Professional Documents
Culture Documents
Search
Topics
Search
Sign In Create Account
Special Reports
Tech Talk Computing Networks
Computing
Blogs
By Mark Anderson
E-voting machines and voter registration systems used widely in the United States and other
countries’ elections can readily be hacked—in some cases with less than two hours’ work. This
https://spectrum.ieee.org/tech-talk/computing/networks/defcon-hackers-find-holes-in-every-voting-machine 1/4
11/13/2019 DEFCON Hackers Found Many Holes In Voting Machines And Poll Systems IEEE Spectrum - IEEE Spectrum
conclusion emerged from a three-day-long hackathon at the Def Con security conference in Las
Vegas last weekend. Some of those hacks could potentially leave no trace, undercutting the
assurances of election officials and voting machine companies who claim that virtually
unhackable election systems are in place.
Def Con, an annual computer hacking conference celebrating its 25th year, hosted its first
Voting Machine Hacking Village this year. In it, conference attendees were given access to many
of the most popular voting machines and voter registration tracking systems in use around the
world today. And before the Hacking Village organizers were even finished with their opening
morning introductory remarks, a Danish hacker in the audience had already broken into one of
the target machines wirelessly.
Soon after on the same morning, a second group in the room wirelessly hacked into a
popular electronic poll book system, responsible for storing and maintaining voter registration
information. In total, the inaugural e-voting hackathon turned up at least 18 new vulnerabilities
to e-voting and e-poll book systems. (This may be a conservative estimate, as the hacks
discovered at the Village are now being verified and studied before they’ll be compiled and
counted as legitimate new hacks.)
“These people who hacked the e-poll book system, when they came in the door they didn’t even
know such a machine exists. They had no prior knowledge, so they started completely from
scratch,” says Harri Hursti, Hacking Village co-coordinator and data security expert behind
the first hack of any e-voting system in 2005.
The Danish hacker, Hursti added, also had no prior knowledge about the e-voting system he
hacked. Both hacks, Hursti says, undermine critics who have claimed that computerized
election system hacks are too elaborate and unrealistic to be used in real world settings.
“I hacked the same e-poll book system in 2007,” Hursti says. But it took him two weeks instead
of the few hours it took hackers last weekend.
One big difference between now and then is a key rule issued in October 2015, by the U.S.
Copyright Office. That rule established that hacks to e-voting and electronic vote counting and
tabulating systems are allowable under the Digital Millennium Copyright Act—so long as those
hacks are used for research purposes.
Prior to 2015, Hursti says, the DMCA restricted e-voting machine access to hackers. And those
few like Hursti who could access them had to ensure that the machines were not altered in any
way that might affect their performance or void their warrantees.
So, realistically, the Hacking Village couldn’t have happened anytime before the Copyright
Office’s DMCA e-voting machine exemption, Hursti says.
The restricted access that real-world hackers previously had to voting machines made the
weekend something of an opening of the floodgates. As Village co-organizer Matt Blaze,
associate professor of computer and information science at the University of
Pennsylvania, tweeted, “Overheard more than once (at the Hacking Village): 'Wait, it can't be
that simple, can it?'”
https://spectrum.ieee.org/tech-talk/computing/networks/defcon-hackers-find-holes-in-every-voting-machine 2/4
11/13/2019 DEFCON Hackers Found Many Holes In Voting Machines And Poll Systems IEEE Spectrum - IEEE Spectrum
One disturbing aspect of a number of attacks was that a hacker might be able to cover their
tracks. The untraceability of such hacks is nothing new. Hursti recalls an interaction he had
with Ohio’s then-Secretary of State Jennifer Brunner, who he says assured him there was not a
single incident of any e-voting machine ever being hacked.
“I said if you continue to use these machines, that will always remain true,” Hursti says. “These
machines have no capability of providing you any kind of evidence whether they were not
hacked or hacked. There’s no protective locks, there’s no forensic evidence gathering. There’s
absolutely nothing. The machine cannot prove it’s been hacked.”
And while this year’s Hacking Village concentrated on voting’s front-end—the e-voting
machines and e-poll registration systems used at polling places—there are other spots for
hackers to attack.
“There has been a lot of interest in the voting machines, because that’s the customer-facing side.
That is the machine the voter sees,” Hursti says. “That is just the tip of the iceberg. The whole
system is the election management system, the ballot originating system, the tallying system,
the reporting system, the voter registration system, the e-poll books. That is a humungous
amount of infrastructure.”
Future DEF CON Voting Machine Hacking Villages plan to tackle such larger election
cybersecurity challenges, the organizers say.
In the meantime, Hursti is advocating for a return to a smart paper-ballot and scan machine
system, plus regular audits.
“A lot of these electronic voting machines are software unfixable,” he says. “The problem is in
the hardware design. The problem is in the architecture. There’s nothing you can do in software
to really fix them.”
On the other hand, Hursti disagrees with some e-voting critics who overcompensate and
advocate a return to hand-counting paper ballots. “That is stupid,” he says. “Humans are
extremely error prone. Humans have the capability of being dishonest. So paper ballots with the
responsible use of technology—meaning, optical scan machines, software analyzing, and an
audit process which will verify the machine-produced results. And whether the audit process is
purely human, or by software and other scanners, those are other questions. Different
jurisdictions will pick up different answers.”
“The sad part here is in 10 years nothing really has happened, except that the [voting
officials] have moved on,” he says. “And we have shown it over and over again that electronic
voting is currently beyond our technical capabilities… if we keep auditability and secrecy and
privacy of the ballot, then we cannot have electronic voting. That’s a full stop.”
https://spectrum.ieee.org/tech-talk/computing/networks/defcon-hackers-find-holes-in-every-voting-machine 3/4
11/13/2019 DEFCON Hackers Found Many Holes In Voting Machines And Poll Systems IEEE Spectrum - IEEE Spectrum
https://spectrum.ieee.org/tech-talk/computing/networks/defcon-hackers-find-holes-in-every-voting-machine 4/4