The 25th Annual DEF CON Included a Voting Machine Hacking Village

The 25th Annual DEF CON recently took place in Las Vegas, July 27-30. DEF CON, short for “Defense Condition,” is one of the oldest and largest hacking conferences. For many in the election field, one of DEF CON’s Hacking Villages drew particular attention this year: the Voting Machine Hacking Village.

While this village would have been illegal under the Digital Millennium Copyright Act in prior years, in October of 2015 the Librarian of Congress included an exemption allowing “good faith efforts” to research vulnerabilities in these types of endeavors. The exemption rules are revised every three years. Exemption proposals are submitted by the public to the Registrar of Copyrights, and after a process of hearings and public comments, the final rule is recommended by the Registrar and issued by the Librarian. Exemptions expire after three years and must be resubmitted for the next rulemaking cycle.

The Federal Trade Commission outlined several requirements for “white hat” hackers:

  • The program or device that will be “lawfully hacked” must be lawfully acquired
  • The program or device should operate “solely for the purpose of good faith security research”
  • The research “must be conducted in a controlled setting designed to avoid harm to individuals or the public”

The rules for “good-faith” research into the security of these machines include expectations of “responsible disclosure,” so that the findings can be used by those who can improve the security level of the programs or devices. Releasing information to individuals and entities that can make changes to the security of the equipment shows that the efforts were meant to be beneficial and educational rather than exploitative.

The conference attendees who checked out the Voting Machine Hacking Village found more than thirty voting machines, mostly bought off eBay, in varying states of disassembly throughout the room. The hackers hoped to find the fundamental compromises that were possible on the machines.

According to an article in USA Today, exploiting the vulnerabilities was not especially difficult: the first ones were discovered in the first couple of hours. Vulnerabilities were exploited in five different voting machine types on the first day alone. However, while the hackers’ ability to gain access to the machines is certainly cause for concern, some of the machines, when in full operation, would apparently have detected and logged the intruder’s presence within the system.

This year’s focus was on individual machines, all of which are still in use somewhere within the country except one that has been decommissioned. Next year, the hacking gurus hope to have a full “end-to-end simulation” of a voting network to test and report on weaknesses that should be improved to better secure the voting process. While some election officials attended the conference, DEF CON expressed interest in having election officials play a more prominent role next year in detecting flaws within election systems and networks.

This was not only the first time that DEF CON has taken on voting machines, but also the largest open attempt at hacking voting machines to date. The hope is that all the public interest surrounding election protection will lead to efforts to improve some of the issues within elections that tend to fly under the radar.