Researchers race to document voting machine vulnerabilities ahead of November

LAS VEGAS — One peek inside the Voting Village at the DEF CON hacker conference would lead the average person to believe they had entered a sterile operating room meant only for computers. 

At tables placed throughout the space, voting equipment and other machine parts lie exposed like patients awaiting surgery, surrounded by tech specialists taking notes and wielding diagnostic tools as they peer into the circuit boards, microchips and wires underpinning the pivotal instrument that will enable Americans to cast their votes in this November’s election.

In one back corner, Will Baggett is one of several performing his own digital surgery. He images a single tabulation device, used in counties across the U.S. to tally up votes that are brought in from a separate machine, which only enables voters to cast their ballots. To the left, he examines a newer generation machine that allows voters to pick their candidate while the device internally tabulates the totals. 

“There’s a diversity of machines here, it’s not like the CrowdStrike phenomenon where one bad push takes down the whole voting system,” Baggett said alluding to last month’s CrowdStrike-enabled Windows outage.

His work is part of a broader effort employed by thought leaders in the election security space to ensure election officials, voting machine manufacturers and ordinary Americans are confident enough in the devices that decide the fate of their political world every two to four years. The DEF CON village, stood up in 2017, has become a central information source for those looking to secure their physical electoral infrastructure.

“We want the public to see this is what the software is,” said Baggett, a veteran forensic examiner and former CIA operative who declined to reveal his current full-time job title for privacy reasons. 

“They’re pulled out from storage once every two years. Every so often, people vote on them.” he said, contrasting voting gadgets with an internet-connected device that receives regular security patches, oftentimes because of previously unseen cyber vulnerabilities taken advantage of by hackers.

But voting hardware and software have evolved. On the right of Baggett’s tabulation device, a modern-looking touch screen voting platform displays a video of Rick Astely’s “Never Gonna Give You Up” — in pop culture terms, the device was sabotaged and became the victim of the “Rickrolling” prank.  

The dynamic has presented an apparent paradox for how voting devices are used in parallel with accelerating technological innovation in consumer electronics or AI. Disconnecting from the internet appears to have helped keep voting machines safe from cross-border hacks enabled via the backbone of the internet.

But there’s just one problem: Vulnerabilities located in older devices still remain today, creating a uniquely physical threat surface that could cause headaches at polling places or further add distrust into U.S. electoral systems.

Village researchers found that, if a hacker gets close enough, they could use a Bash Bunny USB drive to deploy a digital payload into a voting machine and scramble its tallying capabilities, Baggett said. It’d be a small-scale incident, but with online spin doctors lurking in the shadows and ready to pounce on a disinformation opportunity, a single USB intrusion could disenfranchise the reputation of an entire system, he added.

With just a few days available to them, good samaritan hackers tamper away at these devices looking for such flaws. Whether or not their work will be thorough enough by the time November rolls around remains to be seen. Harri Hursti, a famed Finnish hacker who helped stand up the village, says on-site specialists found vulnerabilities in devices that were first observed in 2007.

The best they can do is log as many flaws as possible and send them off to officials before Election Day on November 5. Voting Village staff, at most, can send “proof of concept” notes to secretaries of state and other governmental leaders overseeing the electoral process, said Hursti. If they explain how to further exploit the vulnerabilities, then they get into uncharted territory because threats are always evolving, and such detailed work might inadvertently provide a roadmap for malicious actors to compromise election systems.

“People have been claiming that there’s this ‘secret algorithm’ that’s stealing votes and whatnot. Well, we have copyrighted voting machines here … and you can find them yourself. Is there an algorithm? Because if there is, please let us know,” he said with a chuckle.