Corroborating the growing ill ease of American voters, a group of expert hackers at the 25th convention of DefCon in Las Vegas proved last weekend that 30 different types of digital voting machine used in this country either presently or recently are infinitely hackable.
"The first ones were discovered within an hour and 30 minutes. And none of these vulnerabilities has ever been found before, they'll all new," said Harri Hursti, co- coordinator of this "Hacking Village." [quote from USA Today article, July 30].
Such proofs have been accomplished as early as 2003 when Election Integrity (EI) pioneer Bev Harris discovered, by accident and because of vendor negligence, huge security holes in Diebold source code, confirmed by other experts when she referred her findings to them. And ever since then, other hacks have been performed in public on other brands, including the top brands sold here: Diebold (absorbed by Canada-based Dominion), ES&S, Sequoia (now owned by Dominion), and Hart InterCivic.
But the machinery hacked into was largely very difficult to obtain and one had to be transmitted to an expert in a back alley, for example. Sequoia Voting Systems threatened to sue when an expert asked for machinery to test. Go to eBay these days, however, and take your choice.
At the Hackers Village in Las Vegas, expert hackers did and managed to penetrate all 30. In one case, as happened in Prof. Alex Halderman's successful hack into an experimental Internet voting system in Washington, DC in 2010, an expert was able to add music to the programming, turning the vaunted security system into a joke. Some of the machinery was deemed less secure than the PCs we use daily in our homes and offices all over the country.
(And, I might add, industry experts say that far superior machinery could be manufactured, but the cost would be prohibitive.)
But the big news is that a DF card was left in one ES&S ExpressPoll-5000 electronic poll book that contains the names and other personal information on 650,000 registered voters in Shelby County, Tennessee. The card should have been extracted before the machine was junked, according to Sean Gallagher, one of the experts participating in the DefCon Hackers Village. The database was, as of July 29, in the hands of one of the experts. In addition to voter names, other information included addresses, driver's licenses, birthdays, voting history, but no social security information, according to California-based journalist specializing in cybersecurity/national security Kim Zetter and others.
According to the Volunteer State secretary of state's office (SoS), the information is accessible for public inspection, but lists extracted from it require a fee and must be requested for "political" purposes only. And even though the information is accessible to the public, when the infamous Kansas vice chair of the Presidential Committee on "Election Integrity," Kris Kobach, requested such a statewide list from the SoS, he demurred. Even though we all know that nationwide the lists have been requested twice by Kobach for "political," not objective governmental reasons.
According to USA Today, "This is the first time such an open and large-scale hacking of voting machines has been attempted, because until October of 2015 such efforts were illegal under the Digital Millennium Copyright Act. An exemption by the Librarian of Congress now allows good faith efforts meant to find vulnerabilities, leading conference organizers to launch the event."
One motivation for the Hacking Village, of course, was alleged Russian tampering with 21 state systems--their target was probably swing states, though no actual votes had been extracted in this process, as reported by Forbes magazine.
Another motive was, of course, to do something about this deplorable situation of next-to-useless-because-easily hackable voting machinery, and who, if not state-of-the-art experts, is qualified to help fix it?
Some of the machinery models had been decommissioned by vendors and auctioned off to anyone. Some is still being used. One question that arose, of course, was how many other decommissioned machines thus dispersed contained such sensitive data, which were supposed to be removed before the machines went public/ according to renowned security researcher Matt Blaze.
In other relevant news, reflecting bipartisan exasperation with the abysmal condition of our country's digital election systems, two Members of Congress attended the event, Rep. Will Hurd (R-TX), and Rep. Jim Langevin (D-RI). "[Such experts] could play an important role in addressing increasingly alarming vulnerabilities in the nation's voting apparatus," said Hurd. chair of the House Committee on Information Technology. Langevin is co-founder and co-chair of the Congressional Cybersecurity Caucus.
Said Langevin, ""Never underestimate the value that you can bring to the table in helping to educate members and staff of what the best policies are, what's going to work, and what's not going to work," as quoted by Parallax.