The same machines used in US elections were easily hacked REUTERS/Steve Marcus
A voting machine hacked to play Rick Astley鈥檚 “Never Gonna Give You Up鈥 might seem amusing – but it has a sinister sting in the tale. At聽security conference DEF CON in Las Vegas聽last week, security researchers proved that it is possible to access and change votes on the same voting machines used in US elections聽in the聽time it takes to watch a movie. Some of the hacks were even carried out wirelessly.
DEF CON purchased thirty voting machines from eBay and government auctions for the event. Ninety minutes after participants were let loose the first machines started to fall, with vote rigging and Rickrolling coming soon afterwards.
One of the machines was still using Windows XP, and so an exploit that has been known since 2003 allowed people to get remote access through its Wi-Fi system. This meant that the votes could be changed from anywhere.
Advertisement
Other exploits involved prying open mechanical locks covering USB ports or spotting the uncovered USB ports on the back. One team then simply plugged in a mouse and keyboard to gain control of the machine.
Go open source?
Rarely do voting machines get put through a test like this. Despite DEF CON hosting many hacking events over the past 25 years, this is the first time they鈥檝e hosted one specifically for voting machines. Manufacturers do their own testing, but few make the code or machines available for researchers or the general public to look over.
鈥淚f you make your code open source, any vulnerabilities that are found can be sorted before election day, which is good for democracy but not necessarily for the manufacturer鈥檚 reputation,鈥 says Steve Schneider, the Director of Surrey Centre for Cybersecurity.
To counteract this governments could announce that they will only buy voting machines with open source software. That way a competitor can鈥檛 gain an advantage by being less transparent than another.
鈥淥ne possible solution is to have end-to-end verifiability,鈥 says at Newcastle University. This uses similar techniques to those used in encryption to give voters a verifiable receipt of their vote. If the vote or the machine is tampered with then the receipt won鈥檛 match the public record of votes cast, indicating that the system has been compromised.
If security researchers find it so easy to hack voting machines, what about nation states? There鈥檚 already substantial evidence that Russia hacked emails from the Democratic National Committee and party leaders during the US presidential election. French president Emmanuel Macron鈥檚 team also suffered from cyberattacks during his election campaign. There鈥檚 no evidence that election results have actually been directly hacked in this way as yet, but an election is clearly a big target.
鈥淵ou have the stereotype of the hacker in their bedroom, but what we see these days is states like Russia, China, and presumably the US as well, who have a lot of resources to throw at cyberattacks on other countries,鈥 says Schneider.
The worrying thing is because many countries use voting machines that don鈥檛 have sufficient checks in place, rigging may have already gone unnoticed. 鈥淚t could have already happened and we wouldn鈥檛 know,鈥 he says.
Topics:
