By Donie O’Sullivan and Sarah Mucha, CNN
The vulnerabilities in America’s voting systems are “staggering,” a group representing hackers warned lawmakers on Capitol Hill on Thursday — just over a month before the midterm elections.
The findings are based on a project at the Voting Village at the Def Con hacking conference held in Las Vegas last month, where hackers were invited to attempt to break into voting machines and other equipment used in elections across the country.
The hacking group claims they were able to break into some voting machines in two minutes and that they had the ability to wirelessly reprogram an electronic card used by millions of Americans to activate a voting terminal to cast their ballot.
“This vulnerability could be exploited to take over the voting machine on which they vote and cast as many votes as the voter wanted,” the group claims in the report. (See the report here.)
(Jake Braun, White House liaison for Homeland Security under President Barack Obama, discusses his event that challenged children to hack mock election results websites at the annual Def Con hacker convention in Las Vegas. Courtesy of CNN and YouTube. Posted on Aug 12, 2018.)
The security of America’s election infrastructure has come under increased scrutiny since 2016, when it emerged that Russian hackers had targeted state-level voting systems, in addition to hacking the emails of the Democratic Party and the Hillary Clinton campaign and orchestrating an elaborate disinformation campaign on social media.
A voting tabulation machine the group says is used in more than two dozen states is vulnerable to be remotely hacked, they said, claiming, “hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election.”
At @defcon hacking conference and just learned how easy it is to physically gain admin access on a voting machine that is used in 18 states. Requires no tools and takes under 2 minutes. I’m concerned for our upcoming elections. pic.twitter.com/Kl9erBsrtl
— Rachel Tobac (@RachelTobac) August 12, 2018
Additionally, the group says they identified another flaw in the same machine that had been used in the 2016 election.
The issue had initially been identified a decade ago, prompting the group to complain that even when issues are detected, they are not fixed.
A spokesperson for the machine’s manufacturer, Election Systems & Software (ES&S), said that while the company is no longer manufacturing the machine in question, the M650, there are approximately 270 units actively in use in the U.S.
Adding, “it has a solid, proven track record when used in a real election environment with proper physical controls.”
Speaking at a briefing on the report on Capitol Hill on Thursday, Rep. Jackie Speier, a member of the House Intelligence Committee, called the vulnerabilities in US election infrastructure a “travesty.”
She said, “we were ripe for the plucking by the Russians [in 2016],” and warned that “we’re ripe for the plucking by the Russians, and the Chinese and the Iranians in future elections.”
Hackers face criticism
While the hackers say their endeavor is a civic exercise to expose flaws in election machines so they can be remedied, they have faced criticism.
A spokesperson for ES&S said that the conditions at Def Con where machines are accessible to hackers with “zero controls” does not reflect reality.
The company said in a statement, “The totality of security measures—such as voting machines never being connected to the internet, tamper-resistant seals, along with more advanced technology found in newer equipment—provides for an environment that would be difficult to compromise without detection.”
In most parts of the country, secretaries of state oversee elections.
The National Association of Secretaries of State (NASS) has also been critical, with a spokesperson saying in a statement last month, “Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security.”
But not all secretaries of state are critical.
Alex Padilla, California’s secretary of state, who attended Def Con last month, told CNN there it was important for officials responsible for election integrity to engage with groups of white-hat hackers like those at the event.
A white hat hacker is a computer security expert who exposes flaws in systems so they can be addressed.
In total, organizers of the Voting Village at Def Con said they gathered 30 pieces of election machinery, most of which was purchased through eBay and government surplus auctions, they said.
Calls on Congress
The report released by the group on Thursday was co-authored by Voting Village organizers, including Jake Braun, a former White House official who served as national deputy field director on President Barack Obama’s 2008 presidential campaign.
The report implores Congress to act, saying that individual states that are responsible for overseeing elections do not have the capabilities to protect themselves from hackers backed by America’s adversaries.
(Learn More. Top U.S. intelligence and homeland security officials are raising alarms about potential efforts to influence the 2018 and 2020 elections. Courtesy of the Associated Press and YouTube. Posted on Aug 2, 2018.)
“National defense is not the role of state and local government. Further, no state or local government will ever be able to raise enough capital to defend itself from a determined nation state.
Thus, having codified the basic security standards developed by local election officials above, Congress must finance the implementation of these security standards,” the report read.
CNN’s Alex Marquardt contributed to this report.