New Tests Reveal Voting Machines Still Suffer from Key Vulnerabilities Ahead of Mid-Term Elections

Last summer at the 2017 DEFCON hackers conference in Las Vegas, Nevada, hackers were given open access to various US voting machines known to have been used in the 2016 US Presidential Election. What they uncovered was remarkable. For example, hackers were able to compromise different types of voting machines used in 18 States in 2016, some of which were hacked/cracked in as little as 120 seconds – allowing for, among other things, remote executions/control of those machines.

In response to this and other cyber threats like it, in January 2018 the US Congress, in conjunction with the United States Department of Homeland Security, rolled out a new ‘Election Security Initiative’ to better secure the country's voting process heading into the November 2018 Mid-Term Elections. However, to date, only 21 out of 50 US states have successfully completed their security audits with the DHS. On top of this, recent pen tests indicate that the same voting machines to be used in state elections later this month are still suffering from critical and unpatched vulnerabilities that could potentially compromise the legitimacy or outcome of state elections.

According to a sneak peek of a new report by Coalfire released to the public on November 1st 2018, assessing the security vulnerabilities of US voting machines in 10 states ahead of the November 2018 Mid-Terms, Coalfire’s “team of penetration testers was able to reverse engineer voting media and replace software in voting systems with a program that emulates it, but recompiled with malicious logic, instructs it to record malicious votes—despite the systems having passed EAC voting system standards.” The report goes on to explain that “These vulnerabilities can be found in network infrastructure, voter registration systems, and equipment in storage, which can be compromised if proper controls are not implemented; and elections staff, which could become victims of social engineering schemes.”

Despite different Federal and private initiatives meant to shore up security ahead of the November elections, Coalfire’s Vice President, Mike Weber, noted that he sensed “a lack of cybersecurity rigor in the Voluntary Voting System Guidelines (VVSG) 1.1 standard issued by the Elections Assistance Commission (EAC).” To this very point, as was reported by SC Magazine earlier today, November 1st 2018, 29 US states have failed to take advantage of the National Protection and Programs Directorate, a free cyber security initiative/partnership provided to US Federal, State and local Governments on behalf of the US Department of Homeland Security.

To date, the only confirmed states to have conducted full security audits ahead of the November elections are Arizona, Colorado, Connecticut, Delaware, Iowa, Illinois, Indiana, Maryland, Massachusetts, Minnesota, Montana, Nebraska, North Carolina, Pennsylvania, Rhode Island, South Carolina, Utah, Washington and Wisconsin; Louisiana’s is currently underway.



Published by

Brian Dunn
