For the second year in a row, hackers at the Def Con computer security conference in Las Vegas set out to show just how vulnerable U.S. elections are to digital attacks.
At one gathering geared for kids under 17, elementary school-aged hackers cracked into replicas of state election websites with apparent ease. At the Def Con Voting Village, a section of the conference that showcased hands-on hacks, security researchers picked apart voting machines and exposed new flaws that could potentially upend a race. And hackers got close to being able to manipulate a heavily-guarded mock voter registration database.
But during the weekend-long hack-a-thon, these faux election hackers had a hard time winning over some of the people they wanted to reach most.
Election officials from the National Association of Secretaries of State (NASS) bristled at the demonstrations, saying they didn't reflect what could actually happen on Election Day. So did voting machine vendors, which argued it would be difficult for adversaries to gain the level of access necessary to tamper with equipment.
The tension doesn’t bode well for the debate over how to boost election security as the threat of Russian election interference looms large ahead of the November midterms and 2020. Officials are wary about security researchers highlighting the vulnerabilities in their systems, fearing that they could discourage voters from showing up at the polls. But if they’re too dismissive about the threats, they risk alienating important allies as they push for more resources to upgrade voting equipment, patch vulnerabilities and hire more cybersecurity staff.
“We’re trying to help,” said Jake Braun, an organizer of the Voting Village and a former Obama White House liaison to the Department of Homeland Security. “We’re identifying for them things that they can do to demonstrate to the public that they’re making elections more secure.”
But not everyone saw it that way. Micah Evans, an IT worker with the Nevada secretary of state's office, attended a demonstration as an observer. During a heated exchange with Braun, he said the actual websites were far more secure than the replicas created by the organizers. “If you're going to say, 'We're going to hack this site with kids,' you have to put the full disclosure that this is not what our website is,” Evans said. “I'm asking for fairness, and what you've mocked up is not fair.”
Braun said he was missing the point. “You're on the front lines of a war,” he said. “If you guys aren't out there screaming from the mountaintop every day to Congress asking for more money, then you're not doing your job.”
Evans's objections echoed those expressed by NASS, which released its statement criticizing Def Con almost as soon as the demonstrations began. The organization said the Voting Village was using a “pseudo-environment which in no way replicates state election systems, networks or physical security.” Voting vendors issued similar criticisms. “Physical security measures make it extremely unlikely that an unauthorized person, or a person with malicious intent, could ever access a voting machine,” ES&S said in a letter to customers.
California Secretary of State Alex Padilla, a Democrat, was the only secretary of state who attended the conference. He said he shared some of his counterparts’ reservations but assured attendees he was there to “listen and to learn.”
“We’re still a little traumatized by the headlines from last year’s conference — ‘Voting systems hacked, voting systems hacked, voting systems hacked,’” Padilla told reporters in a news conference on Friday. “If there’s distinctions between what’s happening downstairs and real world conditions, that doesn’t mean there’s nothing to learn from a meeting like this, but it does mean let’s be informed about what the takeaways are.”
It's true that Russian interference in the 2016 election turned election cybersecurity from a relatively niche technical issue to a top feature at Def Con, which is now in its 26th year. At last year's conference, hackers revealed an array of flaws in voting machines, prompting pushback from election officials and voting vendors who said the hacks were unrealistic but also helping pave the way for lawmakers to introduce election security legislation.
But as security researchers and officials both note, the threats are no different this year, as Moscow continues to target the U.S. election system.
Against that backdrop, organizers of this year's Voting Village took things to another level. In a room at the Caesars Palace hotel, hackers found a litany of new vulnerabilities in voting machines used by states, including one that allowed them to manipulate vote totals wirelessly. Organizers also set up a “Cyber Range” where a replica of Ohio’s voter registration database was secured behind firewalls. Hackers penetrated the database but weren’t able to manipulate it or download it.
A floor above, kids ages 6 to 17 sat at rows of laptops and tried to hack into replicas of state election websites that displayed election results. I watched Yonatan Lensky, 11, sneak into a mock website for the state of Pennsylvania, change President Trump’s name to "Mark Albert" and change his vote tally to 999,999,999. Other kids his age found similar exploits, including an 11-year-old girl who changed election results on the mock Florida website within 15 minutes.
Nico Sell, founder of the R00tz Asylum, the nonprofit that hosted the young hackers, said the demonstration underscored the need for officials to address basic flaws in their networks.
“They’re not taking responsibility for being vulnerable. That’s what we can change,” Sell told me at the conference. “This should be a top priority, and this is the lowest hanging, easiest thing to fix in our elections.”
After the conference ended, Padilla told me he still thought it was important to stress the difference between “what may have happened in Def Con and real world conditions.”
“Let’s be constructive on identifying different vulnerabilities,” he said, “but let’s be partners on advocating for more resources.”
PINGED: “The Pentagon has a new goal aimed at protecting its $100 billion supply chain from foreign theft and sabotage: To base its weapons contract awards on security assessments — not just cost and performance — a move that would mark a fundamental shift in department culture,” The Washington Post's Ellen Nakashima reports. “The goal, based on a strategy called Deliver Uncompromised, comes as American defense firms are increasingly vulnerable to data breaches, a risk highlighted earlier this year by China's alleged theft of sensitive information related to undersea warfare, and the Pentagon's decision last year to ban software made by the Russian firm Kaspersky Lab.”
MITRE Corp., a not-for-profit company operating federally funded research and development centers, is set to release a copy of its report on the strategy today. “Addressing the security issue requires greater participation by counterintelligence agencies, which can detect threats against defense firms, the report said, and ideally, the government should establish a National Supply Chain Intelligence Center to monitor threats and issue warnings to all government agencies,” Ellen writes. “Ultimately, the military's senior leaders bear responsibility for securing the supply chain and must be held accountable for it, the report said.”
PATCHED: Four members of the House Intelligence Committee on Friday introduced a bill that would allow state and local authorities to apply for federal funding to strengthen their election systems. The bipartisan bill, titled Secure Elections Act, would also aim to improve how the federal government shares threat information with state and local officials. Reps. Thomas J. Rooney (R-Fla.), Trey Gowdy (R-S.C.), Jim Himes (D-Conn.) and Terri A. Sewell (D-Ala.) introduced the legislation as the House version of a bill that was first introduced in the Senate and bears the same name. (I wrote about the Senate version of the bill last month.)
“It’s critical that we provide our local and state election offices with the resources they need to harden their systems against cyberattacks,” Rooney said in a statement. “The funding provided by this bill will allow our communities to close vulnerabilities and prepare for the future, rather than sit around and wait for the next attack.” Himes said in a statement that the bill would “ensure that the first line of defense — those on the frontlines of administering elections — have the information, modern equipment, financial resources and federal support needed to protect our elections.” The Senate Rules and Administration Committee is scheduled to hold a business meeting to examine the Senate version of the Secure Elections Act on Aug. 22.
PWNED: Florida Gov. Rick Scott (R) wants an explanation from Sen. Bill Nelson (D-Fla.), his opponent in a Senate race, about his recent comments on election security, my colleagues Michael Scherer and Felicia Sonmez reported. On Wednesday, Nelson told the Tampa Bay Times that Russian hackers “have already penetrated certain counties in the state and they now have free rein to move about.” On Friday, Scott called the allegations a “very serious charge” and said Nelson ought to show evidence for his claims.
“'Either Bill Nelson knows of crucial information that the federal government is withholding from Florida election officials or is simply making things up,' Scott said,” my colleagues wrote. “He called on Nelson to 'come clean' and warned, 'Elections are not something to scare people about.'” Nelson issued a statement but did not elaborate on his comments about Russian hackers, Scherer and Sonmez reported. “I and several of my Senate colleagues are trying to make sure Florida officials are aware of the ongoing Russian threat so they take the steps necessary to safeguard our elections,” Nelson said in the statement.
Nelson's comments had already faced pushback last week. “The Florida Department of State has received zero information from Senator Nelson or his staff that support his claims,” Sarah Revell, the communications director for the agency, told the Tampa Bay Times in a statement on Wednesday.
— More information security news from Las Vegas:
- Researchers at the Fraunhofer Institute for Secure Information Technology in Germany found that vulnerabilities in an app allowing a user to spy on their romantic partner exposed passwords and data. “In the most worrisome example, an app called Couple Vow exposed 1.7 million user passwords, completely unprotected and in plain text,” Forbes's Thomas Fox-Brewster reported on Saturday. “Anyone who had access to an account wouldn't just have all the location, text and call data of whoever was being tracked, but all content sent through the app's messaging feature. A separate vulnerability in the app's database meant hackers (thankfully benevolent ones in this case) could grab all 1.7 million users' data in tranches of information.”
- Wired's Lily Hay Newman wrote that “the surprising ubiquity of fax machines is what inspired Check Point researchers Yaniv Balmas and Eyal Itkin to analyze the tech's present-day security posture. Vulnerable network printers are a classic target, and the researchers found that they could similarly exploit bugs in faxes to get inside private networks.”
- “Matt Linton, a senior software engineer at Google, says he was asked to leave Caesars Palace hotel in Las Vegas Thursday night after a tweet about hacking was reported to the Las Vegas Metropolitan Police Department,” Wired's Louise Matsakis reported. “The police have confirmed that Linton is not considered a threat, but until Friday afternoon the engineer said he was not let back into Caesars, which is hosting Def Con.”
If I had the time, budget, and motive to launch really good attacks in Vegas, I would:
❌ Attack random Defcon nerds who are probably mostly broke and powerless
✔️ Attack ppl at BlackHat who are way more likely to be in positions of power somewhere with 💰 to drop on tickets
— Matt Linton 🐦👨💻⚕️⚒️🥋🎻 (@0xMatt) August 8, 2018
— More cybersecurity stories from Black Hat and Def Con:
— Journalist Kim Zetter and Katie Moussouris, chief executive of the cybersecurity company Luta Security, tweeted that hotel security personnel demanded access to their rooms. Maddie Stone, a reverse engineer at Google, said on Twitter that a man entered her room and didn't leave until she screamed.
Because I declined to have maid service in my hotel room at BlackHat, two security guys came to my room and demanded I open my door and let them do a walkthrough search. The hotel never gave me a heads-up and the two guys thought I should just believe that they are hotel security.
— Kim Zetter (@KimZetter) August 10, 2018
Current status: two members of hotel security banging on my door after I asked to go into my room and verify them with hotel security. I'm on speaker phone with hotel security, asking for a supervisor to come verify. I'm terrified. What the hell is this @CaesarsPalace #DEFCON
— Katie Moussouris (@k8em0) August 11, 2018
He's a Caesars maintenance employee who was supposed to go next door. Caesars doesn't know why he didn't knock, announce himself, respect DND sign, nor report it to mgrs after. They're doing re-education on the topics. It doesn't change the terror but hopefully will prevent for others. https://t.co/FoBvbhNwDX
— Maddie Stone (@maddiestone) August 13, 2018
From Beau Woods, cyber safety innovation fellow at the Atlantic Council:
For those trying to figure out how to avoid the hotel room (in)security checks, I’ve used this setup and so far no intrusions in two days. pic.twitter.com/oVaucxajGK
— Beau Woods (@beauwoods) August 11, 2018
— “Despite making some strides in cybersecurity protections since 2016, cyber experts and researchers say, many candidates and campaigns have yet to implement standard safeguards to prevent breaches of their computer networks, websites and emails,” Politico's Martin Matishak reported on Saturday. “'It just doesn’t seem to be as urgent of a concern in the conversations I’ve had,' said Ronald Bushar, government chief technology officer for FireEye, which has long tracked the Russian hacker group that U.S. intelligence agencies say targeted the Democrats and Clinton.”
— “Attorneys for a Russian national accused of hacking U.S. technology companies want a psychiatric evaluation of Yevgeniy Nikulin to determine whether he’s mentally fit to face trial in January,” Bloomberg News's Kartikay Mehrotra wrote on Friday. “Nikulin was extradited to San Francisco from the Czech Republic in March, amid objections from the Russian government, after being charged with hacking LinkedIn and Dropbox.”
— More cybersecurity stories from the public sector:
— An Associated Press investigation found that “many Google services on Android devices and iPhones store your location data even if you’ve used privacy settings that say they will prevent it from doing so.”
“The privacy issue affects some two billion users of devices that run Google’s Android operating software and hundreds of millions of worldwide iPhone users who rely on Google for maps or search,” the Associated Press reported.
More private sector news:
— “The Twitter account of NBC national correspondent Peter Alexander appears to have been hijacked by hackers claiming to represent Turkey’s 'cyber army,'” my colleague Kristine Phillips reported on Sunday. “For at least a half-hour Sunday morning, Alexander’s Twitter account was filled with such tweets: 'Mr Trump, we will tear down blood vessels of those who are hostiles to TURKIYE. Be wise and learn about Turkish people in history.'”
- Senate Commerce Committee hearing to conduct oversight of the Federal Communications Commission on Aug. 16.
- Senate Rules and Administration Committee business meeting about the Secure Elections Act on Aug. 22.