
Voting Village - An Overview of the Security Challenges Posed by State-Level Election Management System


Formal Metadata

Title: Voting Village - An Overview of the Security Challenges Posed by State-Level Election Management System
Number of Parts: 374
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Transcript: English (auto-generated)
Hi, my name is John Odom, and I'm currently the city clerk in Montpelier, Vermont. In that capacity, I'm also the election administrator, and boy has this been a year for that. We've got our own statewide primary coming up in about a week and a half, so even
taking a little time to record this is kind of challenging. I'm also a certified ethical hacker. I've been in charge of a couple networks and been a database administrator for various nonprofits, so I tend to have a little more hands-on knowledge
than most of my colleagues in the industry, but not as much as you might think because my life's a little busy and I don't get to practice this stuff very much. Anyways, I want to bring something to folks who participate in the Voting Village's attention,
and it's not something that has been ignored, but I think it's something that deserves a little more attention. To make the point about how concerned I am, I'm going to tell you a little story, and this is not exactly on topic, but I want to use it to make a
point. Several years back in Memphis, and some of you may have heard this story, there was a local election. Mayor was being elected, various local officials, and one clever person decided to compare the turnout from the tape, and most tabulators generate some sort
of tape, some sort of physical record at the time listing the votes. Compare that number with what was reported through the GEMS system, and I know also a lot of folks who have been participating in Voting Village share some concerns about that system. Well,
the numbers did not add up. According to the tape, 546 people in this particular precinct had voted, according to the tape, and the system only showed 330. They looked at this, they looked at other precincts, they found the same problem, especially in districts
with heavy minority populations. Big problem, it's the problem we talk about at DEF CON, but I want to present another scenario to you. Consider this happening on a statewide level. Not
district by district, not precinct by precinct, not through any one individual network of voting machines, but an entire state. There are statewide systems that manage databases. This is mandated by the Help America Vote Act, which came in the wake of the 2000 presidential election
voting debacle. The hanging chads, the numbers that didn't add up, and it all went to the courts and it went to the Supreme Court. After that, there was a bipartisan group that
got together, federally mandated, and came up with several recommendations. Now, generally, they were very good recommendations. I don't want to disrespect HAVA at all. One of the recommendations, understandably, was that states should be working on their voter rolls through
one centralized system, one centralized statewide database that would contain all the voter registration information. But, obviously, you can see where I'm going with this. There are concerns about, or we have to be concerned, about the security of these systems. So, these
statewide systems don't all necessarily just hold the voter registration information. A lot of them, including in my home state of Vermont, are actually election management systems. Election administrators will report their information for election night reporting.
Sometimes we will work directly into these systems to manage it, to create our reports, to create our elections, local elections, and manage them directly out of that. So, there's a lot going on with these systems. They are very important,
and local administrators have come to really depend on them. Well, how are they doing? Could be better. I want to talk about the famous Mueller report. Now, tucked away in that is this little gem that I'm going to read here, part of it. It says, in addition to targeting individuals
involved in the Clinton campaign, Mueller's operation also targeted individuals and entities involved in the administration of the elections. Victims included US state and local entities, such as state boards of elections, secretaries of state, and county governments, as well as
individuals that work for the entities. They also targeted private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations. Now, here's the scary part. The
report says that they targeted that foreign actors targeted state and local databases of registered voters using a technique known as SQL injection, by which malicious code was sent to the state or local website in order to run commands. In one instance, in approximately
June of 2016, the working group was able to compromise the computer network of the Illinois State Board of Elections by exploiting a vulnerability, presumably a SQL injection-related vulnerability. This gave them access to a database containing information on millions of registered
Illinois voters. The group extracted data related to thousands of US voters before the election. All right, so beyond just the obvious scary here, you know, okay, a lot of you folks will know that code injection is a very big deal. Code
injection is, you know, it's where most of the hacks come from these days. But SQL? SQL injection is something we have been aware of for many years. We know how to harden against it. So my question is, why wasn't it already hardened against it? SQL injection is very easy.
One line fed through to a database from a simple login screen can get you in. We know input validation is the solution. So where the hell was the input validation?
What that says to me is, and you again to refer to Voting Village in the last few years, what's gotten a lot of attention was the simulation of the statewide voter databases. Got national coverage that kids could sit down at this simulation and they could hack right into
our dummy statewide voter registration system. Well, of course, the pushback and all the yelling and hollering from the secretaries of state were that this was a phony simulation, that their systems are actually far more secure. Somehow this was set up to be hacked
to make their point. Well, if SQL injection is a way to get into this stuff, I would argue that those systems, those dummy systems we made up maybe were not loose and accessible enough. So, all right, so let's talk about HAVA, the Help America Vote Act.
And I'm going to read a little bit from it. Part of the mandate is, each state acting through the chief state election official shall implement in a uniform and non-discriminatory manner a single uniform official centralized interactive computerized
statewide voter registration list defined, maintained, and administered at the state level. So, states have no choice but to do this. And again, the population's what they are. It's completely understandable. So, what do states do? Well, several do in-house development.
In Vermont, we used to. Our first database, our first election management system out of the box, out of HAVA was an internet-facing FoxPro application. It was pretty crude. But these days, and other states currently are still doing in-house
solutions, states like Colorado, Illinois, Kentucky. You could put together something pretty nice if you knew what you were doing. Obviously, then the networks they sit on, the municipal networks are potentially vulnerable too. But if you can get in by SQL injection,
why bother? Okay, but more and more often, you see these states using vendors. And these are vendors, it's like any niche application, any niche market, you're going to get niche vendors
who pop up specifically to serve that market. So, before this, we had somebody call around. I wanted to know what states used what, how many of them used one vendor versus another, how many of them were designing in-house. I don't know if I can really say this,
but word got out that we were calling around and there were high of people who are less than thrilled. And defensiveness in public systems should really make us all uncomfortable. Now, I want to look at one particular vendor right now, because I have a little more firsthand familiarity with it, called PCC. Now, here's a list from their website of their
current clients. Okay, now factoring out for the consulting only options here, that's 15 states doing database management in election application, hosting for voter
registration, election night reporting. So, who is PCC? Well, this is part of the problem. Who knows? Go to PCC's website and no staff is listed. Only board officers, not even the whole board. Now, I didn't do research on people who did show up. I probably should have, I could have,
but I didn't. I don't want to knock them without any basis or unnecessarily then. And they seem to be perfectly reputable people. The one I did look at, I didn't see any obvious big political connections. CEO Tom Ambergy was a big shot at Central Square Technology,
for example, and they were recently at a major hack, a Magecart attack. Now, you know, I don't want to beat them up too much for a Magecart attack. They're good, but Magecart attacks generally use JavaScript injections, so it's something that could be hardened for.
And with election systems, there's just no margin for error. You got to be ahead of these games. So, I wouldn't say that was a big concern of mine, but it does raise my eyebrow a little bit. But let's look at some of these proposals that PCC or organizations like PCC have put forward
to the states to try to get their business. I want to show you the one from Delaware and just pieces of it. It's of course very, very long, but I'm going to show you here a typical
page from the publicly posted proposal from PCC to run their election systems. Okay. When you look at this, this is what you'll see. Not much.
I, you know, I didn't do the measurement and everything, but from my glance, I would say at the most about 20% of this entire proposal is visible. So that's me being generous.
Now, of course, I understand companies have proprietary information. They have proprietary stuff that's standard for any RFP. You expect that, but come on, why even post it at all? I mean, this is something made available to the public, you know, public records, but it's not.
I mean, it's almost a joke. If I didn't know better, I'd say it was almost passive aggressive. But what bothers me the most in terms of the redactions is all the staff is redacted, and this is typical. So just like the website, we don't know who's working on this. And that
bothers me a lot because people have their own interests. They come from backgrounds, partisan backgrounds, nonprofit backgrounds. I think it's reasonable and I don't think it necessarily, you know, reveals any particular corporate secrets that we could have some idea
who the people are doing this stuff, either in an individual state or even at the company proper. Now, financials are also redacted. I know that's a thing. That's very standard, but I would argue that it shouldn't be. I think our right to know trumps any embarrassment
or discomfort of big companies. And publicly, we might not want one that's on the edge of bankruptcy, and we might want to see that. So here is the problem. There are very few companies doing this, and they are opaque. We don't know who they are.
That's basically it. We don't know who they are, and that's scary. That's very, very scary, at least to me. And it does matter. In Georgia, they had a recent problem, a debacle involving
their voter rolls, involving the voter registration. Now, this wasn't exactly what I'm talking about, but it makes the point about how badly you can screw up an election simply by screwing up voter rolls. You can disenfranchise people in a big election crush. They're just not going to get to vote, or they're going to have to fill out
an enormous amount of provisional ballots, which honestly might not necessarily get counted the way they should be. Now, during a court case involving this whole debacle, a lot of insecurities, a lot of vulnerabilities in the PCC system were brought to the attention of
the court. After that, Georgia decided to pull back. Their contract ran out, and they decided to pull it back in-house. So that's a pretty unusual step to take, and it shows you just how concerning those vulnerabilities were. Now, you know, we've got our public officials
doing this. Can we count on our public officials to be straight with us about this stuff if there's a problem? Well, obviously not. And again, I don't mean to knock secretaries of states, but they have their own interest. They have an interest in getting re-elected,
and that means they have interest in looking competent. Now, some of them like to talk about internal security a lot. You know, we've upgraded this to make it better. We've got better voting machines to make this better. We're doing our due diligence within the sphere that we control
in order to do a better job and get re-elected. They don't like to talk about the potential for things outside, and that means they don't necessarily like to talk about the walls that they've built that they're responsible for that are, you know, the dividing, the firewall,
pardon the expression, between the voters and the outside world where you could have malicious actors. And again, with the Mueller report, we're talking about advanced, persistent threats. We're talking about state actors, but not necessarily. So, secretaries of state have a
vested interest in saying everything's rosy and everything's wonderful. So, that is a problem. So, let's look at some of the other systems. I've been picking on PCC, but there are other systems out there, and folks might recognize, Voting Village
might recognize one of the other major, probably the other major election management system that's out there. It's from ES&S. ES&S are our old friends. For years, Voting Village has been hacking their machines, and they, more than any of their companies,
have been the most belligerent. Last year, I believe it was, they actually had folks sort of roaming about trying to make people uncomfortable about hacking, suggesting they shouldn't. These were the last folks to come around and say that Voting
Village had a point, and it was only after so much coverage. Again, I think it was last year. These folks are not good partners. They are not reliable partners in our experience. I don't want to get sued for slander here, but in my opinion, based on what we've seen, these are not good partners. And we will remember how quickly the National Association
of Secretaries of State last year was right there to defend them on their own terms, on ES&S's terms, and in some language that looked a little bit much like their own words sometimes. So, scary, scary stuff. And are these things we can test in Voting Village
the way we take apart the voting machines? Of course not. Of course not. We can make our own, you know, dummy systems like we have, and we should, and there's a lot to be made there, but we can't go and test these systems. It's hacking we can't hack, right?
So, I've thrown a bunch of terrible stuff at you here. The question is, what do we need? Do I have any solutions here? Well, first of all, transparency. Transparency, transparency, transparency. We should know who these people are. We should know who runs them,
what their interests are. We should know what their backgrounds are. We should know we should need to know whether these folks even have the competence to do what they claim to do. And I'm going to talk a little bit about the Iowa debacle, where during the caucuses,
for the primary caucuses this year, the Democratic Party was using these little specially designed, custom-designed apps, mobile apps, to report the results of the election. You've probably heard about this. They were a disaster. They were a disaster.
It took a very long time to sort of rebuild the mess that they created and actually generate a final voting tally. It was a big embarrassment to the Democratic Party. They were going to be using the same systems in Nevada, and then pulled that out.
Now, what I would say the biggest problem conceptually with that application was that it was made by, and you see this a lot, made by folks in the industry who made a lot of personal connections. These were folks who had worked for the Democratic Party, done IT stuff,
and they decided to go out on their own. They made a crappy product, but the crappy product was bought up because, oh, we know these people. These people are in our industry. They're in our world. We know them. We trust them. So, I don't know if the
same thing isn't going on with some of these voting applications. PCC, who knows who ES&S hired. That is a real, real problem in this industry. So, we need to know who's doing it because we need to know if they're competent, if they're reaching out for the best people, or if they're just reaching out for people who are connected with the company,
which gets us back to another point. This needs to be opened up. If we've got one or two or three companies doing this, that gives those one or two or three companies a lot of power. We need to have more genuine RFPs get this out there, and I'm not saying there are
angelic companies out there, but mixing it up a little would help. Now, second, we've got to test this stuff. I'm sure the secretaries of state do pen tests on their systems, but it sure didn't help for 2016. I don't know how a pen test misses a SQL
injection attack. There are pen tests and there are pen tests. Again, the secretaries of state have a vested interest in not finding vulnerabilities, and I've seen some of this. The pen tests tend to be minimal. So, we talk about standards for voting machines.
We should have standards for these systems, and reports should be publicly available. We need standards for penetration testing, and that includes testing for social engineering all the way down to the user level, all the way down to the level of the election administrator
who has their own account and talks to this database system. A thorough pen test is going to include tests for social engineering, and you don't generally see that, especially when you consider any kind of code injection. Notwithstanding, the biggest problem will always be malware.
It will always be malware. You can't really audit these systems, so we need those standards and, again, transparency. You have to redact most of a pen test, sure, and that just makes sense, but we could at least be able to see the executive summary of these pen tests as a
public document. I would argue standards. I would argue, again, transparency. Those are the big two words. Standards, transparency. That gets us a long way. Now, I cannot stress how much of a problem this is. You know, if we're talking about voting machines and systems,
which we love to talk about and we need to talk about, a presidential election on those terms would be hard to tank just by going after voting machines. But not these systems. There may be thousands, I think 7,000 is what I read, localized voting machine tabulation systems.
You know, that's a lot to get into and hack, although not for a local election, and local elections are every bit as important as national elections. It's all democracy, although, again, not impossible. But when you're talking about these online databases and these internet-facing user election management systems, we go from 7,000 targets down to 50. 50 targets.
That's a lot more appealing. It's a lot more dangerous. And these systems interact, okay? First of all, most states, you're going to see some kind of connection or some kind of
ties to the DMVs, to the Department of Motor Vehicles, you know, we always have the check off for do I want to be registered to vote too. There are states like Vermont, I'm proud to say, that have automatic voter registration. So those systems have to talk to each other some ways. There are safe ways to do it. There are unsafe ways to do it. We don't know, again,
how they're doing it. Tax departments. Some states even connect to their tax departments. So, obviously, any big extensive network to network, they're going to be as strong as their
weakest links. And those weakest links could be in the statewide networks talking to each other. The weakest links more often than not are the users. You know, in New England, you can have election administrators running jurisdictions of as few as 70 people.
They don't have a lot of good equipment, and they don't necessarily have a lot of sophistication in how to do proper hygiene, guard against social engineering, against spear phishing. I mean, if I were somebody, I'd take aim at one of those folks,
and I'd go right after them. There's also ERIC, which is something I don't know about. ERIC is a statewide system, which now covers about half of the states. I think it's roughly 25, with more looking at it, whereby states interact their databases so they can track
cross-state registrations. As it is, it's been a challenge for those states to track, to take someone off a roll in one state because they registered in another state. That's a challenge. It's a weakness that a lot of folks have made a lot of fuss about,
and honestly, they probably should. That stuff has been, you know, a matter of sending a piece of paper or an email from one secretary of state's office to the other. So, obviously, you're going to have systems like ERIC popping up. Now, my understanding, which is limited,
is that in ERIC, you're not having a situation where the statewide databases are talking directly to each other, which is great. But, obviously, again, there is the malware issue. Malware can ride along with all kinds of things, and at any given time, a third or more
of the malware out there in the wild could be zero-day. So, you know, it's the same problem we have with antivirus systems. They can only be so up-to-date. They can only be so current. So, anyway, I'm not going to say, I hope I didn't scare you. I hope I did. That's why I'm here.
I think that's why a lot of us are here, are to scare people into action and to scare people into making things better. Again, I'm not trying to knock anybody down. I'm just trying to draw a lot of attention to this problem, and this is a problem we could go into a lot more technical
detail on, and, you know, I could talk for, you know, an hour or two if I wanted to, but I want to keep this accessible. I know for the election administrators who were watching this, and also I only have about 20 or 30 minutes to do it, but it's a conversation I think we need
to have a lot more of. Thanks. Thanks very much for listening. Thanks to Voting Village for having me, and hopefully I'll see you next year, maybe even in person.