Hackers attending the flagship cybersecurity conference Defcon this year were able to break into a wide variety of voter registration and ballot machines in roughly 90 minutes, leading to fears that the outcomes of presidential elections could be influenced by cybercriminals in the near future.
Ever since the 2016 US presidential poll, when hackers linked to Russia were accused of tampering with voting machines in a slew of states, so-called "election hacking" has hit the headlines. To test for flaws, Defcon officials brought in 30 separate voting machines.
One "WinVote" machine, from a now-defunct US company called Advanced Voting Solutions, had a hardcoded password of "ABCDE", Cnet reported.
Another machine could be hacked via its Wi-Fi connection using a known Windows XP exploit that was more than four years old but had been left unpatched.
The old machines, used for registrations, were purchased on eBay or bought from government auctions. Shockingly, reports suggested that some were still storing hundreds of thousands of records.
In one case 600,000 records linked to citizens living in Tennessee were allegedly discovered.
"Our voting systems are weak and susceptible," Jake Braun, a former White House advisor who is now a cybersecurity lecturer at the University of Chicago, told The Register. "Thanks to the contributions of the hacker community today, we've uncovered even more about exactly how."
He continued: "The scary thing is we also know that our foreign adversaries – including Russia, North Korea, and Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security."
In one instance, a hacker was able to crack the WinVote machine's operating system, Windows XP, and install Windows Media Player to then blast Rick Astley's "Never Gonna Give You Up" from the built-in speakers. That was certainly in line with the playful ethos of Defcon.
Some hackers were able to crack the machines within an hour-and-a-half, with many more sitting for hours tinkering with the hardware and software to locate vulnerabilities.
There remains little independent research into the digital protections of such machines.
While each US state will have its own system (meaning it is highly unlikely an entire presidential election could be hijacked on a national scale), experts fear that cybercriminals could target key battleground states to swing the results. To date, this remains largely hypothetical.
TJ Horner, an Android developer and student, tampered with the ExpressPoll 5000 voting machine during Defcon and found that he was able to exfiltrate data and even falsify voter information. "Your imagination is the limit," he noted in a blog post published on 30 July after the event.
According to Cnet, a security firm called Synack was able to exploit one machine via its USB ports. Without needing any type of authentication, the white-hat hackers plugged in a mouse and keyboard and took over the operating system by pressing "control-alt-delete".
"The exposure of those devices to the people who do bug bounties or actually look at these kind of devices has been fairly limited," Brian Knopf, an internet of things (IoT) researcher with cybersecurity firm Neustar, told the publication, which attended the event.
He added: "Defcon is a great opportunity for those of us who hack hardware and firmware to look to these kind of devices and really answer that question: 'Are they hackable?'"
It seems the answer is yes.