“If there’s a theme this year, it’s hackers versus conspiracies,” said Harri Hursti, co-founder of the Voting Machine Village. “2020 and all the side effects changed everything here.”
It’s an uphill battle, and one that offers a taste of the issues the election security community will face as the November election approaches and in the weeks beyond – as they both try to to ensure that voting equipment is as secure as possible and to quell false claims that equipment could be tampered with to change the outcome of the election.
The problem is personal for the hackers who come to the polling village, many of whom have spent years both seeking election security and pushing election equipment makers to publicly disclose those vulnerabilities — a move many companies objected.
“All security improvements [have been] hampered by all the false allegations, conspiracies — and fighting them,” Hursti said.
After the 2020 presidential election, then-President Donald Trump tweeted an NBC News report from DEF CON to allege security flaws in equipment at voting machine company Dominion. Hursti said other 2020 candidates also used DEF CON clips to cast doubt on election security.
Hursti noted that organizers cannot control how these news clips are used once they are released to the world.
“When it’s in a digital format, misuse of clips is inevitable,” Hursti said. “What we’re trying to do is make sure the right message gets through.” That “good message,” he said, is that elections are more secure because researchers are looking for these vulnerabilities.
At this year’s polling village, Hundreds of attendees strolled between tables in a cavernous Caesar’s Forum conference room, inspecting ballot scanners, voter registration devices and computers running voter database software. In some places, groups of pirates crowded around the tables to physically dismantle the machines. At others, they brought out laptops to connect to equipment and digitally scan devices.
DEF CON attendees are used to finding shocking weaknesses in machines. In the 2018 event, an 11-year-old hacked into a bogus version of Florida state election websites in less than 10 minutes. The 2019 edition revealed vulnerabilities in various machines that participants said could allow vote counts to be altered, ballots to be displayed incorrectly, and internal software to be modified.
The results fueled calls to return to using paper ballots or machines with paper records to verify votes. But organizers are quick to point out that it would be difficult to exploit vulnerabilities on a large scale, and that in many cases attackers would need to have physical access to machines. The decentralized nature of how U.S. elections are run — with each state and even county using different voting systems and election protocols — is an added safeguard.
This year, however, the polling village has paid nearly as much attention to how to combat lies about widespread voter fraud. A former National Security Council official has explained how disinformation targets minority voters. The officials of Maricopa County, Arizona has been debunked yet again ongoing conspiracy theories, often championed by Trump supporters, alleging widespread fraud in the county’s 2020 election results.
Arizona officials have methodically debunked the allegations, including false claims that The Italians had used satellites to infiltrate voting machines in the county and that election officials sent thousands of ballots from Asia. (In fact, officials said, no county machines were equipped with the technology to allow a satellite to impact, and those ballots could not have been airmailed undetected.) They also noted the steps they’ve taken since 2020 to try to stop these theories from bubbling up in the first place, including setting up a 24-hour video feed for the public to watch the vote count and using rigorous precision audits and counts.
Michael Moore, the chief information security officer for the Maricopa County Registrar’s Office, urged attendees during a session Saturday not to accept allegations of voter fraud without proof.
“Please demand sources, demand data,” he said.
Maricopa officials said they were still beset by misinformation about election security and the integrity of the county’s vote, as well as physical threats for their ongoing efforts to debunk the allegations.
Nate Young, the IT manager for the Maricopa County Recorder’s Office, described his work debunking conspiracy theories as “a full-time job”, adding that “when I can do my job, it feels weird to me”.
And officials only expect more in the months leading up to the midterm elections. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, even told reporters ahead of the conference that she is more concerned about misinformation and threats against election officials than cyber threats to the upcoming elections.
Ben Hovland, a commissioner for the United States Election Assistance Commission, which tests and certifies voting materials, said the need to divide their attention makes the job of election officials more difficult.
“That’s really the challenge that our state and local officials are facing right now is that they can’t take their eyes off the cyberbullet, it’s still a real threat, but they’re facing…the harassment, they face with weaponized information requests that are born out of misinformation, and it’s really difficult,” he said.
Still, even Young of Maricopa County argued that an event like the polling village is important for finding vulnerabilities before they can be exploited on election night.
“I want these vulnerabilities found, that way we can identify these vulnerabilities in our own systems and fix them,” he said.
And while the full results have yet to be made public, some equipment vulnerabilities quickly surfaced during this year’s event.
A voting machine from China – which Hursti bought from Alibaba and had shipped – was hacked in five hours through a “slow and methodical” process, he said. If participants had been able to use what Hursti described as “free for all” methods, he likely would have been breached in less than half an hour, he added. According to Will Baggett, a former CIA officer and digital forensics specialist who presented at the event, this process was made easier thanks to the machine equipped with WiFi, Bluetooth, a facial recognition scanner and a fingerprint reader. All these features provide tempting methods for hackers to gain access to them.
“We don’t know what’s in there, but because we don’t know, we’re methodical with it,” Baggett told attendees.