This time at the DEF CON hacking convention in Las Vegas, 30 ballot boxes running software used in American elections were set up in a simulated public White House race, and hackers got to work actually tearing the gear apart to find out what was hidden inside.
In less than 90 minutes, the opening cracks in the systems' defenses began appearing, revealing an embarrassingly low level of security. Then one was completely hacked wirelessly.
“Without issue, US voting systems are vulnerable and susceptible. Thanks to the participation of the hacker association today, we’ve revealed even more concerning exactly how,” said Jake Braun, who sold DEF CON founder Jeff Moss on the plan earlier this year.
“The scary point is we also understand that our foreign adversaries, including Russia, North Korea, Iran, maintain the abilities to hack them too, in this manner undermining systems of democracy and endangering US national security.”
The devices, ranging from Diebold to Sequoia and WinVote equipment, were purchased on eBay or from government disposals, and an examination of them at the DEF CON Voting Village exposed a sorry state of affairs. Some were running very outdated and exploitable software, such as unpatched versions of OpenSSL and Windows XP and CE. Some had physical ports open that could be used to install malicious software to tamper with votes.
Harri Hursti is a co-coordinator of the weekend-long Voting Machine Hacking Village event at the DEF CON computer security conference in Las Vegas. Hursti is a partner at Nordic Innovation Labs and an expert on election security issues.
It’s one thing to actually nobble a box in front of you, which isn’t difficult for election administrators to spot and stop. It’s another to do it over the air from a mile away. Apparently, some of the boxes included inadequately secured Wi-Fi connectivity. A WinVote system used in previous county elections was, it seems, hacked via Wi-Fi and the MS03-026 vulnerability in WinXP, allowing infosec academic Carsten Schurmann to access the machine from his laptop using RDP. Another system could potentially be cracked remotely via OpenSSL bug CVE-2011-4109, it is claimed.