A voting machine hacked to play Rick Astley’s “Never Gonna Give You Up” might seem amusing – but it has a sinister sting in the tale. At security conference DEF CON in Las Vegas last week, security researchers proved that it is possible to access and change votes on the same voting machines used in US elections in the time it takes to watch a movie. Some of the hacks were even carried out wirelessly.
DEF CON purchased thirty voting machines from eBay and government auctions for the event. Ninety minutes after participants were let loose the first machines started to fall, with vote rigging and Rickrolling coming soon afterwards.
One of the machines was still using Windows XP, and so an exploit that has been known since 2003 allowed people to get remote access through its Wi-Fi system. This meant that the votes could be changed from anywhere.
Other exploits involved prying open mechanical locks covering USB ports or spotting the uncovered USB ports on the back. One team then simply plugged in a mouse and keyboard to gain control of the machine.
Go open source?
Rarely do voting machines get put through a test like this. Despite DEF CON hosting many hacking events over the past 25 years, this is the first time they’ve hosted one specifically for voting machines. Manufacturers do their own testing, but few make the code or machines available for researchers or the general public to look over.
“If you make your code open source, any vulnerabilities that are found can be sorted before election day, which is good for democracy but not necessarily for the manufacturer’s reputation,” says Steve Schneider, the Director of Surrey Centre for Cybersecurity.
To counteract this, governments could announce that they will only buy voting machines with open source software. That way, no manufacturer can gain an advantage by being less transparent than its competitors.
“One possible solution is to have end-to-end verifiability,” says Feng Hao at Newcastle University. This uses similar techniques to those used in encryption to give voters a verifiable receipt of their vote. If the vote or the machine is tampered with then the receipt won’t match the public record of votes cast, indicating that the system has been compromised.
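A simplified illustration of the receipt check described above, added here and not taken from the article or from any deployed voting system. It uses plain SHA-256 commitments; the `Machine` class, the bulletin board and the candidate names are constructed for the example, and real end-to-end verifiable schemes also protect ballot secrecy, which this sketch does not.

```python
import hashlib
import hmac
import secrets

def commit(choice: str, nonce: bytes) -> str:
    """Hash commitment: binds the machine to a choice without revealing it."""
    return hashlib.sha256(nonce + b"|" + choice.encode()).hexdigest()

class Machine:
    """Constructed toy voting machine with a public record of votes cast."""
    def __init__(self):
        self.board = {}   # public record: serial -> commitment
        self.stored = {}  # internal storage: serial -> (choice, nonce)

    def cast(self, choice: str):
        serial = len(self.board) + 1
        nonce = secrets.token_bytes(16)
        receipt = commit(choice, nonce)
        self.board[serial] = receipt
        self.stored[serial] = (choice, nonce)
        return serial, receipt  # handed to the voter

def voter_check(board: dict, receipt: tuple) -> bool:
    """Voter's check: is my receipt on the public record, unchanged?"""
    serial, value = receipt
    return hmac.compare_digest(board.get(serial, ""), value)

def audit(machine: Machine) -> list:
    """Auditor's check: each stored vote must open its published commitment."""
    return [serial for serial, (choice, nonce) in machine.stored.items()
            if commit(choice, nonce) != machine.board.get(serial)]

def demo():
    m = Machine()
    receipts = [m.cast(c) for c in ("alice", "bob", "alice")]  # constructed votes
    # Tampering 1: the stored vote for ballot 2 is changed, the record is not.
    _, nonce = m.stored[2]
    m.stored[2] = ("alice", nonce)
    flagged_by_audit = audit(m)
    # Tampering 2: the public record is rewritten to match the changed vote.
    m.board[2] = commit("alice", nonce)
    passes_audit_now = audit(m)
    voter_results = [voter_check(m.board, r) for r in receipts]
    return flagged_by_audit, passes_audit_now, voter_results

if __name__ == "__main__":
    print(demo())
```

Changing only the stored vote is caught by the audit, and rewriting the public record to hide that change is caught by the voter whose receipt no longer matches.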
If security researchers find it so easy to hack voting machines, what about nation states? There’s already substantial evidence that Russia hacked emails from the Democratic National Committee and party leaders during the US presidential election. French president Emmanuel Macron’s team also suffered from cyberattacks during his election campaign. There’s no evidence that election results have actually been directly hacked in this way as yet, but an election is clearly a big target.
“You have the stereotype of the hacker in their bedroom, but what we see these days is states like Russia, China, and presumably the US as well, who have a lot of resources to throw at cyberattacks on other countries,” says Schneider.
The worrying thing is that, because many countries use voting machines that don’t have sufficient checks in place, rigging may have already gone unnoticed. “It could have already happened and we wouldn’t know,” he says.
Timothy Revell writes for The New Scientist