Hackers Break Into Voting Machines Within 2 Hours at Defcon

Hackers from around the world had the rare opportunity to crack election-style voting machines this weekend in Las Vegas -- and they didn't disappoint. From a report: After nearly an hour and a half, Carsten Schurmann, an associate professor with IT-University of Copenhagen, successfully cracked into a voting machine at Las Vegas' Defcon convention on Friday night, CNET reports. Schurmann penetrated Advanced Voting Solutions' 2000 WinVote machine through its Wi-Fi system. Using a Windows XP exploit from 2003, he was able to remotely access the machine, CNET reports. Voting technology was thrust into the political spotlight when election systems in several states were targeted by Russian cyber attacks. The convention purchased more than 30 voting machines for the event, although, organizers didn't specify how many models those units represented.

So what?

[Train0987]

This is why voting machines on not connected to the internet.

Re:So what?

You seem very sure. How do they get the results off the machine?

Re:So what?

[Train0987]

I just realized these machines were known as exploitable and decertified years ago. Nice clickbait though.

Re:So what?

[Train0987]

Depends on the machine. In 2000 most printed a paper ticket that was input and tallied by hand into the central Sec of State's office. Or an SD card. Some even had LAN capabilities but back in 2000 I never heard of anyone using that. It's possible I suppose, but these machines were not widely deployed anywhere.

P.S. I used to work in the electronic voting world.

Re: So what?

They may not have to be. I'm curious if this was an attack that only requires someone to just be in range of the device's wifi.

Re:So what?

[Train0987]

I meant to say *after 2000*. This machine and the push for electronic voting in general was a response to the 2000 Presidential recount debacle in Florida.

Re:So what?

If it is not connected to the internet . . . why does it have WiFi?

Re:So what?

[PopeRatzo]

In 2000 most printed a paper ticket that was input and tallied by hand into the central Sec of State's office.

Ah, 2000. That was before Americans outsourced their election fraud to Russia.

Re:So what?

[TheDarkener]

Are you trolling?

Re:So what?

[Train0987]

Are you familiar with internal LAN's that aren't connected to the internet? They were a thing when this machine was built 15 years ago.

Re: So what?

Actually it is in response to the RUSSIANS making TRUMP the President thru reprogramming America to "vote" for ol orange handz.

-=BeauHD=-

Cracked

[ArchieBunker]

How about hacked?

Re:Cracked

[Nidi62]

How about hacked?

Considering many polling places are in schools I doubt they would let you walk in with a machete so they are safe there.

Re:Cracked

[Tsolias]

apps

Last Year's News

[kampf]

This news is one year old.

DEF CON 26, the 2018 show, starts on the 9th of August this year...and will have a Voting Machine Village again.

Re:Last Year's News

[Train0987]

Gotta keep "The Russians Hacked the Election!" myth alive at all costs. Even if it means publicizing the exploit a known vulnerable 15 year-old machine that's not in use anywhere.

Re:Last Year's News

[Nidi62]

This news is one year old.

DEF CON 26, the 2018 show, starts on the 9th of August this year...and will have a Voting Machine Village again.

People keep complaining they want old Slashdot back. Posting incredibly out of date articles is classic Slashdot.

Really????

Schurmann penetrated Advanced Voting Solutions' 2000 WinVote machine through its Wi-Fi system. Using a Windows XP exploit from 2003, he was able to remotely access the machine

Advanced Voting Solutions ... that name sounds like an oxymoron.

Yet another tech company ran by idiots and morons with no concept of security.

Fuck me ... an XP system on open wi-fi, what the fuck could possibly go wrong?

Re:Really????

[Train0987]

The machine is from 2001-2003ish.

Brave new world

[TheDarkener]

I think all OG Slashdotters here realize that current voting machines deployed here in the U.S. are all shit, hackable, it's been like this for many elections. There's proof online. But will anything ever be done about it? The people that make the big decisions at the state/federal level have always been reluctant to take security seriously enough to do anything about it - after all, it's all about the Benjamins.

So what next? Are we just going to keep holding elections that nobody really believes in, on outdated, vulnerable piece of shit voting machines? How will the people who actually understand the internals of machines like this convince the people who purchase and deploy them that they can't keep doing it this way?

Re:Brave new world

[Archangel+Michael]

I have no idea why we're not looking at paper ballots as an option. Fully Digital Voting is ripe for exploitation on a massive scale, the kind that would keep a dictator elected for life.

Decentralized paper ballots are less prone to wide scale exploitation. Because it is "hard" doesn't seem like a good answer IMHO.

Re:Brave new world

[Train0987]

You are absolutely correct. Voting machines should never be computerized or networked. The old mechanical lever-style machines with manual counts work just fine and are as secure as you can get.

What most people don't realize is that voting equipment is a very expensive burden for the local governments that are responsible for buying them. They get used one day every 2 years, maybe 4. That's why most eqpt is 50 years old and computerizing them is a bad idea (they won't be updated or replaced for decades, usually by elderly volunteers). There simply isn't a budget for these things.

The biggest push for these things is the demand by the media for immediate results. And of course the blaming of hackers by whoever loses whatever election they felt they were owed.

Re:Brave new world

[Train0987]

Paper ballots WERE the main way of doing things for decades prior to 2000, until Gore needed an excuse for delaying the vote certification in Florida and blamed hanging chads, butterfly ballots, etc. Every push for electronic voting machines can be traced directly back to that.

Re:Brave new world

[Archangel+Michael]

Saw an interesting post about hanging chads. Basically said that it was unlikely to be problem in the numbers being reported, unless someone was stuffing the ballot with bulk punched cards. Not that the chads were impossible, but rather that in the numbers that were reported was higher than statistically probable.

Re:Brave new world

[Train0987]

It wasn't a problem at all. Neither was the butterfly ballot debacle. That was all about the Gore team calling a bunch of elderly Jewish Democrats in West Palm Beach and convincing them that they had voted for Pat Buchanan by mistake. It was a delay tactic by the Gore team to hold up Florida from certifying their election results until they could come up with a better strategy to contest the entire 2000 election.

I was there, deeply involved in that mess.

This is a one year old story BLEEEEEH

see title above.

Re:This is a one year old story BLEEEEEH

[kalieaire]

yeah, i have no idea why this showed up in my rss reader.  it doesn't show up on the site's front page.

Is it really that hard?

[AlanObject]

I have my own views on this but I would like to hear from others what they think.

There are ATM machines all across the world that handle billions of dollars of transactions -- a big percentage of it in cash -- and they are a network and the public has physical access to them 24/7. Many of them have more than $100K cash in them. If you ever had a great target for crooks to hack that would be it.

Yes there are reports of them getting hacked or robbed now and then but by and large the companies that own and operate ATMs are fully dependent on their security. Whatever losses they have are manageable if not negligible. And we don't see "hacked in 2 hours stories at Defcon" stories where ATMs are the target.

Some of the voting machines are made by the same companies that make ATMs. So why the shoddy security on voting machines versus ATMs?

Re:Is it really that hard?

[Train0987]

Because voting machines sit unplugged in a box and only turned on once every few years, usually by volunteers who have no idea how to update or troubleshoot them. Would you like to pay an extra $5k in taxes per year for 24/7 maintenance and support for such equipment? That's about what it would cost.

Re:Is it really that hard?

[TheDarkener]

Hey I know, how about a process to update them before they're used (not necessarily 24/7 care)? I wonder if voting machine manufacturers are smart enough to keep track of sold equipment, software revisions and therefore patches needed, update processes...Sounds familiar to me for some reason, it's almost like other companies do that kind of thing. Not sure if computers are smart enough yet to query a server for required updates though. Sounds so....futuristic.

Re:Is it really that hard?

[Train0987]

Because it is prohibitively expensive. It's impossible for local governments to justify spending more money on a piece of equipment that's used once every four years instead of more pressing day to day things like sewer, water, trash pickup, etc. Taxdollars are a finite resource.

Re:Is it really that hard?

[Papaspud]

Why would a machine that has only one simple purpose counting votes) need to be updated /patched? If it works- it works, why try to introduce new problems? No way to connect to the real world= good.

Re:Is it really that hard?

[TheDarkener]

You obviously have never worked in software development.

Re:Is it really that hard?

[sysrammer]

You obviously have never worked in software development.

Yes, if it works, keep fixing it until it doesn't. Anyways, the UI's are *so* last millennium.

Re:Is it really that hard?

[TheDarkener]

What I mean is, there will *always* be bugs to fix in software. "It works" isn't as simple of a goal as you are imagining.

Year old post

[Fallon]

Interesting how DEFcon doesn't start for a week & a half... And the date on this post is from July 2017. Way to go Slashdot editors.

DEFcon will be running the Voting Machine Hacking village again this year. I fully expect they will be owning as many machines as quickly as they did a year ago. But it hasn't happened yet this year.

Re:Year old post

[ediron2]

The only thing more disappointing than slashdot editors not noticing the staleness of this article, is that the current frickin' slashdot owners & editors aren't VISCERALLY & PERSONALLY aware that Defcon is still more than a week away.