As hackers at the Defcon security conference this weekend successfully probed voting equipment for security holes at the second annual Defcon Voting Village, officials downplayed the risks to actual elections.
Experts successfully took over digital voting machines, some of which are still in use, using a variety of vulnerabilities that allowed them to explore files on the machines, hijack them to play music and in some cases change votes, according to Defcon officials. Separately, as part of the r00tz Asylum series of Defcon events for young people, children and teens learned about security vulnerabilities that have previously been found in state election reporting sites. They got to practice using them on replica sites that had been set up for the conference, with one 11-year-old successfully making it appear that Libertarian Party candidate Darrell Castle had carried Florida in 2016, BuzzFeed News reports. And Defcon officials said some election officials praised the event
“It’s been incredible the response we’ve received,” Voting Village cofounder Matt Blaze said in a statement. “We’ve had over 100 election officials come through here and they expressed over and over again how much they have appreciated learning from this opportunity.”
Voting Village discovery roundup, Day 3 (final day). Expect our official report later this year! pic.twitter.com/TGpeCihm13
— DEFCON VotingVillage (@VotingVillageDC) August 13, 2018
But the National Association of Secretaries of State, which represents the officials in charge of counting elections in most states, said the access hackers at Defcon are given to experiment with voting machines doesn’t reflect real-world election conditions.
“Our main concern with the approach taken by DEFCON is that it utilizes a pseudo-environment which in no way replicates state election systems, networks or physical security,” the group said in a statement. “Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day.”
Still, plenty of security and fair election advocacy groups have warned for years that digital voting machines that don’t create paper ballots could be vulnerable to tampering. While Congress in March appropriated $380 million for state and local officials to use to beef up election security, that’s not enough to replace all the digital-only machines still in use.
Experts have also warned that state election reporting systems could be targeted by hackers looking to undermine confidence in the election. And while the vulnerabilities young hackers were able to experiment with at Defcon have been previously reported and are likely fixed in real-world election sites, organizers say there could be other flaws in the real sites waiting to be exploited.