I’m just going to leave this here.
Google and Apple invite hackers to find flaws in their code and offer hefty rewards to those who find them. It’s a common practice in the industry. The government’s done it too, with programs like “Hack the Pentagon.”
But opportunities to test how secure our voting machines are from hackers have been rare. Manufacturers like to keep the details of voting machines secret. And they don’t often provide machines for people to test.
That’s why hackers swarmed to the Voter Hacking Village at Defcon in Las Vegas. The massive hacker convention is split into “villages” based on themes such as lock picking, encryption, social engineering and, for the first time, voter machine hacking.
Defcon received more than 30 voting machines to play with, providing a rare opportunity for hackers to find the flaws in our democracy’s technology. (The organizers didn’t specify how many models the 30 units represented.) Voting technology was elevated into the political spotlight in 2016 as lawmakers raised concerns about Russian hacking and President Donald Trump’s road to the White House.
To be clear, there’s no evidence any votes were hacked during the 2016 presidential election. But there hasn’t been much research on the voting machines to see if it’s possible.
“The exposure of those devices to the people who do bug bounties or actually look at these kind of devices has been fairly limited,” said Brian Knopf, an internet of things security researcher for Neustar, a security analysis company. “And so Defcon is a great opportunity for those of us who hack hardware and firmware to look to these kind of devices and really answer that question, ‘Are they hackable?’”
After just about an hour and a half, the answer was an emphatic “yes.”
I don’t want to be alarmist. The one specific voting machine mentioned in the story is one that has been out of use since 2015, so it’s hard to say how real-world and prevalent some of this is. The problem is that there’s a lot of secrecy around voting machine technology, so while there are no known examples of systems being compromised, we mostly just have the assurances of the people in charge that there’s nothing to see here. There’s a lot of room to improve standards and transparency, in the name of promoting faith in the security of the system.