Getting Under The Hood: DefCon Highlights Growing Role of Friendly Hackers
[Image via hopeseguin]
This past weekend’s DefCon meeting in Las Vegas produced numerous headlines thanks to a “hacking village” set up to, essentially, get under the hood of various voting machines. USAToday has more:
The Voting Machine Hacking Village event at the 25th annual DefCon computer security conference ran from Friday to Sunday. Its goal was to educate the computer security community about potential weaknesses of the voting systems used in U.S. elections and get them involved in fixing them.
By all accounts it worked…
Conference goers thronged to the room where more than 30 voting machines were laid out in various states of disassembly.
The machines themselves were mostly bought on eBay, said event co-coordinator Matt Blaze, a professor at the University of Pennsylvania and election security expert. Only one of the models has been decommissioned, the rest are still in use around the country, he said.
Ad hoc clusters of attendees hunched around each of them, murmuring quietly as they tested various inputs. Every once in a while, someone would call out for help or advice. “Anybody got a card scanner?” or “Did somebody have the manual for the Diebold?”
Several groups took machines apart, others found ports meant for election officials and plugged computers and testing devices into them to see what the could gain access to. Wireless and networked hacks were also attempted.
The most widely-reported news from the hacking village was the the exploit of a WinVote machine – though anyone who’s been following the issue for the last several years realizes that such machines are no longer in use anywhere after they were decertified by the Virginia Department of Elections in 2015 after discovery of some eye-opening vulnerabilities.
Attendees were unable to change votes on any of the machines, but they nonetheless learned quite about about what makes the technology vulnerable:
The groups weren’t able change votes, noted [co-organizer Harry] Hursti, a partner at Nordic Innovation Labs and an expert on election security issues.
“That’s not what we’re trying to do here today. We want to look at the fundamental compromises that might be possible,” he said.
Next year, organizers hope to set up a full end-to-end simulation of a voting network so they can find and report weaknesses. For this year, efforts focused on individual machines.
As of Sunday morning, no one had succeeded in gaining access to a system wirelessly, all the successful exploits required physical access to a machine to gain access.
No one expects that an attack on the U.S. voting system would involving someone take a screwdriver into the voting booth with them on election day, said [co-organizer and University of Pennsylvania professor Matt] Blaze. But the vulnerabilities discovered at the conference could lead to future exploits that don’t require actual physical access – and that might be done on not just one machine but dozens or hundreds.
To me, the most eye-opening aspect of the meeting was that until very recently it would have been illegal under federal law:
This is the first time such an open and large-scale hacking of voting machines has been attempted, because until October of 2015 such efforts were illegal under the Digital Millennium Copyright Act. An exemption by the Librarian of Congress now allows good faith efforts meant to find vulnerabilities, leading conference organizers to launch the event.
According to the Federal Trade Commission, the new exemption sets forth several requirements for so-called “white hat” hacking:
First, the computer program, or any devices on which those programs run, must be “lawfully acquired.” Second, during research, the device and computer program should operate “solely for the purpose of good-faith security research.” This means, in part, that the research “must be conducted in a controlled setting designed to avoid harm to individuals or the public” …
The rule defines “good-faith security research” as “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.”
The rule discusses responsible disclosure as a factor that shows good faith in security testing. Although the rule does not explicitly require disclosure, the rule does suggest that promoting the security of devices includes responsibly disclosing vulnerabilities to companies.
These “white hat” efforts are increasingly being seen by election officials as key to hardening their own systems against “black hat” attacks; indeed, Los Angeles County sent several team members to DefCon and is preparing a similar study of its own prototype voting system sometime in the future:
[County Registrar-Recorder Dean] Logan said he wants the proposed system to face even tougher tests.
Enter DefCon, with its whiff of outlaw credibility and its democratic style of ferreting out the latest computer break-in techniques.
“There is a past history in the election community … to kind of resist this kind of event,” Logan said. “But we need to embrace this. We need to know what the threats are.”
Logan said it’s too early to send the county’s proof-of-concept for a new election system to Defcon, but that’s in the works for next year.
For now, three specialists plan to go — all of whom are involved in reviewing the proposed new voting systems. They aim to learn how to better detect, and defend against, hacks, Logan said. They’ll be on the lookout for hackers with what he called “hands-on” experience. Logan plans to invite the hackers to attack the proposed system as a test down the line — to “kick the tires,” as he put it.
Events like these are a tremendous opportunity for the election community to come together and learn about what works, and what doesn’t, with regards to existing (and proposed) voting systems. Here’s hoping that similar events in the future help election officials find new ways to detect, resist and prevent outside attacks on voting systems going forward.
Stay tuned …