The Election System - Can We Fix It? Yes, We Can!
8:55PM Jul 26, 2020
election security in general is currently not doing so great. But our next speaker in addition to her pioneering work as founder and CEO of girls who hack is doing very impressive and interesting things to help address the flaws in the system and improve the situation for all of our sakes. Presenting the election system. can we fix it? Yes, we can. Please welcome the SI lab.
election system can we fix it? Yes, we can. solutions to improve the US election system with yours truly be asylum. First off Who am I I am a 13 year old girl In two years ago, I was the youngest speaker Hope it a lot has happened since then. I spoke three times at DEF CON in the voting village, the roots asylum and the bio hacking village. I also gave a talk on election security at DEF camp in Romania. I'm the founder and CEO of girls who hack tutta. Our motto is teaching girls the skills of hacking so that they can change the future. I provide physical and virtual lessons to any girl who wants to start her journey in cyber security. I am a maker in a hacker in my election hacking at the roots of silent was highlighted on a congressional hearing on election security. Here is me with the witness panel. going from left to right, we start off with Dr. Charles H. romand. He is the Director of Information Technology at NIST, which stands for National Institute of Standards and Technology. Next to him is Mr. Neil Kelly, who is a Registrar of Voters for Orange County, California. Then next to him is me. And next to me is Dr. latanya Sweeney. She is a professor of government and technology in residence at Harvard University. Next to her is Mr. Paul Xerox. He is the secretary for the oklahoma state election board. Then last but not least is Dr. Josh Ben Alo, he is a senior cryptographer at Microsoft Research. And while this talk will be focused on the US election system, the lessons here learned can apply to any election system worldwide.
So what did the rich society do?
The roots asylum held a mock election reporting system in us kids got to perform SQL injection to change the results. What is SQL injection you may ask? Here's part of my girls who have course on SQL injection.
The application that talks to the database is tricked into sending the attack query, an application, in this case, a web form, asking for a username and a password. Or one equals one is true. At the top you see the code from the web page. It says SQL equals select from users where name equals username and pass equals you pass. So it's requesting a username and a password so you can get it but the attacker writes this, um, Alice double quote or one equals one double quote. And then Alice pass double quote, or one equals one double quote. When she presses sign in, this gets sent to the database select from users where username equals Alex, or one equals one and pass equals Alice pass or one equals one. The SQL above is valid and will return all rows from the users and past table since or one equals one is always true. For kids and I, in the roots asylum did this attack last year and this year, you're thinking big deal. It was rigged for kids. But Russia use the same SQL injection attack and successfully broke into a state board of elections website where they gained access to voter records and exfiltrated them. They were then able to pivot into the network and who knows what happened after that. as outlined in volume one on pages 50 and 51 of the Mueller report. Now the election system, it has a huge attack surface, or 10,000 voting precincts, voter registration systems, voter databases, voting machines, reporting systems and of course, election officials. As Dr. latanya Sweeney set up the hearing on voting technology vulnerabilities. Every step introduces a vulnerability. There are problems everywhere. Most states lack the resources and technical expertise. Let's face it, they're election officials, not computer security experts. They have aging equipment. Many of the voting machines that have been pawned at the DEF CON voting village are still in use in many districts, they have a lack of consistent funding for security. A lot of the voting security money comes in a lump sum. This it fixes problems now, but not in the future. states need consistent voting security budgets, attacks by foreign adversaries with endless time and money versus the underfunded state and local election websites where Stephen Frank have to secure them along with all the other sites and help Bob print out his emails. This election security research team consists of one full time for part time and for contractors working on election security. There are more people working at a single McDonald's than there are at a working for our election security. So let's jump into some problems and solutions. This is me at the pen Sylvania voting machine review, we are allowed to examine the machines all we wanted. I drove them crazy. This simple to pick lock covers the USB port that contained the votes and software update port. So to start off, we're gonna start off with the voter registration systems. Voter Registration systems differ from state to state. Some have a standalone system while others tie in with their Department of Motor Vehicles driver's registration system. Everyone is trying to hack these systems all the time. If you monitor an intrusion detection system, which is a machine that examines all the network traffic, you will see constant attacks like SQL injection, cross site scripting, and other exploits from all over the world, including Russia, China, as well as tour exit nodes and others. The scary thing is get this election officials are not required to report any detected compromises or vulnerabilities in these systems. If the election was hacked, we wouldn't know. Yikes.
So how do we fix this? Well, the voter registration systems are things we know how to secure website and database security is something we know and have security standards and guidelines for. So let's use them. O OS, or the open web application security project has tons of resources to many to lists here. The NIST cybersecurity framework provides a way to identify, protect, detect and respond to any cyber attacks openscap which is security content automation, protocol, support Automatic configuration from Nur ability patch checking and security measurement, the SAFE Act is currently sitting in set. The SAFE Act requires many important things including voter verified paper ballots. These are important because the voter actually verifies their vote, and there's an analog paper trail. Risk living audits are where the votes are counted by humans to make sure the machines are accurate. Using risk losing audit and voter verified paper ballots are our best defense against election tampering. So you've built your reporting system. Now what test it First, make sure it actually works. Then have your team tested. Make sure you cover the basics like the OWASP Top 10 Then fix all the bugs. And don't waste your budget on having professionals come in. Just to tell you what you could have found out for yourself. then test it with hackers. Make sure it's fully tested before bringing in an external PES pen testing team. They will find things you never thought of. If you're thinking that these systems out there are secure. Well, let me tell you, they're not hackers have found SQL injection working on a state site. Just recently. states need to have a bug bounty, or at least a very clear channel for reporting vulnerabilities.
So you've registered to vote. What's next? voting machines,
voting machines you will The US would have a thriving voting machine industry. Unfortunately, this is not true. If you want to make a voting machine you need to make the entire system everything from the voter registration system voting machine tabulator and reporting system. This is why 80% of the US voting machines are made by two manufacturers, SNS and dominion. SNS bought global election systems which became dyeable. Again, this SNS senior programmer and VP was convicted of computer software tampering and embezzlement in 2004. They performed an emergency software patch in 37 swing states, these are case days they're capable of swinging the election one way or the other. Georgia and Tennessee have reported machines losing votes in predominantly African American neighborhoods, which is not right. These manufacturers keep their source code closed and will threaten the lawsuits. If people try to examine it. Wonder what they're hiding. The diable gems tabular was found a lowering vote counts. It's not that hard people vote gets the plus one. Or for my C Programming fans out there vote plus plus, many machines and tabulators have hidden backdoors that allow votes to be manipulated during the election. Here you can see in red what the gems tabulator said the vote count is but as you can tell by the human readable paper trail, the votes are higher.
Now, direct recording systems are voting machines that do not produce a human readable paper trail. These machines cannot, I mean, not be made secure. As was proven every year at the DEF CON voting village. The vote count can be undetectably manipulated. These types of machines are used in many countries around the world, including Brazil. Want to guess who makes those machines in Brazil?
Diebold you know, I would trust more than a direct recording system.
No. Another way to collect votes is with paper ballots. There are two types, hand marked paper ballots and balanced Marking devices, hand marked paper ballots is the best most secure option. These are marked by voter themselves, then scan with an electronic scanner are counted by hand and ballot marking devices, or originally made for handicapped voters. But with the demand for public for paper ballots, the voting machine manufacturers saw this as an opportunity to sell the more expensive bmds as paper balance. There are a few problems with these machines. If the machine flips your vote, what can they do? What's a human error or a machine error? So machines print out a barcode as a paper trail. So how do you know what a barcode says when you check it? That bar fat bar skinny or fat or fat bar skinny bar So overall bmds suck with new machines that take up to 10 minutes to switch screens while voting. I mean, make if you go to McDonald's and you go to one of their screens, when you flip the screen, it doesn't take that long like, catch up people. Texas machines are unable to read RFID voter card and that caused massive delays. Brand new yes and s machines reported zero democrat votes on print out. In the hand count reveal said Democrats won. Hmm. This just it? Dr. E's suck. Virginia changed to hand Mark paper ballots and the Democrats won for the first time in 20 years since they are yd d. e voting machines, huh? So Alright, let's hack a voting machine. The Accu vote is a direct recording system. Some of them have a printer so the voter can verify their vote. Some don't. In 2007, the source code was reviewed by the state of California. They found it was susceptible to viruses that could alter the vote count. My friends over at the hacker house, were able to load their own firmware into the machine and could do this election fixing software hack toy rigging election. They were also able to do this. And what does every hardware hacker ask? Can you play Doom on it?
Yes, yes, you can.
Let me ask you, where are your voting machines stored right now? How well are they secured while in cold storage?
Hey, Bob, where do you keep the spare traffic? Oh, you know by the voting machines where I eat my lunch, look at this, they're securing it with caution tape. Nobody can get past caution tape.
bad actors can purchase these machines off the internet, reverse the software and the firmware. Then install half software in firmware on the machines in cold storage. Well, these machines may have tamper evident seals. They're really not tamper evident. Here is me a DEF CON 25 removing tamper evident tape with acetone. I was then able to reapply it with no noticeable difference. So what can we do to secure voting machines in cold storage you may ask? Well, we can invest in more secure storage, monitored security systems and cameras, complex locks and buoy traps.
Okay, maybe not the last one wink.
Another way to help secure voting machines is to reinstall the software and firmware before the election, making sure to check software fingerprints and checksums before installing. Doing this will not only ensure the latest patch software is running, it will also wipe out any malicious code that may have been installed. So where does my vote go next? Different election systems have different ways of delivering their final vote count. ballots are printed out in triple get checked and signed by poll workers. These are then phoned in and sent by car to the auction office. USB sticks by car. Is that data file encrypted? If not, it can be manipulated. So machines report their accounts by cellular data transmission. This goes over the public Internet. But we all know how safe the public Internet is right? It is also worth saying that there is no established Chain of Custody rules for any of these delivery methods. So how do we secure it while in transit? Well, there are many ways to secure it while in transit. We can encrypt the records while being transmitted and while at rest. We can perform risk limiting audits to make sure that the paper ballot matters. Just what the machine recorded and just don't use the public Internet. The machine manufacturers want you to think cellular modems are not connected to the public Internet. But guess what they are. Here's a diagram the manufacturers could learn from. That's the voting machine over there on the left, transmitting over the air with its cellular modem to the cell tower that's connected to the public Internet where my friend Rainbow Dash is taking a nap. Then the vote tabulator is also connected to the internet behind a firewall, but we all know firewalls don't stop hackers. Now for the next step, the next step is vote count reporting systems. These just like the voter registration systems are standard things that We know how to secure and again, like registration systems, we should follow industry standards and guidelines. Remember this slide guidelines exist, let's use them. I'm going green, I'm recycling it. Now, let's talk about humans. Let's face it, they have so many flaws. That's why I like cats better. And let's face it, all the security in the world can protect against Bob clicking on a link he shouldn't. Spear Phishing campaigns exist and have been successful against voting machine manufacturers. using fake emails. They can direct users to fake websites that compromise their machines. As Mr. Kelly, the Registrar of Voters for Orange County, California, set up the hearing how well are my election officials trained not to click on links they're not so Post chances are not well enough. Sorry, Mr. Kelly. social engineering. Oh action officials must be regularly trained on how not to be social engineer. regular training is very, very important, not just during the election season. Fix the humans sacred form election working groups with local federal and state officials including the Department of Homeland Security, the FBI, as well as state Cyber Command in this no and shall be shared across the entire state.
In the end, what is the big fix?
We need to look at the election system as a very very, very hackable security problem. From the start. Security can't be something we just bolt on at the end. The election system is one big hardware and software system. So we need to change train our developers and engineers, teach them secure coding from the start. Teach them how to hack and think like a hacker. So they can better code systems that are more difficult to compromise and send them to security conferences, and hire hackers. They bring a different perspective. They think around outside and destroy the box. There's security minded individuals, to whom everything is a security puzzle just waiting to be solved. Also, don't be afraid to hire hackers without certifications in kids right out of school. They will bring an excitement and desire to prove themselves. What is the Best system.
I've made this really big, so you can take a screenshot.
The best system is one with hand marked paper ballots, and with risk limiting audits and now announcing genitive data secure, open vote my own election system. Secure open vote is an open source voting system using hand marked paper ballots. My goal is to make a complete end to end system. I figure I have the smartest friends, we could probably make a pretty awesome election. So I will also have their reporting system ready for DEF CON this year. So you can try and hack it yourself. And thank you for listening to my talk. If you'd like to learn more about me, girl to hack or secure europen vote, check out any of these sites over here. And don't forget to follow me on Twitter, Facebook and Instagram. Bye bye.
Before we start questions, did you want to make any comments or any additions to the video before we start taking questions?
There is one thing I want to mention and that's the, um,
your life. Sorry, your live now. Okay, hi. I'd mentioned
we're glad that you you're here with us to watch the video we're here with the speaker Bria cylab and she just has a couple of things she wants to
add to the
are like okay, so
Like audio at the end.
Okay, so Bruce, I love did you want to add some more things to the video?
Um, well my secure open vote election reporting system is going to be available to hack at DEF CON this year. And whoever can change the vote count gets cool hack five prizes.
I just wanted to mention that so try and hack it. What you can do, see what you can do.
Alright, that's all right. Sounds good. That sounds good. Um, for some more questions, so we're waiting for some more quick questions, but I want to know is there I want to know the update. Is there any update on any updates on any legal No. Got it. put some transparency in electronic voting? given the choice of voting in
person, or by mail
or by a mobile or electronic, Which do you think is the best method for voting?
I'm reading recently been researching voting by mail since that seems to be the hot topic with COVID going around.
And honestly, if you vote in person, it's better to do voting with paper, hand marked paper ballots, but voting by mail in it's easier because you have more time to think about it and fill in your vote. Um, you can do it any time. You don't have to be like, well, I can't go vote because I have to get to work or else I'm going to get fired or something like that. So you have more time to do it. So I feel like voting by mail also helps with that. Um, so yeah.
Got it. All right, let's go on to the next question. What states
seem to be doing better with electronic voting?
Um, honestly, since you specify to electronic voting, it's um, it's better any state that
uses paper, hand Mark paper ballots or slimming audits. I know I say this a lot about them, but it's always just better. Can't really secure anything electronic.
Understood. Thank you. Next question
is what is your opinion of Mayland voting in general?
The questioner will
refer reference to New Jersey. But, you know, what's your opinion on that?
Like I said, voting by mail.
I'm still just researching it, but It's It's way better and
it's just easier to use and more accessible to many people. So yeah.
effect. What do you think is the best thing that can be done to restore people's trust in elections?
Mostly if people would just know that you. If someone actually
like checked in, they actually have proof to say, hey, everything's secure. Look, we tested our election system. We tested everything. See, here's the proof. If the public knew that, like we tested it, and we actually cared about security, and we mentioned security, then I feel like they would just
trust in the election system more.
All right. Our next question is, how do you how would you recommend I helped my six
year old nephew and four year old niece get into security in hardware. My nephew loves hacking steals my iPhone. password all the time. Well, number one, definitely send them to conferences. Most conferences also have kids tracks.
DEF CON has the roots asylum. Every conference usually has talks and stuff for beginners. I'm beginners can be pretty much any age because it's for beginners. And then I also have my girls who hack and all of my courses on sorry with cyber security. Got it? Thank you. All right. Do you know of any other countries that are doing a good job with electronic voting?
I'm not really sure I focus more on the US election system. I'm not really sure because every other
country has like a different way of voting. So it always just depends on how it works.
Thank you. Are there any organization is trying to standardize the
internationally or the US regarding voting systems? Well, as I mentioned in my talk, the SAFE Act, I hope that passes and
honestly, there's not much that has been going on. There have been so attempts to try to secure everything
Are there any other crazy projects that you're working on to take over the world?
I'm building a giant robot army. I'm just kidding. But um, recently I've
been focusing more on election security. Mostly because the elections Coming up, I kind of postponed working on my horse bot, which if you go to PSI lab calm, I mentioned that and talk about it a bit, but mostly just going full on with elections. I'm also I'm for hope. I also have my two girls who hack classes on building a home lab in intro to web hacking. So I've been working on filming and editing those.
Well, it's for those workshops coming up.
I'm actually tomorrow at four
o'clock here at hope they're coming up and if you miss it, I'm also putting it
on girl to pack calm.
Very good. All right.
Next question is. Do you
have any ideas for getting Do people to actually go out and vote. Um, one thing I wish would happen is, as you probably know, the day when you have to go and vote,
it's not like a holiday, like you have work afterwards. So more people are like, Oh, I have to get work to work. The traffic's going to be bad and just like stuff like that. So they're like, I just don't have time to vote. So I feel like if we made it a holiday, then more people would have time to be like, Okay, I have time to go and vote because I don't have work and all this other stuff going on. I agree. There are some countries that do make it a holiday. I think it's a great idea.
Have you look at Have you looked at Microsoft's election guard software?
No, not yet. By will look it up now that you mentioned it. Okay.
Do you feel that you and other people of your age should be allowed to vote?
Well, I am only 13 I really, really wish I could vote. But I feel like
since now I'm in high school, some kids my age are still in high school, middle school. They're getting into
just politics in
general and learning how the government works. So I feel like I'm 18 is a good age to be able to vote because then you finished high school, you're going into college and you you've learned how everything works and you've had more time to let your brain develop and research some things and really get a true opinion on everything.
Right. Thank you. All right. What is your thoughts on different voting system? films such as
instant runoff, ranked choice star, etc similar systems.
Um, I'm not really sure about those. I don't really have an opinion opinion on any of those. Right.
Okay, any next question is about any suggestions or
comments on the topic of
well, I don't feel like it's that right honestly, um, everyone should truly just
voting should just be accessible to everyone and
voting should be something easy to understand
very accessible, it shouldn't be something hard to get,
I understand and, you know, it's amazing watching how the parties make all these crazy lines
in the neighborhoods, depending on you know, who is which party, etc. All right. Um, next question is, do you think would be a good idea to require everyone to vote? I'm actually not really, um, I feel like some people, they honestly just don't
know who to vote for. And the more votes the better the more people who get to vote, the more people voting, it's always just better. Um, but honestly, um, you shouldn't force anyone to do anything they don't want to or really have to. So yeah.
Thank you. It's a great question. So we've heard so much about blockchain technology.
do you know whether or not it would have a role in electronic voting like for auditing or non repudiation? I feel like blockchain and voting should not mix honestly. And I'll just leave it at that.
All right, um, I think that's all a wait. We've got one more. Okay. That's it
for all the questions and I want to thank you very much. Your talk was very interesting. And thank you very much for sharing it and sharing your time with us here at hope 2020 was very enjoyable. Thank you. Thank you. All right, we're going to take off to our info
Beamer and we'll be back with you in about
10 minutes. Thanks very much, everybody. Hang around. By excellent Hey, that was great.
off the air. Thank you. So that