US voting hardware maker's shock discovery: Security improves when you actually work with the community
ES&S takes the bold step of not ignoring vulnerability reports
Black Hat Just hours after Professor Matt Blaze today discussed the state of election system security in America, one of the largest US voting machine makers stepped forward to say it's trying to improve its vulnerability research program.
Election Systems and Software (ES&S), whose products include electronic ballot boxes and voter registration software, said it is working with infosec outfits and bug-finders to improve the security of its products.
Speaking at this year's online Black Hat USA conference, CISO Chris Wlaschin outlined a number of steps his biz has already or will soon take to overhaul its relationship with bug-bounty hunters.
In addition to its ongoing vulnerabilities rewards program, ES&S said it will employ the services of security house Synack to bridge the gap with bounty hunters, and make its products better able to withstand attacks from the likes of state-sponsored groups.
Most notably, ES&S will beef up said rewards program. With the help of ethical hackers at Synack, testers will be able to hammer on devices like the ES&S ExpressPoll without fear of legal reprisal.
This is actually a big step for ES&S, which, when we last checked in, was bickering with DEF CON organizers over its products being included in the voting-machine-hacking village, and taking heat from government officials for its lax security.
Since then, the manufacturer says it has upped its game and embraced external reports of weaknesses in its equipment. Wlaschin noted that ES&S engaged with bug-finders to get bugs patched for both its products and those from other vendors.
One of the bounty hunters who has worked with ES&S, industry veteran Jack Cable, issued his seal of approval to the expanded program.
Today, the nation's largest voting vendor released a vulnerability disclosure policy giving hackers authorization to test their systems. This is a great step towards transparency for election security. I hope that other vendors follow suit and welcome hackers with open arms. 🧵— Jack Cable (@jackhcable) August 5, 2020
ES&S also said it plans to involve state election agencies in the effort, though it stopped short of promising to get other election machine vendors involved.
Meanwhile, Synack CTO Dr Mark Kuhr talked up the role his company would play in helping to clean up ES&S's security reputation and safeguard US voting machines ahead of the 2020 election.
One point of reference the companies plan to use with the program, says Kuhr, is the successful Hack the Pentagon campaign from 2016.
"Our election infrastructure is designated as critical infrastructure by the DHS," he said. "What we are seeing here is a match made in heaven between the security research community and the government bodies." ®