Sunday, February 11, 2018

2017 DEFCON Voting Machine Hacking Village Lessons Learned

Since its founding in 1993, DEFCON has become one of the World's largest, longest-running, and best-known Hacker Conferences. DEFCON 2017 was held July 27-30 in Las Vegas, and for the first time, featured a Voting Machine Hacking Village (Voting Village) to highlight Cyber Vulnerabilities in U.S. Election Infrastructure, including Voting Machines, Voter Registration Databases, and Election Networks.

The Voting Machines available were Paperless Electronic Voting Machines.

The event was organized by several Cyber, Voting Equipment, and National Security Experts, along with DEFCON Founder Jeff Moss.

The results were sobering. By the end of the Conference, every piece of equipment in the Voting Village was effectively Breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the Confidentiality, Integrity, and Availability of these systems, including:

● The first Voting Machine to Fall, an AVS WinVote model, was Hacked and taken Control of remotely in a matter of minutes, using a vulnerability from 2003, meaning that for the entire time this Machine was used from 2003-2014 it could be completely Controlled Remotely, allowing Changing Votes, observing who Voters Voted for, and shutting down the system or otherwise Incapacitating it.

● That same Machine was found to have an Unchangeable, Universal Default Password, found with a simple Google search, of "admin" or "abcde".

● An Electronic Poll Book, the Diebold ExpressPoll 5000, used to check in Voters at the Polls, was found to have been Improperly Decommissioned with Live Voter Data still on the system; this Data should have been Securely Removed from the Device before Reselling or Recycling it.

The Technical Findings of the Voting Village were not entirely new. As stated, Hackers and Researchers have Breached these Voting Machines before under various circumstances. However, this experiment allowed Mainstream Hackers more time and access than ever before, generating several Real World Lessons that Policymakers should consider moving forward.

Lesson #1: Even with limited Resources, Time, and Information, Voting systems can be Hacked

The DEFCON Voting Village showed that Technical Minds with little or no previous Knowledge about Voting Machines, without even being provided proper Documentation or Tools, can still learn how to Hack the Machines within tens of minutes or a few hours. Past Official Studies such as the California Top-To-Bottom Review and the Ohio EVEREST Review, conducted over Ten years ago, had significant restrictions on what participating Researchers were allowed to try. Those Studies were also done in a White Box environment where researchers had access to Source Code, Documentation, and Equipment under Strict Non-Disclosure Agreement.

In the case of the DEFCON Voting Village, Hackers had to Create, Copy, or cobble together their own Tools, though in turn they were given Permission to fully Experiment and take risks that may result in the Machines being Destroyed in the process.

The good news is, Freedom to take such Risks accelerates the process and can lead to completely New Discoveries of New Vulnerabilities. The bad news is, if relative Rookies can penetrate a Machine or System in a matter of Hours, it becomes incredibly difficult to deny that a Skilled, Nefarious Hacker, including Sophisticated Cyber Criminals or Nation-State Attackers, with Unlimited Time and resources could do the same.

Lesson #2: Foreign-Made Parts Introduced Serious Supply Chain Concerns

Foreign-made Parts introduce serious Supply Chain concerns. “Phishing” Scams via Email are common, and for good reason: When successful, Phishing can provide inside Access to a Machine, Account, System, or Network without the Hacker actually having Physical Access to the Machine. Information can then be Stolen or Exploited in some fashion, without the Victim ever knowing that Entry has occurred. U.S. Intelligence Reports reveal that Russians were not only interested in Hacking into Voter Databases but also into other aspects of the Election, including the Software Supply Chain. According to that Report, Russian Hackers Affiliated with Russian Military Intelligence, the GRU, sent Phishing Emails to Employees at a Voting Services Company that provides State and Local Election Offices with Voter Registration Systems, compromising at least One Account on that Vendor’s System that was then used to send Spear-Phishing Emails to 120 Local and State Election Officials. Given the typical successes of a well-designed Spear-Phishing Attack, we can be almost certain that one or more Election Officials fell Victim to this Attack, although we do not know what Access and Damage might have resulted, as this information is likely still Classified.

Good Cyber Hygiene can help prevent some of these Remote Attacks. However, during the Voting Village, the extensive use of Foreign-Made Computer Parts within the Machines (frankly, as expected given how many Commercial Computing Devices are Manufactured Overseas) opened up a serious set of Concerns that are very relevant in other areas of National Security and Critical Infrastructure: the ability of Malicious Actors to Hack our Democracy Remotely, and well before it could be Detected. A frequent argument raised about the Defensibility of Election Systems is that the Diversified, Decentralized nature of our Election Infrastructure provides at least some Protection from Wide-Scale Hacks. But via a Supply Chain originating Overseas, Voting Equipment and Software can be Compromised at the earliest of Stages in the Manufacturing process. For example, Foreign Actors could Design or Plant a Virus in Software, Memory, or even a Small Microchip that could affect an entire Make/Model of Voting Machine, theoretically allowing them to be Compromised in one coordinated Attack. To be sure, while we’ve known for over a decade that some Voting Machines have Hardware Manufacturing and/or Assembly in Foreign Countries, less is known about Sourcing of Software. We do know, for example, of One Case when Election Systems & Software Failed to disclose it was Manufacturing Products in a Sweatshop in the Philippines in 2007.

One additional Implication of Foreign Parts is the Inability to Limit Insider Threats. Cyberattacks originating from Inside an Organization are a serious concern. Yet U.S. Election Officials, Vendors, or those involved in the Voting Administration process can be Vetted to some degree. This is not the Case when the process involves Foreign Components and Facilities, including complicated but common Relationships such as Subcontractors further Subcontracting work out to other entities. To be sure, there are very few entities (the Department of Defense, the National Security Agency, and large Tech Companies such as Google and Facebook) that have the Ability and Resources to Design, Develop, and Manufacture entire Computer systems on their own. A Controlled Supply-Chain is a first step towards Reducing these kinds of Threats, but it would be best if Voting systems moved to more Trusted System Design.

Lesson #3: This was more than a “Hacker” Stunt and showed that a Diverse Community of Stakeholders must be Engaged

Organizers did not maintain a precise count of how many entered the Voting Village but estimate that the number exceeded several Thousand. In just Three days, the Voting Village expanded the Number of People who have now had First-Hand Experience and Knowledge of these Systems. By Sunday, the attendees who started Hacking on Friday had become the Experts and they were Teaching and Helping the New People who just started on Sunday. Exponentially expanding the Knowledge Base in this regard is sure to have great Impact on the Solutions and Policy-Making Process. Remarkably, many of the Hackers that stayed in the Voting Village for a considerable amount of time at DEFCON 25 were Young, between the ages of 16-19, demonstrating to Organizers that this kind of Civic Infrastructure Hacking may be a promising way to reach out to Younger elements of the Information Security Community.

Additionally, given the wide scope of Stakeholders involved in Election Security, Voting Village Organizers believed it was essential the Village did not come to be seen only as a “Hacker thing.” Organizers reached out to and involved Hundreds of other “Non-Hackers” in the Event, ranging from Senior Leaders of NGOs, to Cyber and Voting Experts, to Elected Officials to National Security Leaders. Staff from U.S. Senate Homeland Security & Governmental Affairs Committee and Representatives from National Institute for Standards & Technology (NIST), the U.S. Department of Homeland Security (DHS) and the National Governors Association (NGA) attended. Members of the U.S. Congressional Cyber Caucus including Representative William Ballard Hurd (R, TX-23rd District) and Representative Jim Langevin (D, RI-2nd District) also visited the Voting Village.

The Voting Village also intentionally encouraged State and Local Election Officials to attend. For many of them in attendance, the Village was their first opportunity to look into the Machines themselves (Machines they are required to use and manage, but have been prohibited to Study in depth), find answers to their own questions, and learn more about that Equipment. Moving forward, it will be critical to Incorporate all of these Stakeholders into the Security and Solutions Discussion.

Lesson #4: The Village Challenged Major Criticisms and Reiterated the Need for Policy Change

Finally, the Voting Village helped to Dispel a few Long-Circulating Criticisms, as well as helped to Affirm what Election Security Advocates have been arguing for years: There is an urgent need for Federal, State, and Local Election Officials to Implement Measures to Secure U.S. Election Infrastructure.

First, though Voting Machine Manufacturers have historically denied Claims that their Machines are Insecure, some have suggested the Voting Village demonstration did not constitute a “true” Test because it was not conducted in a Real Election Setting. Yet, Enemy Hackers are certainly not Operating in a “sanctioned” Environment and if a Voting Machine can be Hacked by a relative Novice in a matter of Minutes at DEFCON, imagine what a Savvy and Well-Resourced Adversary could do with Months or Years.

Second, there is a common Misconception that the Internet is required for Voting Machines to be Hacked. Obviously, the WinVote Hacked at DEFCON is particularly Vulnerable because it creates a Local Network that is completely Unprotected. But even the Machines in the Village, or in the Real World, that do not create such a Network are still not as Distant from the Internet as it may seem, and many contain Software and Hardware that can be used to Connect them to the Internet. Before each Election, the Ballots need to be Created via a Software Application, which Runs on a Desktop Computer or is Web-Based. From there, the Formatted Ballot is Transferred and Uploaded to Voting Machines through Memory Cards or USB Sticks. And even well before Election Day, indeed before a Voting Machine is Assembled, Sold to a Government, and brought Online for an Election, the Foreign Parts in the Machines suggest multiple Voting Systems could be compromised by laying the Seeds of Future Attacks in the Supply Chain Processes. This new Revelation heightens concerns, and more must be done to Protect our Systems at every point in the Process, including across the Supply Chain.

Finally, another common argument is that Voting Systems are Insulated to a Degree by the Diversity and Decentralized Nature of our Election Infrastructure. It is True that Voting Systems do vary greatly from State to State, making it difficult to penetrate Multiple Voting Machines simultaneously. Yet, the confirmation of Foreign-made Parts and Software raises the possibility that Hackers could take Remote Control of at least an entire Line of Voting Machines at a later point, with the right Level of Access in the Supply Chain. And as pointed out, Machines also touch the Internet and Non-Networked Forms of Data Transmission (USB sticks, etc.) at various other points in the process, potentially Weakening resilience if not done very carefully. Yet even if that did not happen, the Voting Village helped to show that simply Manipulating a Voter File, or in the Village’s case, Poll Book Data, could create enough Problems or Long Lines to affect an Election outcome.

Next Year’s Voting Village: Moving Forward

The Voting Village will return to DEFCON in 2018. Organizers hope to Expand the Event next year to potentially cover a Number of Distinct areas in addition to Hands-On Hacking of Voting Equipment, including:

Closed-Loop System: Would like to have a Closed-Loop System on which they can Run an Entire Mock Election using actual Voting Technologies. This would include Voter Registration, Ballot Generation, a Mock polling place with Rules of Engagement, and Results Reporting. This addition would allow them to go a step beyond just Looking at the Machinery of Democracy on the Technology level.

Election Tech Range: Election Officials and Voting System Manufacturers have some of their own Security Technologies, Compositions, or Solutions that they find work well in Defending against certain Threats. They would like to invite Election Officials and Voting System Vendors to come and get Advice and even Testing of their Tech. A good example would be if an Election Official or Manufacturer would like to get Feedback on a particular Security System or challenge Security Researchers to Evaluate it and give Feedback on how it could be Improved.

Election Tech Challenges: There are a number of Activities in Elections that are difficult to Secure. Some small Fraction of Votes are Cast by Email, Fax, and Web and a larger Fraction cast on Paper through Vote-by-Mail. They would like to set up Examples of these Technologies and Challenge Voting Village Attendees to Demonstrate what Failures can happen and to what extent those can be Avoided.

Election Technology Usable Security Evaluations: A Secure Voting System can still be highly usable. They would like to invite Usable Security Researchers to join the Village to Build up a Resource of Usability and needs Assessment Conclusions and Profiles of Past, Existing, and Future Voting Technologies.

Request for Donation of Machines, Software, Databases, etc.: DEFCON has embraced the notion that the DEFCON Hacker Community’s role in the Election Security Debate is one of providing a Public Service. To that end, DEFCON is offering to Test any Clerk or Secretary of State’s Election Administration Equipment and provide Training for their IT Staff at DEFCON 26.

Conclusion

DEFCON Organizers believe the Voting Village was Vital to Growing the Base of Knowledge, Expanding the Circle of Stakeholders beyond Hackers, and shining a National Spotlight on the serious Cybersecurity Weaknesses of U.S. Election Infrastructure.

The next step is to make clear that this is a Conversation that cannot “Stay in Vegas.” It is imperative that Leaders at the Federal, State, and Local level come to understand this Threat as a National Security imperative and work together, leveraging the support of the National Security and Cybersecurity Community, to better Defend and Protect the Vote from Cyberattacks in the Upcoming elections in 2018 and 2020. Americans need the reassurance that their Democracy is Safe, starting at the Ballot Box.


NYC Wins When Everyone Can Vote! Michael H. Drucker