11/13/2019 DEFCON Hackers Found Many Holes In Voting Machines And Poll Systems IEEE Spectrum - IEEE Spectrum

Topics Reports Blogs Multimedia Magazine Resources

Search

Topics
Search
Sign In Create Account
Special Reports
Tech Talk Computing Networks
Computing
Blogs

03 Aug 2017 | 13:39 GMT

Multimedia
DEFCON Hackers Found Many Holes in Voting Machines
The Magazine
and Poll Systems
Professional Resources
Annual Las Vegas gathering of white-hat hackers breaks into e-voting and
registration systems, sometimes in just a few hours
Newsletters

By Mark Anderson

Posted 03 Aug 2017 | 13:39 GMT

Photo: Steve Marcus/Reuters

A hacker tries to access and alter data from an electronic poll book in a Voting Machine
Hacking Village during the Def Con hacker convention in Las Vegas, Nevada, on 29
July 2017.

E-voting machines and voter registration systems used widely in the United States and other
countries’ elections can readily be hacked—in some cases with less than two hours’ work. This

https://spectrum.ieee.org/tech-talk/computing/networks/defcon-hackers-find-holes-in-every-voting-machine 1/4
11/13/2019 DEFCON Hackers Found Many Holes In Voting Machines And Poll Systems IEEE Spectrum - IEEE Spectrum

conclusion emerged from a three-day-long hackathon at the Def Con security conference in Las
Vegas last weekend. Some of those hacks could potentially leave no trace, undercutting the
assurances of election officials and voting machine companies who claim that virtually
unhackable election systems are in place.

Def Con, an annual computer hacking conference celebrating its 25th year, hosted its first
Voting Machine Hacking Village this year. In it, conference attendees were given access to many
of the most popular voting machines and voter registration tracking systems in use around the
world today. And before the Hacking Village organizers were even finished with their opening
morning introductory remarks, a Danish hacker in the audience had already broken into one of
the target machines wirelessly.

Soon after on the same morning, a second group in the room wirelessly hacked into a
popular electronic poll book system, responsible for storing and maintaining voter registration
information. In total, the inaugural e-voting hackathon turned up at least 18 new vulnerabilities
to e-voting and e-poll book systems. (This may be a conservative estimate, as the hacks
discovered at the Village are now being verified and studied before they’ll be compiled and
counted as legitimate new hacks.)

“We have shown it over and over again that electronic

voting is currently beyond our technical capabilities”
—Harri Hursti, Hacking Village at Def Con

“These people who hacked the e-poll book system, when they came in the door they didn’t even
know such a machine exists. They had no prior knowledge, so they started completely from
scratch,” says Harri Hursti, Hacking Village co-coordinator and data security expert behind
the first hack of any e-voting system in 2005.

The Danish hacker, Hursti added, also had no prior knowledge about the e-voting system he
hacked. Both hacks, Hursti says, undermine critics who have claimed that computerized
election system hacks are too elaborate and unrealistic to be used in real world settings.

“I hacked the same e-poll book system in 2007,” Hursti says. But it took him two weeks instead
of the few hours it took hackers last weekend.

One big difference between now and then is a key rule issued in October 2015, by the U.S.
Copyright Office. That rule established that hacks to e-voting and electronic vote counting and
tabulating systems are allowable under the Digital Millennium Copyright Act—so long as those
hacks are used for research purposes.

Prior to 2015, Hursti says, the DMCA restricted e-voting machine access to hackers. And those
few like Hursti who could access them had to ensure that the machines were not altered in any
way that might affect their performance or void their warrantees.

So, realistically, the Hacking Village couldn’t have happened anytime before the Copyright
Office’s DMCA e-voting machine exemption, Hursti says.

The restricted access that real-world hackers previously had to voting machines made the
weekend something of an opening of the floodgates. As Village co-organizer Matt Blaze,
associate professor of computer and information science at the University of
Pennsylvania, tweeted, “Overheard more than once (at the Hacking Village): 'Wait, it can't be
that simple, can it?'”

Another attendee added, “Default passwords, man. Default passwords. #votingvillage”

https://spectrum.ieee.org/tech-talk/computing/networks/defcon-hackers-find-holes-in-every-voting-machine 2/4
11/13/2019 DEFCON Hackers Found Many Holes In Voting Machines And Poll Systems IEEE Spectrum - IEEE Spectrum

One disturbing aspect of a number of attacks was that a hacker might be able to cover their
tracks. The untraceability of such hacks is nothing new. Hursti recalls an interaction he had
with Ohio’s then-Secretary of State Jennifer Brunner, who he says assured him there was not a
single incident of any e-voting machine ever being hacked.

“I said if you continue to use these machines, that will always remain true,” Hursti says. “These
machines have no capability of providing you any kind of evidence whether they were not
hacked or hacked. There’s no protective locks, there’s no forensic evidence gathering. There’s
absolutely nothing. The machine cannot prove it’s been hacked.”

And while this year’s Hacking Village concentrated on voting’s front-end—the e-voting
machines and e-poll registration systems used at polling places—there are other spots for
hackers to attack.

“There has been a lot of interest in the voting machines, because that’s the customer-facing side.
That is the machine the voter sees,” Hursti says. “That is just the tip of the iceberg. The whole
system is the election management system, the ballot originating system, the tallying system,
the reporting system, the voter registration system, the e-poll books. That is a humungous
amount of infrastructure.”

Future DEF CON Voting Machine Hacking Villages plan to tackle such larger election
cybersecurity challenges, the organizers say.

In the meantime, Hursti is advocating for a return to a smart paper-ballot and scan machine
system, plus regular audits.

“A lot of these electronic voting machines are software unfixable,” he says. “The problem is in
the hardware design. The problem is in the architecture. There’s nothing you can do in software
to really fix them.”

On the other hand, Hursti disagrees with some e-voting critics who overcompensate and
advocate a return to hand-counting paper ballots. “That is stupid,” he says. “Humans are
extremely error prone. Humans have the capability of being dishonest. So paper ballots with the
responsible use of technology—meaning, optical scan machines, software analyzing, and an
audit process which will verify the machine-produced results. And whether the audit process is
purely human, or by software and other scanners, those are other questions. Different
jurisdictions will pick up different answers.”

“The sad part here is in 10 years nothing really has happened, except that the [voting
officials] have moved on,” he says. “And we have shown it over and over again that electronic
voting is currently beyond our technical capabilities… if we keep auditability and secrecy and
privacy of the ballot, then we cannot have electronic voting. That’s a full stop.”

The Tech Alert Newsletter

Receive latest technology science and technology news & analysis from
IEEE Spectrum every Thursday.

About the Tech Talk blog

https://spectrum.ieee.org/tech-talk/computing/networks/defcon-hackers-find-holes-in-every-voting-machine 3/4
11/13/2019 DEFCON Hackers Found Many Holes In Voting Machines And Poll Systems IEEE Spectrum - IEEE Spectrum

IEEE Spectrum’s general technology blog,

featuring news, analysis, and opinions about
engineering, consumer electronics, and
technology and society, from the editorial
Featured Jobs staff and freelance contributors.

Tenure-Track/Tenured Professor Assistant Professor of Computer

Follow @IEEESpectrum Computer Science Assistant Prof
Subscribe to RSS Feed
Positions in Theoretical Computer Science Santa Barbara, California
Science Seattle, Washington University of California, Santa Barbara
West Lafayette, Indiana Seattle Pacific University
Department of Computer Science in the
College of Science at Purdue University
More J

https://spectrum.ieee.org/tech-talk/computing/networks/defcon-hackers-find-holes-in-every-voting-machine 4/4