A Hackathon Reveals Most Any Hacker Can Break Into Election Equipment

DEFCON hackers find it’s really easy to hack U.S. voting machines.

From July 27-30, 25,000 hackers — yes, you read that right — convened in Las Vegas for the DEFCON hacking conference. One of the topics under discussion was the security of U.S. voting systems, especially apt in light of ongoing investigations into possible Russian hacking of the American electoral system during the 2016 presidential election. At the conference, there was a gathering of voting hardware called “Voting Village" for hackers to check out and hack into, if they could. In September, DEFCON published the startling results of the Voting Village experiment at VerifiedVoting.org: Every single piece of voting hardware was successfully breached. The report was co-authored by DEFCON's founder Jeff Moss.


Douglas E. Lute, former U.S. ambassador to NATO and retired Lieutenant General of the U.S. Army, wrote the preface to DEFCON's report, explaining why he's getting involved in electoral security:

The answer is simple: last year's attack on America's voting process is as serious a threat to our democracy as any I have ever seen in the last 40+ years — potentially more serious than any physical attack on our Nation. Loss of life and damage to property are tragic, but we are resilient and can recover. Losing confidence in the security of our voting process — the fundamental link between the American people and our government – could be much more damaging. In short, this is a serious national security issue that strikes at the core of our democracy.

In fact, what happened at Voting Village was even worse than it seems, since the hackers didn't even possess the resources and tools a real-world hacker might have, such as “source code, operational data or other proprietary information," according to the report. And it didn't require any special skill, either; hackers of all levels broke in just fine.

Most of the equipment was purchased on eBay, though DEFCON has a special allowance that allows it to buy machines for research. Most current voting machines are made by just four manufacturers. All in all, there were 25 machines in Voting Village, including these:

  • AVS WinVote DRE (software version 1.5.4 / hardware version N/A)
  • Premier AccuVote TSx DRE (TS unit, model number AV - TSx, firmware 4.7.8)
  • ES&S iVotronic DRE (ES&S Code IV 1.24.15.a, hardware revision 1.1)
  • PEB version 1.7c - PEB - S
  • Sequoia AVC Edge DRE (version 5.0.24)
  • Diebold Express Poll 5000 electronic pollbook (version 2.1.1)

The DEFCON report reveals how stunningly weak the U.S. voting system is, with bold text added for emphasis:

    The first voting machine to fall — an AVS WinVote model — was hacked and taken control of remotely in a matter of minutes, using a vulnerability from 2003, meaning that for the entire time this machine was used from 2003-2014 it could be completely controlled remotely, allowing changing votes, observing who voters voted for, and shutting down the system or otherwise incapacitating it.

    That same machine was found to have an unchangeable, universal default password found with a simple Google search — of “admin" and “abcde."

    Virginia has decertified the AVS WinVote. (VerifiedVoting)

    An “electronic poll book", the Diebold ExpressPoll 5000, used to check in voters at the polls, was found to have been improperly decommissioned with live voter file data still on the system; this data should have been securely removed from the device before reselling or recycling it. The unencrypted file contained the personal information — including home residential addresses, which are very sensitive pieces of information for certain segments of society including judges, law enforcement officers, and domestic violence victims — for 654,517 voters from Shelby County, Tennessee, circa 2008.

    As important as the integrity of our election system is, the truth is it's a patchwork of rules and systems individually acquired and operated by each state in accordance with the first clause in Article 1, Section 4 of the U.S. Constitution.

    Local politicians have been able to, for example, maintain their hold on power by preventing their opponents' constituency from voting. This has been done through literacy tests at the polling place, as well as with the distribution of misleading information that's prevented voters from successfully casting ballots. Today, photo IDs are required in some states that make voting harder for certain groups — often, the only photo ID available locally is a driver's license — disproportionately affecting students, the poor, and the elderly. And there's always the question of incompetence that can result in ballots that make no sense to local voters or even to election officials during counting. Congress has modified national election laws only a few times to rectify egregious abuses, such as with the passage of the Voting Rights Act in 1965 and the National Voter Registration Act of 1993.

    All of which is to say that each state decides not only how its citizens will vote, but what kind of electoral machinery will be used. Whether or not the state has the requisite expertise or personnel on hand to select the best equipment, operate it, and keep it up-to-date and secure, that's the way it works. Budgetary considerations at times drive state election officials simply to find and take the best deal available — regardless of potential conflicts of interest or other considerations — or force them to keep machines in service long after they should be de-certified and decommissioned. States don't have the resources to thoroughly research the source of their machines' components either, meaning that, as DEFCON notes, “the extensive use of foreign-made computer parts… within the machines opened up a serious set of concerns that are very relevant in other areas of national security and critical infrastructure: the ability of malicious actors to hack our democracy remotely, and well before it could be detected."

    Election consultant Pam Smith tells Who.What.Why, “The very notion that local election officials would be able to protect themselves, when they are underfunded and under-resourced, is almost laughable."

    Five states — Delaware, Georgia, Louisiana, New Jersey and South Carolina — have chosen to forgo paper backups of voters' choices, and nine others are partially paperless. Paper backup is a critical line of defense when dealing with otherwise completely electronic Direct Recording Electronic (DRE) machines, viewed by cybersecurity experts as the most vulnerable systems, not to mention likely to experience occasional operational failures.

    The now-established certainty that Russia compromised our electoral systems in the elections of 2016 — though the full effect of their incursions is not yet known as of this writing — makes it clear that in our interconnected world, electoral security needs to be considered an issue of national security and no longer left to individual states. As Lute writes, “First, Russia has demonstrated successfully that they can use cyber tools against the US election process. This is not an academic theory; it is not hypothetical; it is real. This is a proven, credible threat. Russia is not going away. They will learn lessons from 2016 and try again. Also, others are watching. If Russia can attack our election, so can others: Iran, North Korea, ISIS, or even criminal or extremist groups." Gen. Michael Hayden has said he suspects Russia's Vladimir Putin must be pleased: "He wants to bring us down in the eyes of ourselves and of his people."

    Some state-level politicians will undoubtedly be reluctant to cede control over their election systems; we can expect to hear concerns voiced about “big government" whether in the context of it being a too-powerful controlling force on one hand, or, on the other, being incapable of doing it competently. There are currently state-level efforts under way to address the gaping security holes, and we can, at the very least, encourage these endeavors.

    But belief in our democracy is something we're on the verge of losing altogether. Even before the 2016 election, doubt was in the air, and since then faith in the honesty of U.S. elections has dropped precipitously.


    Given how unlikely it is that hackers bent on destruction have slacked off, though, the sooner we can secure our systems, the better. It may be something only the Federal government can do. We'll have to watch closely from here on in.
