyberattack because the air raid sirens activated were municipality-owned public address systems, not Israel Defense Force alarms as originally believed. Sirens also sounded in the Red Sea port town of Eilat. 

    Netizens on social media and Israeli news sites pointed the finger at Iran, though a diplomatic source interviewed by the Jerusalem Post said there was no certainty Tehran was behind the attack. The source also said Israel faces cyberattacks regularly, and downplayed the significance of the incident. 

    Continue reading
  • Hackers weigh in on programming languages of choice
    Small, self-described sample, sure. But results show shifts over time

    Never mind what enterprise programmers are trained to do, a self-defined set of hackers has its own programming language zeitgeist, one that apparently changes with the wind, at least according to the relatively small set surveyed.

    Members of Europe's Chaos Computer Club, which calls itself "Europe's largest association of hackers" were part of a pool for German researchers to poll. The goal of the study was to discover what tools and languages hackers prefer, a mission that sparked some unexpected results.

    The researchers were interested in understanding what languages self-described hackers use, and also asked about OS and IDE choice, whether or not an individual considered their choice important for hacking and how much experience they had as a programmer and hacker.

    Continue reading
  • Stolen-data market RaidForums taken down in domain seizure
    Suspected admin who went by 'Omnipotent' awaits UK decision on extradition to US

    After at least six years of peddling pilfered personal information, the infamous stolen-data market RaidForums has been shut down following the arrest of suspected founder and admin Diogo Santos Coelho in the UK earlier this year.

    Coelho, 21, who allegedly used the mistaken moniker "Omnipotent" among others, according to the US indictment unsealed on Monday in the Eastern District of Virginia, is currently awaiting the outcome of UK legal proceedings to extradite him to the United States.

    The six-count US indictment [PDF] charges Coelho with conspiracy, access device fraud, and aggravated identity theft following from his alleged activities as the chief administrator of RaidForums, an online market for compromised or stolen databases containing personal and financial information.

    Continue reading

Biting the hand that feeds IT © 1998–2022