A summary of the “Voting Village” event posted last week said hackers at Defcon “compromised every single machine over the 2.5-day event, many of them with trivial attacks that require no sophistication or special knowledge on the part of the attacker.”
“In most cases, vulnerabilities could be exploited under election conditions surreptitiously…an attack that could compromise an entire jurisdiction could be injected in any of multiple places,” according to a full version of the report.
In many cases, physical ports were unprotected, passwords were either left unset or left in their default configuration, and security features went unused or, in some cases, were disabled, the report added.
Attendees were given access to over 100 machines at the event, including direct-recording electronic voting machines, electronic poll books, ballot marking devices, optical scanners and hybrid systems.
One machine, based on old PC hardware, had no BIOS password set. The BIOS (Basic Input/Output System) controls the basic functions of a PC.
“Consequently, participants were able to boot an arbitrary operating system off a live CD… Ultimately, the device was used as an entertainment device, amusing visitors with Nyan Cat,” the full version of the report said.
On another system, a keyboard and Ethernet connection could be plugged in by simply removing the top of the machine’s case. The casing is secured by only 3 screws and does not have any tamper-evident seals. “Immediate root access to the device was available simply by hitting the Windows key on the keyboard,” the report continued.
Another device, one that combines an optical paper ballot scanner and ballot marking device and allows for access by the blind and visually impaired, has a single locking mechanism for the entire ballot box. “If picked, ballots could easily be stolen using common items such as a standard trash picker,” the report stated.
Participants were able to access common computer ports and slots on this machine, such as USB, RJ45, and CompactFlash, “without using destructive force…[and] boot settings also allow for the system to be booted from an external USB on startup.”
The report recommended the use of paper ballots, as well as rigorous post-election audits.
Hackers have previously said that election machine keys are available on the internet. On the flip side, federal officials have also sought out so-called "white hat" hackers to help protect U.S. national security and infrastructure.