First in MC: DEF CON reveals election security findings

    From https://www.politico.com/newsletters...indings-759382

    By TIM STARKS
    09/26/2019 10:00 AM EDT
    With help from Eric Geller, Mary Lee, Martin Matishak and Matthew Brown

    HAPPY THURSDAY and welcome to Morning Cybersecurity! It’s a weird tradition we have here. Send your thoughts, feedback and especially tips to tstarks@politico.com. Be sure to follow @POLITICOPro and @MorningCybersec.

    FIRST IN MC: VENDORS, WE HAVE A PROBLEM
    Popular new electronic voting machines “have not been designed with security considerations in mind,” and their weaknesses “open the door for various methods to attack the election process,” DEF CON’s Voting Machine Hacking Village said in its 2019 report, provided first to POLITICO. Hackers visiting the village found several flaws in these ballot-marking devices, including default passwords and clear-text administration credentials in the ES&S AutoMARK and an unencrypted file system on the Dominion ImageCast Precinct. BMDs are also susceptible to denial-of-service attacks, the report found, because resolving errors (including deliberate ones) requires a reboot.

    Village organizers concluded that BMDs’ flaws raise “broad questions about their security and impact on overall election integrity if they were to be put into general use in elections.” But the problems uncovered went beyond BMDs, which are common replacements for paperless devices because they retain the convenience of a touchscreen. The village brought in other equipment, and the report said hackers used new and previously identified exploits to breach “every one of the devices in the room.”

    Testers found a machine hard-coded to ping an overseas IP address with no explanation, and an e-poll book made by VR Systems — believed to be a victim of Russian hacking in 2016 — lacked a firmware password, enabling hackers to boot it into any operating system they wanted. Village organizers said most of the discovered attacks were possible under live-election conditions.

    These findings demand scrutiny of BMDs, nationwide use of paper ballots and risk-limiting audits, as well as “dramatically increased funding” for local officials, the village’s organizers said in their report, which will be officially released later today. They also criticized voting machine vendors’ security engineering practices. “Historically, security measures provided by the hardware / low-level programming have been systematically turned off in all classes of devices used as part of the election infrastructure,” they wrote. “Unfortunately, this was found to be true also with newer generations of voting equipment in the Village.” Dominion did not respond to a request for comment, nor did the Election Assistance Commission. ES&S said it "look[ed] forward to reviewing the report."