Posted on Sep 5, 2019
Cyber Experts Warn Of Vulnerabilities Facing 2020 Election Machines
Posted >1 y ago
Responses: 2
Before folks get all in a frenzy about how these systems are vulnerable (and yes, they do have a lot of vulnerabilities), note from the article:
"No one could get that kind of access on a real Election Day, which is when most people come into contact with voting machines for a few minutes at most. Election supervisors are quick to point out that any vulnerabilities found under these conditions aren't indicative of problems that actually could be exploited during an election."
In other words, one must have physical access to the system, the means to plug in (along with a port), and the time to do it without being noticed. Additionally, they need to know how the software works. Let's just say this is not easy. I'd love to go into what the best vectors would be, but I won't do that.
Also, for those who roll their eyes and suggest the government doesn't understand the threat or know what to do, this is not true. While we can't address every vulnerability for every type of system out there (and there are a lot of them), steps to mitigate are being done. That is despite the many obstacles which hamper our ability to address the issues, such as resources/manpower, the laws in effect, and the means in which these systems are deployed.
So as a cyber expert let me end with this. It's great that a bunch of cyber experts at DefCon can make their claims they are able to exploit the many vulnerabilities of our voting systems. It doesn't take much to do that. I appreciate what they are trying to do by highlighting the issue, but I wouldn't consider their ability to exploit these systems as a groundbreaking accomplishment. If I were to describe their efforts a little better, I would say they are simply working in a grey box pen-testing environment (i.e. under more like lab conditions, physical access, without the challenge of being caught). What can they do if placed in a threat emulation/red team environment? In other words, without overt, physical access to the systems, exploiting them either at a voting station or specifically where they are stored (and not get caught). I would not be surprised to find out that it is the developers of these systems encouraging these tests in order to create fear and drive government to spend more money upgrading the systems. Not trying to dismiss the threat, but I also don't buy the "sky is falling" insinuations some are making about this issue. Honestly, I would argue the paper ballots are just as vulnerable (if not more).