Last summer at the 2017 DEFCON hackers conference in Las Vegas, Nevada, hackers were given open access to various US voting machines known to have been used in the 2016 US Presidential Election. What they uncovered was remarkable. For example, hackers were able to compromise different types of voting machines used in 18 states in 2016, some of which were hacked in as little as 120 seconds, allowing for, among other things, remote execution and control of those machines.
In response to this and other cyber threats like it, in January 2018 the US Congress, in conjunction with the United States Department of Homeland Security, rolled out a new 'Election Security Initiative' to better secure the country's voting process heading into the November 2018 midterm elections. However, to date, only 21 out of 50 US states have successfully completed their security audits with the DHS. On top of this, recent pen tests indicate that the same voting machines to be used in state elections later this month are still suffering from critical and unpatched vulnerabilities that could potentially compromise the legitimacy or outcome of state elections.
DEFCON Video Shows a Voting Machine Used in 18 States Is Hacked in 2 Minutes
A hacker at DEFCON shows how to get into a voting machine "admin" mode in 120 seconds. https://t.co/UJnkYXx2sT
— Miss Anthropy (@MissAnthropy) August 17, 2018
According to a sneak peek of a new report by Coalfire released to the public on November 1st 2018, assessing the security vulnerabilities of US voting machines in 10 states ahead of the November 2018 midterms, Coalfire's “team of penetration testers was able to reverse engineer voting media and replace software in voting systems with a program that emulates it, but recompiled with malicious logic, instructs it to record malicious votes—despite the systems having passed EAC voting system standards.” The report explains that “These vulnerabilities can be found in network infrastructure, voter registration systems, and equipment in storage, which can be compromised if proper controls are not implemented; and elections staff, which could become victims of social engineering schemes.”
Despite different federal and private initiatives meant to shore up security risks ahead of the November elections, Coalfire's Vice President, Mike Weber, noted that he sensed “a lack of cybersecurity rigor in the Voluntary Voting System Guidelines (VVSG) 1.1 standard issued by the Elections Assistance Commission (EAC).” To this very point, as was reported by SC Magazine earlier today, November 1st 2018, 29 US states have failed to take advantage of the National Protection and Programs Directorate, a free cyber security initiative/partnership provided to US federal, state and local governments on behalf of the US Department of Homeland Security.
To date, the only confirmed states to have conducted full security audits ahead of the November elections are Arizona, Colorado, Connecticut, Delaware, Iowa, Illinois, Indiana, Maryland, Massachusetts, Minnesota, Montana, Nebraska, North Carolina, Pennsylvania, Rhode Island, South Carolina, Utah, Washington and Wisconsin; Louisiana's is currently underway.