New for DEF CON 25, Voting Machine Hacking Village

It started out as a twitter post asking if anyone had a good voting machine hacking talk they could give, and it has ended up as a first year village.

Announcing the Voting Machine Hacking Village @ DEF CON 25

CONCEPT: Get a bunch of voting machines and start hacking on them to raise awareness and find out for ourselves what the deal is. I'm tired of reading misinformation about voting system security so it is time for a DEF CON Village..

Until now getting access to real voting machines has been almost impossible. The public has been assured by the vendors that the systems are safe, but who can verify that? The DEF CON Voting Machine Hacking Village provides you access to real voting machines, used in past elections and to be used in future elections. Now we, as community, can take a look ourselves and asses the security of these systems and help general public to get educated and the policy makers to get old-fashioned facts.

As a first year Village we will get everyone started on understanding the technology and systems these machines live in. By year three we hope to have a complete functioning stand alone voting network that we can test. Believe it or not no such network has ever been security tested or audited - only separate pieces.

THREE MODES: I am thinking we go at this three different way for year one.

1. Build a network and have network monitoring ports where people can play Man in the Middle or other active attacks to simulate an attacker at distance.
2. Have stand alone systems active and see what physical attacks are possible.
3. Hardware hack on the machines, dump their BIOS, EEPROMs, reverse engineer what we can, and generally learn what we can of how they are built and the quality of the code running on them.

We should try and capture as much information and results as possible and try to create a report in the end of our experiences to help others who want to continue the work.

Also VerifiedVoting will have some tables in the village and be present to help educate everyone who may have questions.

[Edited 26June 2017]
OPEN QUESTIONS:

• How many machines? Are they the most recent? [Looks like we'll have over 30 machines of different types to play with]
• Can we build a complete network or are we just looking at polling station "end user" machines? [Looks like getting the back end systems and software necessary to build a complete network is really difficult so we will add this as a goal for next year. The ES&S DS200 is the machine we need to find for this]

HOW YOU CAN GET INVOLVED: Does this sound interesting to you?

• Please post links to other work, tools, or sites people should be aware of.
• Post that you are interested so we can get an idea of how many people to expect, along with what aspect you want to get involved with.
• Have access to systems? Want to bring them or share documentation? Post here or DM me in private if you want to remain anonymous.
• Do you have prior experience hacking or testing voting machines and want to help run the village? Post here!

[EDITED 11 July 2017]

VOTING VILLAGE SPEAKING TRACK
When: Friday, 10:00 to 17:00
Where: Roman 1 on the Promenade Level.

10:00 - 10:45 Barbara Simons, Chairwoman, Verified Voting
An election system is much more than the voting machine or the booth, overview of the election IT systems, the threat models and procedural safeguards.
Barbara Simons is a computer scientist and past president of the Association for Computing Machinery (ACM). She is founder and former Chair of USACM, the ACM U.S. Public Policy Committee. Her main areas of research are compiler optimization and scheduling theory. Together with Douglas W. Jones, Simons co- authored a book on electronic voting entitled Broken Ballots.
Since at least 2002 Simons has been a critic of unauditable electronic voting and is generally credited as a key player in getting the League of Women Voters to change its stance on this issue. Initially the League had seen electronic voting mainly as a way to minimize invalidly cast ballots, but at their June 2004 convention she led a successful fight to get this policy reversed to one of giving priority to voting machines that are “recountable”.
She was a member of the National Workshop on Internet Voting that was convened at the request of President Clinton and produced a report on Internet Voting in 2001. She also participated on the Security Peer Review Group for the US Department of Defense’s Internet voting project (SERVE) and co-authored the report that led to the cancellation of SERVE because of security concerns. Simons co-chaired the ACM study of statewide databases of registered voters. She recently co-authored the League of Women Voters report on election auditing. In 2008 she was appointed to the Election Assistance Commission Board of Advisors by Senator Harry Reid

11:00 - 11:45 Introduction into hacking the equipment in the village.

12:00 - 12:45 Joe Hall Legal considerations of hacking election machines.

13:00 - 13:45 Harri Hurst Brief history of election machine hacking and lessons learned so far and why it is hard to tell the difference between incompetence and malice.
Harri Hursti is a Finnish computer programmer and former Chairman of the Board and co-founder of ROMmon where he supervised in the development of the world’s smallest 2 gigabit traffic analysis product that was later acquired by F-Secure Corporation.
Hursti is well known for participating in the Black Box Voting hack studies, along with Dr. Herbert “Hugh” Thompson. The memory card hack demonstrated in Leon County is popularly known as “the Hursti Hack”. This hack was part of a series of four voting machine hacking tests organized by the nonprofit election watchdog group Black Box Voting in collaboration with the producers of HBO documentary, Hacking Democracy. The studies proved serious security flaws in the voting systems of Diebold Election Systems.

14:00 - 14:45 General Doug Lute, Former U.S. Ambassador to NATO.
The governments can be changed by bullets or ballots, International and domestic interest to interfere.
General Douglas Lute is a U.S. public servant who served as the United States Permanent Representative to NATO from 2013 to 2017.

15:00 - 15:45 Common misconceptions and false parallels about voting technology. We can do online banking and use ATMs, why can’t we vote on touch screens or online?

16:00 - 16:45 Matt Blaze How did we get here: A history of voting technology, hanging chads, and the Help America Vote Act. I’ll bring a punch card machine and demo what can go wrong with it.

The Village Hacking space will be open:
Friday 1000 – 2000
Saturday 1000 – 2000
Sunday 1000 - 1500

[Updated 07-26-2017]
I am proud to announce that Harri Hursti, Matt Blaze, and Jake Braun will help run the village. They are subject matter experts with years of experience in voting technology. More announcements soon!

That's the short introduction, please start a conversation!

Here is an article that got written pretty quickly after I mentioned the idea on twitter. Top hacker conference to target voting machines

By Edward-Isaac Dovere

05/23/2017 04:34 PM EDT
Hackers will target American voting machines—as a public service, to prove how vulnerable they are.

When over 25,000 of them descend on Caesar’s Palace in Las Vegas at the end of July for DEFCON, the world’s largest hacking conference, organizers are planning to have waiting what they call “a village” of different opportunities to test how easily voting machines can be manipulated.

Some will let people go after the network software remotely, some will be broken apart to let people dig into the hardware, and some will be set up to see how a prepared hacker could fiddle with individual machines on site in a polling place through a combination of physical and virtual attacks.

At 2015’s DEFCON, hackers targeted onboard car software, and two shut down a Jeep’s brakes and transmission from miles away.

With all the attention on Russia’s apparent attempts to meddle in American elections—former President Barack Obama and aides have made many accusations toward Moscow, but insisted that there’s no evidence of actual vote tampering—voting machines were an obvious next target, said DEFCON founder Jeff Moss.

Imagine, he said, what a concerted effort out of Russia or anywhere else could do.

“That’s the point: we’re only going to play with them for a couple of days, but bad guys can play with them for weeks or years,” Moss said.

Moss (also known as Dark Tangent) is a former member of Obama’s Homeland Security Advisory Council. He said he’s concerned that no one has proven where the soft spots are—and the combination of non-disclosure agreements and private contracts have allowed misinformation to take root.

“Pretty much, just like everything else, it’s time for hackers to come in and tell you what’s possible and what’s not,” Moss said.

Moss and other organizers are at the early stages of planning, locating used voting machines on eBay and elsewhere, and they’re already anticipating the excuses that any success they have hacking will be dismissed by the companies as not being up to date with their systems.

“Election machines used in USA really do not have security standards - the voluntary voting system standard addresses air humidity and shock resistance, but not security. This means that the old systems which were designed with no security consciousness are not being replaced with responsibly designed successors,” said Harri Hursti, a Finnish computer programmer who has worked on election-related issues in Finland, the United Kingdom, Estonia, Argentina and the United States. “Also, vendors are frequently blatantly mispresenting the specifications and the properties of the equipment they sell to the jurisdictions.”

Jake Braun, a White House liaison to the Department of Homeland Security under Obama, and currently a cybersecurity lecturer at the University of Chicago and CEO of Cambridge Global, said he’s hoping the event helps produce a report for DHS and Congress about the problems.

“Up until now, the voting machines companies keep telling us everything is totally secure, when everyone in cybersecurity knows there’s nothing that’s totally secure, it’s all just a matter of risk mitigation,” Braun said. “It’ll be good to get some independent folks who don’t have an ax to grind one way or the other.”

He laughs at the voting machine companies which insist there’s nothing to worry about.

“That answer in and of itself shows a total lack of sophistication in cyber security,” Braun said. "Anybody who says they’re un-hackable just doesn’t know what they’re talking about.”

Moss said he’d be happy to have the voting machine companies be actively involved, bring their voting machines, and help learn from the event. He noted that Tesla sent its vice president in the past when hackers were targeting self-driving cars.

“You’re getting something that would be hard to pay for – why not embrace it?” he said.

He doesn’t expect the notoriously secretive companies will take him up on the offer.
“I think,” he said, “they’re going to freak out.”

I'm interested in participating in the MIM attacks over a network. Is there going to be a sign up for this or a first come first in when we get there? I don't want to miss out on an excellent opportunity to test our voting machines.

Ah interesting. I think the pcaps would be a good idea as well.

We have a group of two to four people from the Paradyn/Dyninst group (http://paradyn.org/). We work on a binary code analysis and instrumentation tool called Dyninst, so we are interested in reserve engineering the code of the voting machine and helping finding its vulnerabilities.

Looks like machines have been ordered, as per Dark Tangent's latest tweet:

Lots of good movement on the #DEFCON Voting Machine Hacking Village. Machines are ordered and are building a speaking agenda for Friday

Q: Are these up-to-date machines?
A: Current systems used, yep. One even uses a Z80 and claims ROP is impossible, but Harri Hursti and his team found a way around it

Q: Curious how these were procured. I've heard of anti-analysis/publication clauses in Ks and software licenses. Not a worry here?
A: Two things: 1 - eBay and 2 - three year DMCA exception for security research on voting tech, expiring end of 2018

I'm going to keep editing my original post (Post #2) with updates and information.

[Updated 21 June 2017]
EQUIPMENT WE HAVE SO FAR THAT IS IN USE:
This post will be updated as new equipment and software is available. Have something to bring? Let us know and we'll add to the list!


iVotronic DRE Touch Screen Voting Device by ES&S with PEBs (Personal Electronic Ballots)
The ES&S iVotronic is a direct recording electronic (DRE) voting system with a touch screen interface that records votes on internal flash memory.
For more information:https://www.verifiedvoting.org/resou...ess/ivotronic/
This machine is still widely used nation wide.

Sequoia LCD Touchscreen AVC edge voting booth with printer
The Advanced Voting Solutions (AVS) WINVote is a Direct Recording Electronic voting system with a touch-screen voting terminal equipped with a wireless local area network (LAN).
For more information:https://www.verifiedvoting.org/resou...t/avs/winvote/

This machine is still widely used nation wide

Advantech Diebold ExpressPoll 5000 Tablet
The ExpressPoll-5000 stores registered voter information for precincts, districts, or entire jurisdictions. Poll workers enter an identifying piece of information onto the large, easy-to-read touch screen to verify that a voter is registered.
While this is not a voting machine it is an electronic pollbook that is still used, for example in Ohio

Diebold Accuvote SX M N AVTSx
This machine is still widely used nation wide, and most importantly this was the machine used in Georgia

Diebold Accuvote TSX (DRE touchscreen) includes printer.
The AccuVote TSX is a touch screen direct recording electronic voting machine that records votes on internal flash memory. Voters insert a “smart-card” into the machine and then make their choices by touching an area on a computer screen, much in the same way that modern ATMs work.
For More Information: https://www.verifiedvoting.org/resou.../accuvote-tsx/
Used nationwide in the Georga

EQUIPMENT WE HAVE THAT IS DE-CERTIFIED BUT FUN TO HACK ON:

AVS WinVote (DRE touchscreen with WiFi)
The Advanced Voting Solutions (AVS) WINVote is a Direct Recording Electronic voting system with a touch-screen voting terminal equipped with a wireless local area network (LAN).
For more information: https://www.verifiedvoting.org/resou...t/avs/winvote/
This machines was previously used by Virginia board of elections, but has since been decertified.

So from the sound of things, it looks like there's going to be a pretty good selection of machines to screw around with. For the machines that are still in active service, it'd be interesting to set up a time-restricted environment like the tamper evident guys had last year with the bomb disarming event. Machines set up with a ballot of Pwnie nominees, a curtain, and a five-minute time limit could frame the threat model. Maybe an attacker would have to defeat a sticker and go through a generic lock to access the guts of a machine then put everything back into its pre-tamper state. If there are gaps in a simulated polling station build-out, such as the reference back end systems, there'll still be enough knowledge of what they do to extrapolate our findings.

[Updated June 26 2017]
We have been assigned two spaces next to each other, one is 1,000 sq foot and the other is 1,200sq for the hacking village. For speaking we have been assigned a new larger space that should hold 300 instead of 150. It's the best space left, but it means we'll have to start off small and then grow. Get there early if you are interested in hearing the talks.

For the village we'll have tables and machines set up, and for machines we have duplicates of we can check some out to other villages like hardware hacking, packet hacking, etc. We'll have some spare parts tools necessary for reading some of the serial ports and what not, and I'll post what additional tools you may want to bring to get the most out of it.

If I can be helpful I'm certainly interested in working on this village. While I don't have experience with the management of these systems, I have been an election officer for the last few elections and have knowledge about the operation and troubleshooting of these systems in a polling place

Want to play with the hardware? Here are some tools to buy:

SanDisk 32MB PCMCIA PC Card II Flash Disk ATA Memory - ATA-32MB-SD
-- It does not need to be this brand

Addonics AEPUDDU Pocket Ultra DigiDrive
-- Any brand PCIMCI - USB adaptor is ok

USB / TTL serial adaptors are useful JBtek® WINDOWS 8 Supported Debug Cable for Raspberry Pi USB Programming USB to TTL Serial Cable
-- Any brand is ok, however, some adapters sold in 5-packs are actually fakes which do not work properly

JTAG also is useful\
- But the modern JTAG adapters are not the best tool for the job, older models tend to be more compatible.

IRDA adapters
- The iVotronic systems use that as one of their interfaces

I have a Sequoia AVC Edge DRE with the voter paper-roll and printer, but without a results cartridge. It was last used in Washington DC during the 2008 presidential election. I could bring it -- or better, ship it to Caesar's -- especially if it could be used to demonstrate vote-switching.