Mentioned on the blog before, explore the full technical report from DEFCON's Voting Village
With election day barely in the rear view we can take a minute to appreciate the beauty of modern democracy and the peaceful transfer of power. Everything in our world is becoming connected and the voting process is no different. Gone are the days of recording your vote on a slip of paper and putting it in a ballot box. Increasingly, voting polls are favoring electronic voting machines to ease the collection and burden of counting votes. This September at DEFCON in Las Vegas a special area dubbed the Voting Village gathered over 25 pieces of voting equipment from voting machines to electronic poll books in order to find vulnerabilities in their design. This is the first time since the passage of the 1998 Digital Millennium Copyright Act that such equipment has been legally allowed to be exploited for educational purposes. At the end of their conference the results spoke for themselves, “...every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems” (DEFCON Voting Village Report).
Further exploration of the voting equipment revealed that many of the machines relied on foreign made components, in some cases from China, which raises supply chain security concerns. The DEFCON report also emphasized, “many of these systems had extensive use of binary software for subcomponents that could completely control the behavior of the system and information flow, highlighting the need for greater use of trusted computing elements to limit the effect of malicious software.” Certain machines were determined to have glaring vulnerabilities such as the AccuVote- TSx whose kernel for the Windows CE operating system retained local networking and modem support along with the Diebold ExpressPoll 5000 which had subpar physical security. The findings have hopefully spurred device makers and legislators alike to rethink security for pieces of equipment that have been deemed “critical infrastructure” by the Federal Government. Douglas E. Lute, former ambassador to NATO and retired Lieutenant General of the Army, stated, “The “Voting Village” at DEFCON ... was intended to make clear how vulnerable we are. The report describes clearly why we must act with a sense of urgency to secure our voting systems.” Hardware and software security strike at the heart of our democracy and are issues that can no longer be ignored.
Read the full DEFCON technical report here.