Some Voting Machines Still Have Decade-Old Vulnerabilities

In three short years, the Defcon Voting Village has gone from a radical hacking project to a stalwart that surfaces voting machine security issues. This afternoon, its organizers released findings from this year's event—including urgent vulnerabilities from a decade ago that still plague voting machines currently in use.

Voting Village participants have confirmed the persistence of these flaws in previous years as well, along with a raft of new ones. But that makes their continued presence this year all the more alarming, underscoring how slow progress on replacing or repairing vulnerable machines remains.

Participants vetted dozens of voting machines at Defcon this year, including a prototype model built on secure, verified hardware through a Defense Advanced Research Projects Agency program. Today's report highlights detailed vulnerability findings related to six models of voting machines, most of which are currently in use. That includes the ES&S AutoMARK, used in 28 states in 2018, and Premier/Diebold AccuVote-OS, used in 26 states that same year.

"As disturbing as this outcome is, we note that it is at this point an unsurprising result," the organizers write. "It is well known that current voting systems, like any hardware and software running on conventional general-purpose platforms can be compromised in practice. However, it is notable—and especially disappointing—that many of the specific vulnerabilities reported over a decade earlier ... are still present in these systems today."

The types of vulnerabilities participants found included poor physical security protections that could allow undetected tampering, easily guessable hardcoded system credentials, potential for operating system manipulations, and remote attacks that could compromise memory or integrity checks or cause denial of service. The report points out that many of these vulnerabilities were discovered years ago—sometimes more than a decade—in academic research or state and local audits.

"This confirms what we’ve been saying for years now—around the country, we’re still using antiquated equipment that should be replaced, both for security and reliability reasons," says Lawrence Norden, deputy director of the Brennan Center's Democracy Program at New York University School of Law. "This shouldn’t be a surprise to anyone. It’s certainly not to election officials. This is one reason why Congress and the states need to step up on election security spending. Soon."

There has been some progress on voting machine security since the 2016 US elections. Michigan, Virginia, Arkansas, Colorado, Florida, Nevada, and others have all taken steps to replace either machines that were aging and potentially vulnerable to digital attack, or all-digital voting machines that left no paper backup as a failsafe. But a survey released by the Brennan Center in March of 121 local election officials in 31 states found that more replacements are still desperately needed before the 2020 election. And about two-thirds of respondents said they didn't have adequate funds to enact the changes.