At DEF CON, I Watched Hackers Take Voting Machines Apart

Stephen has never hacked a voting machine before. But within a few minutes of tinkering, he has already made some progress.

"We're trying to figure out how the machine works," Stephen told Motherboard at the annual DEF CON hacking conference as he typed commands on his Ubuntu laptop. His computer wrote data to a smart-card like device, which he then plugged into the voting machine, a touchscreen model made by a company called Diebold.

The small voting tablet came to life, and cheers erupted around the table. But shortly after, the screen turned jet black, and displayed a sliver of green text across the top: a file is missing, and Stephen needed to take the card back out of the machine and start again, adding another file and seeing how the machine reacts. Others focused in on device's circuit boards, and later, another researcher managed to gain remote access to a second voting machine.

This was all part of DEF CON's new voting machine hacking village, where hackers came to rip apart, reverse engineer, and probe real voting machines used in US elections.

"Feel free to take a look and play around," Harri Hursti, a Finnish computer programmer and one of the event's organizers, said before hackers dove into their work.

DEF CON regularly holds hacking villages, whether for biohacking or targeting cars. After the high-profile Russian interference in the US election, the organizers decided to launch one specifically for voting machines.

"I'm tired of reading misinformation about voting system security so it is time for a DEF CON Village," conference organizer Jeff Moss, also known as "The Dark Tangent," wrote in a forum post earlier this year announcing the event.

The machines were a hodge-podge of touchscreen tablets and Windows-based machines, with some still being used nationwide. Before this workshop, researchers had already exposed issues with all of these machines, from being able to miscalibrate a device's screen so a user will likely cast the wrong vote, to infecting the machine with malware. When introducing the machines to participants, Hursti pointed out that some were running horribly out of date software.

So although finding new vulnerabilities is of course a bonus, that was not the main drive behind this event.

"This is about education," Hursti said.

The point is giving more people access to these machines, even if only for a few hours, and a selection of speakers talked about their own misgivings around the apparent lack of interest in voting security. Barbara Simons, chairwoman of nonprofit advocacy organization Verified Voting, said she has had trouble taking these sort of security issues seriously.

Judging by the available evidence, suspected Russian hackers did not directly interfere with voting machines themselves during the 2016 election. They did, however, attempt to break into related organizations such as a voting software supplier, and local government bodies. During a hearing in June, former FBI Director James Comey said that Russian hackers targeted 'hundreds' of entities throughout their intrusion campaign.

"Why go to the trouble of loading firmware onto voting machines yourself, when you can just email a .doc file to the local registrar for voters," said Matt Blaze, associate professor of computer and information science at the University of Pennsylvania and one of the organizers of the village.

But even with that being the case, researchers and governments would be wise not to ignore the security of these devices.

"I think they will be back," Simons said, referring to those who interfered with the US election.

Got a tip? You can contact this reporter securely on Signal at +44 20 8133 5190, OTR chat at jfcox@jabber.ccc.de, or email joseph.cox@vice.com