Hackers will target American voting machines—as a public service, to prove how vulnerable they are.
When over 25,000 of them descend on Caesar’s Palace in Las Vegas at the end of July for DEFCON, the world’s largest hacking conference, organizers are planning to have waiting what they call “a village” of different opportunities to test how easily voting machines can be manipulated.
Some will let people go after the network software remotely, some will be broken apart to let people dig into the hardware, and some will be set up to see how a prepared hacker could fiddle with individual machines on site in a polling place through a combination of physical and virtual attacks.
At 2015’s DEFCON, hackers targeted onboard car software, and two shut down a Jeep’s brakes and transmission from miles away.
With all the attention on Russia’s apparent attempts to meddle in American elections—former President Barack Obama and aides have made many accusations toward Moscow, but insisted that there’s no evidence of actual vote tampering—voting machines were an obvious next target, said DEFCON founder Jeff Moss.
Imagine, he said, what a concerted effort out of Russia or anywhere else could do.
“That’s the point: we’re only going to play with them for a couple of days, but bad guys can play with them for weeks or years,” Moss said.
Moss (also known as Dark Tangent) is a former member of Obama’s Homeland Security Advisory Council. He said he’s concerned that no one has proven where the soft spots are—and the combination of non-disclosure agreements and private contracts have allowed misinformation to take root.
“Pretty much, just like everything else, it’s time for hackers to come in and tell you what’s possible and what’s not,” Moss said.
Moss and other organizers are at the early stages of planning, locating used voting machines on eBay and elsewhere, and they’re already anticipating the excuses that any success they have hacking will be dismissed by the companies as not being up to date with their systems.
“Election machines used in USA really do not have security standards – the voluntary voting system standard addresses air humidity and shock resistance, but not security. This means that the old systems which were designed with no security consciousness are not being replaced with responsibly designed successors,” said Harri Hursti, a Finnish computer programmer who has worked on election-related issues in Finland, the United Kingdom, Estonia, Argentina and the United States. “Also, vendors are frequently blatantly mispresenting the specifications and the properties of the equipment they sell to the jurisdictions.”
Jake Braun, a White House liaison to the Department of Homeland Security under Obama, and currently a cybersecurity lecturer at the University of Chicago and CEO of Cambridge Global, said he’s hoping the event helps produce a report for DHS and Congress about the problems.
“Up until now, the voting machines companies keep telling us everything is totally secure, when everyone in cybersecurity knows there’s nothing that’s totally secure, it’s all just a matter of risk mitigation,” Braun said. “It’ll be good to get some independent folks who don’t have an ax to grind one way or the other.”
He laughs at the voting machine companies which insist there’s nothing to worry about.
“That answer in and of itself shows a total lack of sophistication in cyber security,” Braun said. “Anybody who says they’re un-hackable just doesn’t know what they’re talking about.”
Moss said he’d be happy to have the voting machine companies be actively involved, bring their voting machines, and help learn from the event. He noted that Tesla sent its vice president in the past when hackers were targeting self-driving cars.
“You’re getting something that would be hard to pay for – why not embrace it?” he said.
He doesn’t expect the notoriously secretive companies will take him up on the offer.
“I think,” he said, “they’re going to freak out.”