Two years ago, on the first day of DEF CON 25, the world’s largest hackers conference, computer security experts discovered the private information of more than 650,000 Tennessee voters on a decommissioned electronic poll book (e-poll book). Names, addresses, dates of birth, driver’s license numbers, and more were left in the hands of hackers, who safely removed the information and notified local election officials.
Now, hackers from this year’s “Voting Village” (the part of DEF CON that is about election security) have discovered another sobering vulnerability, this time in e-poll books manufactured by ES&S — one of the leading election management companies in the United States.
E-poll books allow voters to sign themselves in at polling places and allow poll workers to confirm voter eligibility and, in at least one state, register eligible voters. This tablet-like machine can be hacked using a hardcoded three- or six-digit password, meaning the password was preprogrammed into the device by the manufacturer. Entering it takes a user from the e-poll book software to maintenance mode.
Then, a hacker can access the Microsoft Windows software installed inside the machine and turn on a video game, like this:
ES&S epollbook is basically just a Windows tablet with a hardwired 3 OR 6 digit password that takes you from the epollbook software straight to maintenance mode and from there to Windows. We’re playing Doom on it now, thanks to @l33tLumberjack & @techvendetta #votingvillage2019 pic.twitter.com/sGWedsIudD
— DEF CON VotingVillage (@VotingVillageDC) August 11, 2019
Harri Hursti, co-founder of the Voting Village, told WhoWhatWhy that this year included election equipment that had never been previously examined at DEF CON or in other election security studies. Hackers discovered new failures and abnormalities in a variety of equipment, especially e-poll books.
“This year, we found more … than the two other years combined,” Hursti said, adding that the vulnerabilities discovered this year are completely new.
Hackers at the Voting Village did not take long to discover and exploit faults in election equipment. On the ES&S ExpressPoll, the password is the name of the manufacturer, and the supervisor maintenance password was stored in plain text on the e-poll book. Last year, Hursti said, hackers were able to find administrator passwords for a bunch of election equipment with a simple Google search.
At least one jurisdiction in 36 states used e-poll books to confirm voters’ eligibility during the 2018 midterm elections, a nearly 50 percent increase from the 2014 elections. New York recently approved similar machines for early voting in the next election in hopes that they will significantly shorten waiting lines at polling places and increase voter turnout.
On day one of DEF CON, Sen. Ron Wyden (D-OR) addressed thousands of professional hackers and cybersecurity experts as the keynote speaker. This year was the first time lawmakers and election officials were explicitly invited to the annual conference.
“What I saw was a real who’s who of hackable election equipment. Professor Blaze and the hackers at the Voting Village are doing an incredible service to our country by putting a spotlight on all the ways that voting machines and e-poll books are vulnerable to attack,” Wyden said in an emailed statement. “I wish Mitch McConnell could see it for himself and end his one-man blockade of election security legislation.”
Although these machines do not tabulate votes, any disruption to them could cause a ripple effect of problems at polling places. Without a backup printed voter list, voters willing to wait for hours in line to vote could end up casting a provisional ballot. In some cases, a voter could be turned away because a polling place ran out of provisional ballots or they could not prove they are eligible to vote.
Maurice Turner, senior technologist with the Center for Democracy and Technology (CDT), told WhoWhatWhy that e-poll books allow voters to spend less time waiting in line to vote and give poll workers a simpler way to confirm eligibility than sifting through piles of printed voter lists. His concern, however, is that the hardcoded, or preprogrammed, passwords on these machines could easily be targeted by malicious actors.
“Hardcoded passwords should not be used in this environment. It is something that does not meet the level of security that’s required when we’re talking about the seriousness of voting and the fact that these systems are now being actively targeted,” he said.
In Indiana, investigators found that ES&S’s ExpressPoll e-poll books failed to meet performance expectations in at least one county during the 2018 midterm elections. Furthermore, election officials held ES&S responsible for increasing voter anxiety and discouraging voters from waiting in line to cast a ballot.
ES&S could not be reached for comment on the findings from DEF CON’s Voting Village.
According to Turner, e-poll books are useful if they have robust connectivity. In Indiana’s case, however, a firewall was unable to handle a higher-than-expected level of traffic on the machines and the workaround was to turn off that layer of security. High voter turnout, Turner said, could have been predicted and handled in a more secure manner.
“If, for example, you go to the airport and there aren’t enough TSA lines open, and the lines are really backing up, the answer isn’t just to turn off the metal detectors and let everyone through. The answer is to get more metal detectors to process more people,” Turner said.
Election security experts have also raised concerns for years that the insecure internet connections used to transfer voter registration information from election management companies to local jurisdictions could easily be manipulated. Hackers at the Voting Village proved those concerns valid.
“If you have a secure system, you cannot have this kind of remote access,” Hursti said. ES&S previously admitted, after initial denials, to installing remote access software in its election equipment, which Hursti said could create a hole in a machine’s firewall and leave it vulnerable.
Some states require e-poll books to be certified before an election, but election officials lack the infrastructure to determine vulnerabilities themselves and often rely on manufacturers to ensure their machines are in compliance. Other states lack the certification process entirely.
Part of the problem, Hursti explained, is a lack of coordination between election management companies and election officials on how equipment like e-poll books is implemented in the election environment.
Attitude revealing comment during @VotingVillageDC @defcon was made by a voting machine vendor. When asked why they do not send their machines to the Village the response was: We know we have 100 vulnerabilities, there is no point showing those publicly. https://t.co/NiUFPqvme0
— Harri "scofield" Hursti (@HarriHursti) August 13, 2019
The follow-up comment to that was by an election official: Then what about the next 50 vulnerabilities you do not know about.
— Harri "scofield" Hursti (@HarriHursti) August 13, 2019
Hursti warned that simply fixing the flaws in election equipment that were discovered at the Voting Village is not enough to address the security risks e-poll books pose.
“Right now, we don’t even know how vulnerable these machines are,” Hursti said. “It’s dangerous to think that if you fix everything that [the Voting Village] found, it would be enough to be secure.”
Related front page panorama photo credit: Adapted by WhoWhatWhy from Eliot Phillips / Flickr (CC BY-NC 2.0).