Spotlight: U.S. voting system vulnerabilities raise concern as hackers break into mock sites

Source: Xinhua| 2018-08-13 21:28:52|Editor: xuxin

Video PlayerClose

LAS VEGAS, the United States, Aug. 12 (Xinhua) -- Following the world's largest yearly hacking conventions Black Hat and DEFCON held in Las Vegas this week, the United States has only about 90 days left to get ready for the 2018 midterm elections.

Amid the growing debate over whether electronic voting machines (EVMs) are hackable or not, there is increasing concern about how vulnerable the systems could be to cyber-attack.

WORST VOTING MACHINE

At Black Hat USA 2018, security researcher Carsten Schuermann discovered the results of a forensic analysis of eight WinVote voting machines that had been used in Virginia elections for more than a decade.

The associate professor at IT University of Copenhagen noted there are actually two problems with insecure voting machines. The first is obvious: The systems can be easily hacked.

"But the other threat is equally important and equally dangerous, and that is the threat of an alleged cyber attack -- when people claim there was a cyber attack when there actually wasn't," said Schuermann at the conference.

Schuermann said such allegations can disrupt elections and damage the credibility of voting results.

The WinVote voting machine was used extensively in Virginia elections during 2004 and 2015. It has been dubbed the worst voting machine ever.

It runs Windows XP, service pack 0. It is by default wifi enabled. It uses WEP security and all WinVote machines appear to use the same password "abcde."

"That's not a very secure password," said Schuermann.

Several States still use voting machines similar to the WinVote.

INFORMATION THREAT

Now in its second year, organizers of "The Vote Hacking Village" at the DEFCON, which takes place immediately following Black Hat in Las Vegas every year, have packed a conference room at Caesars Palace with voting machines.

The Voting Village has invited attendees to study and identify vulnerabilities in election equipment used around the United States as well as other nations.

This year's Voting Village featured hands-on experience with at least nine types of voting equipment, almost all of which are in use in elections today.

Thousands of hackers, over 100 election officials, and about 50 kids identified and exploited various vulnerabilities within the election ecosystem, according to DEFCON.

After a few hours attack on the first day of the course, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display gifs.

Hackers were also discovering 1,784 files, including mp3s of Chinese pop songs, hidden among the operating system files of another voting machine.

The Voting Village has dramatically expanded this year to include not only more machines but also end-to-end voting infrastructure including a voter registration database and election reporting websites.

"Election cybersecurity has been a national concern since 2016," an organizer told Xinhua. "These hacks can root out weaknesses in voting machines."

Some officials that have flown to the event are becoming increasingly concerned about information threat of November's midterm elections.

In recent months, U.S. Congress has failed to pass various bills that would fund election security and infrastructure improvements ahead of the midterms.

CHILDREN'S PLAY

How vulnerable is the U.S. electronic voting system?

At the DEFCON event, nearly 40 child hackers were taking part in a contest to hack the mock versions of election board websites, and most of them were able to tamper with vote tallies. Some were even able to change candidates' names.

The quickest hacker was an 11-year-old boy, who was able to access a replica of the Florida state election website and change voting results found there in less than 10 minutes, the organizers confirmed on Sunday.

But the U.S. National Association of Secretaries of State (NASS) criticized creating mock election office networks and voter registration databases for participants to defend and/or hack as "unrealistic".

"Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security, " the organization said in a statement.

One election machine manufacturer, Election Systems and Software (ES&S), has also raised some questions about the value of the Voting Village.

"We at the Voting Village, along with our counsel, remain confident that our activities are lawful and are happy to address any of ES&S's legal concerns directly," DEFCON said in a statement.