DEF CON – “don’t worry, the elections are safe” edition

Don’t worry, elections are safe. Our security researcher Cameron Camp gives us highlights from the DEF CON 30 conference.

Scattered around a multitude of tables in the election hacker village here at DEF CON 30 are all the devices – wide open – that must keep elections secure. Oh, the irony. It is unclear how some of these devices ended up here, another unsolved mystery.

Fortunately, they contain a myriad of tamper-proof defenses, but judging from the tables, none of that has stopped, or even noticeably slowed, the people here from taking a look.

Since tamper resistance appears to be about as effective as sticking your hand out the car window is at resisting the wind, how much faith should we have in the digital circuitry inside or the software running on it, the real “safe” brains?

Here, equipment manufacturers have been at best resistant to security researchers, at worst litigious. During the last US presidential election cycle, even the mention of unfair play was enough to attract lawsuits. That does not help the research.

That sentiment has cooled, albeit cautiously, but it’s still unclear how close to a lawsuit you’d be by even asking about the insecurity of some of these machines.

Fortunately, similar vendor dynamics have already played out in other areas such as the PC, mobile and cloud. Players in those areas have long realized that it is better to engage in dialogue with researchers than to threaten them. Even at DEF CON in the car hacker village, there are manufacturers willing to talk.

Not that DEF CON is really full of researchers—more like curious hackers-in-training looking at shiny, digital things. But some are also the next generation of defenders, so they can’t all be bad. Some will eventually make house payments and help defend us all, so we need to invest in them, e.g., by bringing a stack of voting machines to a cluster of tables and leaving them unattended so that their guarantees could be horribly violated.

At a village talk, the presenter responded to how much an individual vote really matters by saying something like “Look how hard foreign adversaries are working to change them: they wouldn’t spend so much effort if a vote didn’t matter.” Maybe she’s right in some sort of overarching sense, but a few votes were flipped here and it would be devilishly difficult to thwart at scale. Speaking of scale, here she appealed to the community to help her scale the message, in ways that not many outside of a DEF CON context know how to do.

Activists reaching out to the community seems like a good move.

Even if there were perfect security, a shady bet at best, thousands of volunteers dot the woods, cities, and in between, operating these machines in a less-than-perfect way. Add to this what happens when the votes come in, are counted and digested by all the machinery, in near real time, to produce election results. For example, it is rare in electoral totals that the results are the same as the number. Errors occur.

The US government has offered a whopping US$10 million bounty for tips on foreign adversaries meddling in elections, but in nation-state economies the financial benefit of a favorable trade deal from a swing election would easily eclipse that amount, so it could still be worth playing.

Ultimately, the vendors here at DEF CON have to warm up and welcome researchers who try to help, even if aspiring hackers have to acknowledge some kind of “do no harm” statement, like the one they have to accept in order to access the medical hacking village.

That part came in handy when one of my friends was able to root a medical device in that village. But he’s a good guy. That part made the medical device maker much happier, albeit cautiously. When he agreed to reveal everything he did, their relief increased noticeably. So I guess his actions improved their mental health in the end?

William
