US mid-terms: Hackers expose 'staggering' voter machine flaws
Voting machines pose "serious risks" to US security, hackers are warning.
A report outlines major flaws in voting hardware, weeks before US mid-term elections.
One ballot machine, used in 23 US states, carries a cybersecurity flaw that was reported over a decade ago, the hackers claim.
An expert warned that lessons would need to be learned if the UK adopts electronic voting systems.
In August, the Def Con conference in Las Vegas ran a "Voting Village", where participants were encouraged to uncover flaws in US election infrastructure by hacking into various computer systems.
The organisers of the conference on Thursday released a 50-page report on their findings.
They describe the number and severity of flaws in voting equipment as "staggering".
"The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency's sake, but rather serious risks to our critical infrastructure and thus national security," the report claims.
More than 30 voting machines and other pieces of equipment were made available to attendees of the conference, including the M650 electronic ballot scanner, which is currently used by 23 US states.
The report says vulnerabilities mean the M650 can be remotely hacked.
A design flaw reported as far back as 2007 was also found in the model tested during the conference.
The organisers of the conference argue that because the unit is designed to process a high volume of ballots, hacking one of the machines could enable an attacker to "flip the electoral college and determine the outcome of a presidential election".
The makers of the M650 system, Election Systems & Software (ES&S), told the Wall Street Journal that because the voting machine uses paper ballots, votes can be audited.
The company also said "the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real-world environment".
In August, four US Senators signed a letter to ES&S, which said they were "disheartened" that the company had chosen to dismiss the hackers' demonstrations.
ES&S responded, saying forums open to anonymous hackers "may be a green light for foreign intelligence operatives" and should be viewed with caution.
Reprogrammed smart cards
Other machines tested include the AccuVote TSx, currently used by 18 US states. The system includes a smart card reader for users to cast votes, which the report says can be easily disconnected to "disrupt the election" process.
Attendees of the conference were also able to reprogramme voting smart cards wirelessly, using mobile phones.
"Over 15 years we have studied numerous election systems and voting machines across the world, and every single one has been found to have severe vulnerabilities," Harri Hursti, one of the authors of the report, told the BBC.
On Tuesday, Republican Senator James Lankford said an election security bill, known as the Secure Elections Act, would not be passed by Congress ahead of the mid-term elections in November.
Earlier this year, an amendment for $250m (£192m) to increase spending on election security measures was blocked by Republican senators.
"There is a history of disclosed vulnerabilities taking years to properly mitigate, and seemingly no great appetite for a national security standard for voting machines," security expert Davey Winder told the BBC.
"We need to be learning lessons here so that when, rather than if, the UK adopts electronic voting systems, we are ready to make sure the implementation is a secure one."
A spokesperson for the UK's Electoral Commission told the BBC: "Any change to the system of voting would require a pilot, which would be proposed by the Cabinet Office."