They’re running ancient software I think that like if somebody wanted to it would be pretty easy to fake an election less than a couple hours with access and they’re already figuring out ways to break in and play pranks But it gets more serious I feel like I’m the only one here that hasn’t found a vulnerability it’s not what you think they’ve all been invited here to demonstrate just how vulnerable the tech we rely on for our elections and be the experiment is the brainchild of Jake Braun
He’s a former security adviser for the Obama administration you know with everything that happened in 16 what we’re trying to do is get this indigent industry to mature from a cybersecurity perspective so you don’t have folks saying what they are now which is things like the machines are unhackable or
Databases our air-gapped and can’t be changed it’s not clear if any actual machines were infiltrated in the 2016 election and no one has suggested any physical votes were changed but intelligence officials agreed that Russia was able to meddle with other election related systems this inspired broaden the organizers of this year’s
DEFCON hacking conference to collect over 30 pieces of voting related equipment including voting machines and a mock elections office and tell a group of hackers to try any means necessary to break into and reverse-engineer them and it didn’t take long several were compromised within the first hour and a
Half so if you’re a voter in America we’re likely hacking the Machine that you vote on there’s a few dozen of these machines and also electronic poll books and some states people check in on an electronic device as opposed to a paper book how you cast your vote varies from
District to district some places use this machine some places use that one some counties only vote on paper ballots but almost all of these machines are still in use somewhere in the United States some of the hacks might not work if your district is updated the software on the
Machines although many dump we can go ahead and impact this log within 10 seconds you gain access to the operating system we could actually remove this and clone this particular USB we could go back and start looking at and reverse engineering what’s on this image and determining the various ways that we can
Impact this particular operating system I like it every time it removes the Windows XP you hear people groaning behind the machines you use to cast your vote aren’t the only point of entry for attackers other election related systems like campaign networks and registration databases are also at risk the
Vulnerabilities of the voting machine level are very localized and what we’re trying to simulate out here is the entire back-end Network there’s a lot of mischief these guys can do without ever actually having to physically get access to a machine but they were just to go in
And mess up the voter file you could have millions of people showing up at the wrong precinct or showing up the right precinct but the names wrong in the poll book and then all of a sudden now they don’t know where they need to go intelligence officials stated that
Russia was able to influence the election without the need to penetrate actual voting machines by breaching DNC computers accessing staffer emails and opposition research the Department of Homeland Security also found that they targeted election related systems and as many as 21 states if you wanted to go in and specifically manipulate vote counts
On every single machine in America that’d be really hard to do but you don’t need to do that to have an impact on on the election in 18 either you’d only have to flip a couple Senate seats to have an impact on US Congress if it can be done there’s a chance it’s
Already being done if a nation-state a criminal organization if they would start doing this they would have stolen databases they would have stolen machines they would have manuals they would have started they have started with nothing few hours ago the uphill battle they have fought to get where they are is incomprehensible
It’s more difficult than what real criminal would need to do do you think that nation-states real criminals have already having ideas from the vulnerabilities that are being discovered today absolutely it’s all document it’s in public documents it’s it’s it’s not hiding anywhere you can go actually the Secretary of State websites
And download and learn hundreds and hundreds of abilities by the end of the weekend all of the available machines had been hacked successfully including an electronic poll books system that still contained the personal data of over 650 thousand Tennessee voters in Shelby County information that hadn’t been properly wiped before the machines
Were resold the county’s administrator of Elections told CNN tech that they are looking into the incident and that as far as they’re aware the information exposed on the poll book is already publicly available through a request to the Board of Elections when reached for comment manufacturer election systems
And software told CNN Tech unrestricted access to a voting unit in an uncontrolled environment is not a legitimate test we’ve extended an invitation to the organizers of DEFCON inviting them to visit our home office meet our developers and engage in a collaborative discussion regarding voting system security to date we have
Not received a response Dominion voting systems did not respond to our request for comment the plan is to eventually present the events findings to Congress what the election industry needs to do is start working together with our national security agencies to share threat information understand when the bad guys get in and
Then get them out when they do if we don’t get our act together quickly this could be one of the biggest threats to American democracy in our history do you believe that right now we are in a position where the 2020 election will be hacked Oh without question I mean the
2020 election will be hacked no matter what we do even if we’re as more successful than I even think we could be in securing our elections the question is will we be able to identify the attacks before they can have an impact on the election through things like
Audits of vote counts and can we get the bad guys out before they can do something bad you