Scattered around a bevy of tables in the election hacking village here at DEF CON 30 are all the devices – opened wide – that are supposed to keep elections safe. Oh, the irony. It’s unclear how some of these devices ended up here, another unsolved mystery.
Luckily, they contain a myriad of tamper-resistant defenses, but from the looks of the tables, none of that has stopped, or even noticeably slowed, cracking them open to take a look.
Since the tamper resistance seems to be about as effective as sticking your hand out the car window is at resisting the wind, how much faith should we put in the digital circuitry inside or the software that runs on it, the real “secure” brains?
Here, equipment manufacturers have been resistant at best to security researchers, litigious at worst. During the last US presidential election cycle, even the mention of foul play was enough to attract lawsuits. That doesn’t help research.
That sentiment has cooled, if only cautiously, but it’s still unclear how close to a lawsuit you’d be by even asking about the insecurity of some of these machines.
Luckily, similar vendor dynamics have already played out in other realms like the PC, mobile, and cloud. Players in those spaces have long realized it’s better to dialog with researchers than to threaten them. Even at DEF CON, in the car hacking village, there are manufacturers willing to dialog.
Not that DEF CON is really filled with researchers – more like curious hackers-in-training looking at shiny, digital things. But some are also the next generation of defenders, so they can’t all be bad. Some will eventually be making house payments and helping to defend us all, so we need to invest in them, like by bringing a pile of voting machines to a cluster of tables and leaving them unattended, so their warranties can be horribly violated.
At one village talk the presenter responded to how much an individual vote really matters by saying something like “Look at how hard foreign adversaries are working to change them: they wouldn’t spend that much effort if a vote didn’t matter.” Maybe she’s right in a sort of overarching sense, but a few votes flipped here and there would be devilishly hard to thwart at scale. Speaking of scale, she was here appealing to the community to help her scale the message, in ways not many outside of a DEF CON context know how to do.
Activists reaching out to the community does seem like a good move.
Even if there were perfect security, a shady bet at best, thousands of volunteers litter the backwoods, the cities, and the in-between, operating these machines in a non-perfect manner. Add to this what happens once the votes come in, get tallied and digested by all the machinery, in near real time, to create election results. For instance, it’s rare in election recounts that the results are the same to the number. Errors happen.
The US government has offered a whopping bounty of US$10 million for tips about foreign adversaries meddling with elections, but in nation-state economies, the economic advantage of a favorable trade deal from a swung election would handily eclipse that amount, so it may still be worth it to play.
In the end, the vendors here at DEF CON have to warm up and welcome researchers trying to help, even if aspiring hackers have to acknowledge some sort of “do no harm” statement, as they must in order to gain entrance to the medical hacking village.
That part was useful, since a friend of mine there was able to get root on a medical device in that village. But he’s a Good Guy. That part made the medical device manufacturer much happier, if only cautiously. Once he agreed to disclose everything he did, their relief increased palpably. So, I guess his actions improved their mental health in the end?