Voting Machine Vendors, Election Officials Continue To Look Ridiculous, As Kids Hack Voting Machines In Minutes

from the voting-village-strikes-again dept

Last year at Defcon, the Voting Machine Hacking Village showed just how bad the security was on electronic voting machines. This is not a surprise, of course. It's a topic we've covered on Techdirt going back almost 20 years. But what's still most incredible is how much the voting machine manufacturers and election officials continue to resist the efforts of security experts to explain all of this. Even earlier this year, there were reports about the insane lengths that voting machine vendors were going to to try to stop Defcon from obtaining their machines:

Village co-organizer Harri Hursti told attendees at the Shmoocon hacking conference this month they were having a hard time preparing for this year's show, in part because voting machine manufacturers sent threatening letters to eBay resellers. The intimidating missives told auctioneers that selling the machines is illegal -- which is false.

Meanwhile, election officials have been whining about the whole thing, and telling people not to pay any attention to all of this:

Election officials from the National Association of Secretaries of State (NASS) bristled at the demonstrations, saying they didn't reflect what could actually happen on Election Day. So did voting machine vendors, which argued it would be difficult for adversaries to gain the level of access necessary to tamper with equipment.

Leading voting machine Vendor, ES&S put out a completely bullshit letter to its customers basically saying "don't pay any attention to Defcon." That letter was expertly debunked and mocked by reporter Kim Zetter:

Also, memo to ES&S: when hackers are trying to help you improve the security of your shitty machines, whining that they're "breaking licensing agreements" is not a good look. But, it's the hill ES&S has ridiculously decided to die on:

In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal.

And, of course, all this hand-waving failed to stop the inevitable. The news is full of stories, often revolving around the hook that an 11-year-old hacked into and changed votes on a replica Florida state website:

The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

Lots of other hackers were successful as well:

After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations.

And while the Secretaries of State continue to insist that this is not a real world replica, Defcon folks disagree:

Nico Sell, the co-founder of the the non-profit r00tz Asylum, which teaches children how to become hackers and helped organize the event, said an 11-year-old girl also managed to make changes to the same Florida replica website in about 15 minutes, tripling the number of votes found there.

Sell said more than 30 children hacked a variety of other similar state replica websites in under a half hour.

“These are very accurate replicas of all of the sites,” Sell told the PBS NewsHour on Sunday. “These things should not be easy enough for an 8-year-old kid to hack within 30 minutes, it’s negligent for us as a society.”

The really incredible part of this, of course, is that election officials and voting machine vendors don't embrace Defcon's vote hacking village. That would open up important lines of communication, rather than all this sniping. Indeed, Defcon folks made the effort only to be mostly ignored:

“The Voting Village conducted an outreach effort that was more extensive than any other organization. The Village mailed invitations to almost 7,000 election officials, made over 3,500 live calls, and sent two emails to nearly every single election official in the country, inviting them to participate at DEFCON and the Voting Village.”

While it appears that a few election officials came (including some from Illinois, Colorado and Ohio), many others did not, preferring to just complain about the demonstration. The end result, of course, is that they look silly and petty -- and unconcerned with the terrible security associated with their machines.

Filed Under: defcon, e-voting, hacking, voting, voting integrity
Companies: es&s

Georgia Election Server Mysteriously Wiped Clean After Lawsuit Highlights Major Vulnerabilities

from the yeah-whoops-a-daisy dept

For as long as Techdirt has existed, we've highlighted how most implementations of electronic voting simply aren't safe or secure. The Diebold disaster in 2006, Sequoia's security scandal in 2008, and a rotating flood of similar stories since, have driven this point home time, and time, and time again. And despite these warnings neither the companies that make these machines, nor the election commissions or local governments tasked with overseeing them, have done enough (or, in many cases, much of anything) to ensure that our Democratic process is secure.

The latest example of just how not under control this problem is comes out of Georgia, where reports indicate that somebody managed to completely wipe a server integral to a lawsuit against Georgia election officials. The lawsuit, filed by a coalition of election reform advocates, is attempting to force Georgia to retire antiquated and heavily-criticized election technology that has been under fire in the media since June, after security researchers indicated that the touch-screen machines could be easily tampered with without leaving much of a trace:

A misconfigured server, Logan Lamb discovered last August, had left Georgia’s 6.7 million voter records and other sensitive files exposed to hackers. And it may have been left unfixed for seven months. The vulnerability might have allowed attackers to plant malware and possibly rig votes or wreak chaos with voter rolls by deleting or altering records — a major concern amid heightened sensitivity to state-sponsored Russian election hacking.

Shortly after the lawsuit was filed, the servers of interest in the case were mysteriously wiped by technicians at the Center for Elections Systems at Kennesaw State University, which oversees the state’s election system. The Associated Press only discovered the wipe after obtaining an email from an assistant state attorney general to plaintiffs in the case. Efforts to determine who requested that the server be wiped clean have so far gone nowhere:

The Kennesaw election center answers to Georgia’s secretary of state, Brian Kemp, a Republican who is running for governor in 2018 and is the main defendant in the suit. A spokeswoman for the secretary of state’s office said Wednesday that “we did not have anything to do with this decision,” adding that the office also had no advance warning of the move. The center’s director, Michael Barnes, referred questions to the university’s press office, which declined comment.

Plaintiffs in the case have argued that data from last November’s election and a special June 20th congressional runoff cannot be trusted due to the unresolved flaws in the machines. And while the election server would have gone a long way toward answering that concern, it was wiped clean on July 7 -- just four days after the lawsuit was filed. Two backup servers were subsequently wiped clean on August 9, just as the case was moving to federal court.

Filed Under: e-voting, elections, evidence, georgia, servers, spoliation, voting integrity, wiped