Obsolete Computers Used in U.S. Elections: Kill Chain: The Cyber War on America's Elections
“Voting is our capability to have a peaceful transfer of power. If you don’t have that, the alternatives are revolutions.” - Harri Hursti
Last week, HBO released Kill Chain: The Cyber War on America's Elections, a documentary that covers a 15-year analysis of voting machines in the United States. Many of the voting machines used in U.S. elections are vulnerable to attack, and they are being targeted by nation states and other threat actors. In the film, cybersecurity expert Harri Hursti explains and demonstrates the weaknesses in many voting machines. In the documentary, Hursti is described as “one of the world’s top experts on hacking techniques and voting security. For decades, he has been investigating vulnerabilities in U.S. election systems.” In addition to Hursti, the film features an impressive roster of cybersecurity experts, including Jeff Moss, Matt Blaze, Sandy Clark, and Mikko Hypponen, to name a few.
In 2005, Hursti discovered and disclosed a vulnerability in a Diebold voting machine memory card that, when exploited, could alter votes. HBO’s 2006 documentary, Hacking Democracy, first addressed this issue. In that documentary, Bev Harris, founder of the non-profit organization, Black Box Voting, predicted, “If, when, people see what’s really going on, there is no way we will allow this to continue.”
I wish she had been right about that, because here we are 14 years later and Kill Chain shows that numerous states will be using vulnerable voting systems in the 2020 election. As hardware and software age, we learn more about their weaknesses. Jeff Moss, founder of the Black Hat and DEF CON hacking conferences, says that “Attacks only get easier,” while Hursti states, “Software I hacked in 2005 is still in use.”
The documentary does a good job of making this a story about voting machines and not politics. Hursti emphasized that solving problems with voting machines should not be a partisan issue, “…this is our common problem, owned by everyone living in the United States, and we have to solve it in order to preserve our way of life, our society, the rule of law, and our right to self-govern,” he said. While it’s not a political documentary, a number of politicians contributed, including recent presidential candidate, Sen. Amy Klobuchar.
DEF CON
Like many of the devices in our lives today, voting systems are computers. In fact, Sandy Clark called voting machines “…nothing more than obsolete computers.” That being said, who better to research and analyze them than the hackers attending the DEF CON hacking conference in Las Vegas? Hursti obtained more than five other types of voting machines and, rather than just examining them himself, took them to DEF CON and challenged attendees to find vulnerabilities in a controlled environment called the DEF CON Voting Machine Village. At the start of the event, Hursti announced that 20 states will use these voting machine models in the upcoming 2020 election. At the 2018 DEF CON conference, social engineer Rachel Tobac demonstrated how to gain full admin access to a voting machine used in 18 states, in under two minutes, with no tools. To get a glimpse inside the Voting Village, watch this NBC news coverage that includes Sen. Ron Wyden witnessing the hacking at work.
While openly allowing hackers to look for vulnerabilities may seem shocking to some readers, the DEF CON conference is attended by government agencies such as the NSA, FBI, CIA, as well as leading private and public sector cyber offense and cyber defense teams. Companies also like to bring their products to DEF CON to have attendees help in finding vulnerabilities. In 2015, Tesla brought one of its cars to DEF CON to not only find vulnerabilities, but to also hire hackers. Since then, the Car Hacking Village has grown to include the computer systems for many car manufacturers, and they are available for testing by the attendees. In 2018, Elon Musk announced that he would make the Tesla security software open source so other car companies can use it as well. Open source also means that the code can be audited and examined for vulnerabilities by anyone. Considering all of the security issues that we have with the voting machines in this documentary, maybe the voting system manufacturers should move in this direction as well.
DEF CON 27 Voting Village Report
The outcome of the DEF CON Voting Village efforts was a 47-page report written by the organizers and coordinators of the Voting Village. The report illuminates the social contribution of hackers, stating, “The clear conclusion of the Voting Village in 2019 is that independent security experts and hackers are stepping into the breach - providing expertise, answers, and solutions to election administrators, policymakers, and ordinary citizens where few others can.”
I encourage you to read the report for more details; however, the conclusion of the report echoes the conclusion of the documentary. It is information that we all need to know and act on, so that we are not using the same flawed voting systems in 2034.
While it seems almost antiquated in this age of computers and the Internet, paper ballots are the way that we can validate the results and actually have a verifiable recount. The movie Kill Chain emphasizes that if you, as a voter, do not feel confident in the security of your local voting system, ask for a paper ballot.