DEF CON 26: First Day Review and Voting Machine Hacking



By: James Lint

On August 8-12th, many of the smart hackers gather in Las Vegas for DEF CON, commonly described as a hacker’s convention. This is the 26th year of DEF CON, which is held in Las Vegas.

The conference theme for 2018 is “1983: The View from Dystopia’s Edge.” At the heart of this theme is the concept of the counter-future, an open-source alternative to totalitarian dystopia. It is a world where we use technology and ingenuity for empowerment and connection, rather than isolation and control.

Founder Encourages DEF CON 26 Conference Attendees to Make Connections

DEF CON founder Jeff Moss, also known in hacker circles as Dark Tangent (DT), gave the keynote speech. Moss mentioned this was the first year they had to use two Las Vegas hotels for the event, a testament to the growth of DEF CON. He also discussed the implementation of transparency reports about any violations of the DEF CON Code of Conduct.

Moss encouraged conference attendees, especially introverts, to use DEF CON 26 to connect to like-minded people. Interactions are also facilitated through different types of conference badges, which have connections and a memory chip.

The goal is for attendees to connect with as many people and types of badges as possible. This information is retained in the individual badges that have lights and computer codes with riddles. DEF CON badges are always interesting and use some type of riddle each year.

Voting Village Provides Opportunity to Hack Voting Machines

Voting Village is an area for DEF CON 26 attendees to hack a collection of various state voting machines. One group to take up this challenge was a group of young, white-hat hackers called R00tz.

R00tz consists of a group of 39 kids from ages 6 to 17. They attempted to hack replicas of the Secretary of State websites of six swing states; 35 kids were able to complete an exploit. The quickest exploit was done by an 11-year-old in 10 minutes.

The kids were given an introductory walk-through of how to perform a Structured Query Language (SQL) injection. From there, they moved forward and were able to complete the hacks.

R00tz tampered with vote tallies, party names and candidate names. Total vote counts were changed to numbers like 12 billion and candidate names were changed to things like “Bob Da Builder.”

Hacker Makes Voting Machine Play Photos and Music

One hacker was able to reprogram a voting machine to play photos and music after uploading a Linux operating system to the machine. While this type of hack cannot be easily carried out in the time it takes a voter to use the voting machine, it illustrates some systems’ software vulnerabilities.

Other DEF CON 26 Voting Machine Problems: Memory Cards and Cyber Ranges

Some of DEF CON’s voting machines were vulnerable because they had easily accessible memory cards. These cards could be removed from the top of the machine and replaced with a market-purchased copy, pre-loaded with alternative voting poll information.

As a result, voters using that machine a polling place could find that they are no longer in the records or other voters could be added. This hack can easily be performed by a voter within five second by using a distraction or by being a poll worker with access to all voting machines.

Some machines keep personal records for all voters, including the last four digits of Social Security numbers, addresses and driver’s license numbers. All of this sensitive personal data was not encoded.

DEF CON 26 hackers were able to read and rewrite the internal database in voting machines, using SQLite, a simple database program that is available everywhere. They discovered that the root password and administrative password are stored in clear text within the voting machine.

The root password of some voting machines is “password,” an easily guessed password that virtually anyone could determine and that all people should be taught NOT to use. While exploiting this type of software vulnerability would require physical access to the poll books to make use of the info, it’s entirely possible to access this kind of information. The real security failure is that the passwords are stored in clear text in the machine.

The Cyber Range Project and Vulnerable Voter Registration Databases

The Cyber Range project was a simulation of a state’s voter registration database that hackers attempted to penetrate and modify. At last year’s DEF CON, hackers created a report of the vulnerabilities, which has been read by many people in security operations.

This year, one enterprising hacker was literally one step away from totally compromising the system in a short time. Normally, this type of complex hack requires a longer period of time.

Last year, the Cyber Range was penetrated in 10 minutes. This year, it deployed a security code used by foreign military services to make it even harder to penetrate. But still, one hacker almost penetrated this database.

Security Professionals Must Keep Learning at Conferences Like DEF CON 26

Conferences are great places to attend and challenge your perceptions. DEF CON has many unorthodox people who might not fit the corporate mold, but they have the brainpower to come up with impressive thoughts on vulnerabilities that industry and cyber defenders must solve. Attending conferences with an open mind can definitely bring new cybersecurity knowledge to your organization.