The Washington PostDemocracy Dies in Darkness

Hackers were told to break into U.S. voting machines. They didn’t have much trouble.

August 12, 2019 at 3:10 p.m. EDT
(Steve Marcus/Reuters)

LAS VEGAS — As Sen. Ron Wyden (D-Ore.) toured the Voting Village on Friday at Def Con, the world’s hacker conference extraordinaire, a roomful of hackers applied their skills to voting equipment in an enthusiastic effort to comply with the instructions they had been given: “Please break things.”

Armed with lock-pick kits to crack into locked hardware, Ethernet cables and inquiring minds, they had come for a rare chance to interrogate the machines that conduct U.S. democracy. By laying siege to electronic poll books and ballot printers, the friendly hackers aimed to expose weaknesses that could be exploited by less friendly hands looking to interfere in elections.

Wyden nodded along as Harri Hursti, the founder of Nordic Innovation Labs and one of the event’s organizers, explained that the almost all of the machines in the room were still used in elections across the United States, despite having well-known vulnerabilities that have been more or less ignored by the companies that sell them. Many had Internet connections, Hursti said, a weakness savvy attackers could abuse in several ways.

Wyden shook his head in disbelief.

“We need paper ballots, guys," Wyden said.

After Wyden walked away, a few hackers exchanged confused expressions before figuring out who he was.

“I wasn’t expecting to see any senators here,” one said with a laugh.

In the three years since its inception, Def Con’s Voting Village — and the conference at large — has become a destination not only for hackers but also for lawmakers and members of the intelligence community trying to understand the flaws in the election system that allowed Russian hackers to intervene in the 2016 election and that could be exploited again in 2020.

This year’s programming involved hacking voting equipment as well as panels with election officials and security experts, a demonstration of a $10 million experimental voting system from the Pentagon’s Defense Advanced Research Projects Agency, and a “part speed-dating, part group therapy" session where state and local election officials gathered with hackers to hash out challenges of securing elections.

Congregants spoke often of the need for thorough auditing of election results, increased funding and improved transparency from vendors. The call for paper ballots was a common refrain. At the time of the 2018 midterm elections, Delaware, Georgia, Louisiana, New Jersey and South Carolina had no auditable paper trails.

“Election officials across the country as we speak are buying election systems that will be out of date the moment they open the box,” Wyden said in the Voting Village’s keynote speech. “It’s the election security equivalent of putting our military out there to go up against superpowers with a peashooter.”

House Democrats have introduced two bills that would require paper records to back up voting machines, mandate post-election audits and set security standards for election technology vendors. But Senate Majority Leader Mitch McConnell (R-Ky.) has repeatedly blocked votes on the bills, saying election security is the province of the states.

Last month, the Senate Intelligence Committee released a report detailing how Russian hackers probably targeted all 50 states between 2014 and 2017. Although the report did not find evidence that Russian actors tampered with vote tallies on Election Day, the committee said that hackers “exploited the seams” between federal and state authorities and that states weren’t sufficiently prepared to handle such an attack.

“In 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking,” the report reads. “Voter registration databases were not as secure as they could have been. Aging voting equipment, particularly voting machines that had no paper record of votes, were vulnerable to exploitation by a committed adversary. Despite the focus on this issue since 2016, some of these vulnerabilities remain.”

Local election officials at Def Con echoed these fears. Joel Miller, an election auditor in Linn County, Iowa, and repeat Def Con attendee, said he’ has had to file Freedom of Information Act requests and a Help America Vote Act complaint to try to get answers about security concerns in the state’s voter registration system from Iowa’s secretary of state. Russian hackers attempted to infiltrate the system in 2016, and while an overhaul of the 14-year-old system is impending, officials have said it will not be replaced before 2020.

“We don’t know what’s going on with the system,” Miller said. “I’m a former IT director, and I know more about what I don’t know, but that’s almost worse than if I didn’t have a tech background. I’m aware there’s more threats out there than we can handle.”

A spokesman for the Iowa secretary of state defended the security of the state’s systems and noted that Secretary of State Paul D. Pate’s chief of staff also attended Def Con this year. “Iowa’s system is secure and we work every day to ensure it remains secure,” the spokesman, Kevin Hall, said in an emailed statement. “Cybersecurity threats are constantly evolving and we are constantly evaluating what’s in place and what gains we can make. This is a race without a finish line.”

At the Voting Village, nestled in a ballroom in the sprawling Planet Hollywood convention center, hackers put the machines’ weaknesses on display with playful flourishes, overtaking one electronic poll book to play the first-person shooter game Doom on it, or leaving Nyan Cat, a Japanese meme, sailing across the screen of another made by VR Systems. Ahead of the 2016 election, Russian hackers installed malware on VR Systems’ company network, The Washington Post reported.

The Voting Village has faced extreme pushback from voting equipment companies and government officials in the past. They’ve argued that the free-for-all environment at Def Con doesn’t replicate the realities of security on Election Day. The National Association of Secretaries of State condemned the exercise as “unrealistic” last year, and Election Systems & Software, one of the major voting machine vendors, sent a letter to its customers making the same argument.

"Physical security measures make it extremely unlikely that an unauthorized person, or a person with malicious intent, could ever access a voting machine,” ES&S wrote last year.

ES&S and VR Systems did not respond to requests for comment about this year’s village.

Hursti said vendors have used legal threats to “create a chilling effect” on research of their equipment, and that they were “actively trying to shoot the messengers” rather than reckon with the weaknesses in their products. That lack of cooperation has left organizers to search for machinery to use at the Voting Village: Some equipment was rescued from a warehouse where the roof collapsed, while other was snagged in government surplus auctions or on eBay, Hursti said.

“One rebuttal is to say we give a lot of access to the machines, but in reality, that’s how research works. Whether or not you can show me how to attack this machine in x or y setting is beside the point,” Hursti said. “This is about discovering vulnerability and stopping it before weaponization.”

The first primary votes of the 2020 election will be cast in the Iowa caucuses in just a few months, but it’s impossible to patch the gaping security holes in U.S. election security by then, or even by Election Day, Hursti said.

“Everyone claiming we can fix this by 2020 is giving a false sense of security,” Hursti said. “The aim should be, can we do something by 2022 or 2024?”

Hours after the Voting Village opened, it was packed with hackers sporting T-shirts with slogans such as, “If I’m not on the government watchlist, someone isn’t doing their job” and “Come to the Dork side" — all eager to test their skills as an act of civic service. By the end of the weekend, they would uncover a litany of new vulnerabilities in the voting equipment, ranging from gallingly obvious passwords to hardware issues and exposure to remote attacks.

On Friday afternoon, one conference attendee meandered through the labyrinth of tables covered in dusty voting equipment and Pabst Blue Ribbon cans, explaining the enterprise to his less-well-versed companion.

“So, this is how the Russians did it,” he said, as a hacker near him crowed about how easy it was to pick the lock on a machine. “The fate of our whole country rests on these machines.”

He shuddered.