One of the country's biggest hacking conferences became a test site this year for an urgent political question for the midterms: How to hunt for vulnerabilities in voting machines without fueling election misinformation.
Since 2017, the annual DEF CON conference — which wrapped up Sunday in Las Vegas — has featured a “Voting Machine Village” where attendees attempt to crack voting equipment ranging from registration databases to ballot-casting machines. The hackers at DEF CON — which takes its name from the military term for alert levels — have found vulnerabilities in nearly every machine featured during those years.
But this year, in the wake of a 2020 U.S. presidential election where false claims of election fraud abounded — including everything from disproven allegations that mail-in ballots were tampered with, to unfounded claims that some voting machines were programmed to change votes — the Voting Village got a lot more political — and the organizers worked to control the information coming out of it.
“If there is one theme this year, it’s hackers against conspiracies,” said Harri Hursti, the co-founder of the Voting Machine Village. “2020 and all the side effects have changed everything here.”
It’s a tough battle to fight, and one that offers a taste of the problems that the election security community will be grappling with in the run-up to the November elections and the weeks following — as they try to both make sure voting equipment is as secure as possible and to tamp down false claims that the equipment could be tampered with to change the outcome of the election.
The issue is personal for the hackers who come to the Voting Village, many of whom have spent years both researching election security and pushing election equipment manufacturers to publicly disclose these vulnerabilities — a move many of the companies have opposed.
“All the security improvements [have been] hampered by all the false claims, conspiracies — and fighting those,” Hursti said.
Following the 2020 presidential election, then-President Donald Trump tweeted out an NBC News report from DEF CON to allege security flaws in equipment from voting machine company Dominion. Hursti said other 2020 candidates also used clips from DEF CON to cast doubt on the security of elections.
Hursti noted the organizers can’t control how that news footage is used once it gets out in the world.
“When it’s in a digital format, the misuse of clips is inevitable,” Hursti said. “What we try to do is to make certain that the right message gets out.” That “right message,” he said, is that elections are safer because researchers are searching out these vulnerabilities.
At this year’s Voting Village, hundreds of attendees wandered among tables in a cavernous conference room at Caesar’s Forum, inspecting ballot scanners, voter registration devices and computers running voter database software. In some spots, groups of hackers crowded around tables to physically pull apart machines. At others, they whipped out laptops to connect to equipment and digitally scan the devices.
DEF CON attendees have a history of finding shocking weaknesses in the machines. At the 2018 event, an 11-year-old hacked into a fake version of Florida’s state election websites in less than 10 minutes. The 2019 edition exposed vulnerabilities in various machines that participants said could allow vote tallies to be changed, ballots to be displayed incorrectly, and internal software to be altered.
The findings have fueled calls to move back to using paper ballots or machines with paper records to verify votes. But organizers are quick to stress that it would be difficult to exploit the vulnerabilities on a large scale, and in many cases attackers would need to have physical access to the machines. The decentralized nature of how U.S. elections are run — with each state and even county using different voting systems and election protocols — is a further protection.
This year, though, the Voting Village included nearly as much attention to how to combat lies about widespread fraud in elections. A former National Security Council official spoke about how disinformation targets minority voters. Officials from Maricopa County, Ariz., discussed debunked yet ongoing conspiracy theories, often championed by Trump supporters, alleging widespread fraud in the county’s 2020 election results.
The Arizona officials methodically debunked claims including false allegations that Italians had used satellites to infiltrate voting devices in the county and that election officials had flown in thousands of ballots from Asia. (In fact, the officials said, no county machines were equipped with the technology to allow a satellite to have any impact, and these ballots could not have been flown in undetected.) They also noted steps they’ve taken since 2020 to try to prevent these theories from bubbling up in the first place, including putting in place a 24-hour video stream for the public to watch the vote counting and using stringent audit and accuracy counts.
Michael Moore, the information security officer for the Maricopa County Recorder’s Office, urged attendees during a session on Saturday not to accept claims of election fraud without proof.
“Please demand sources, demand data,” he said.
Maricopa officials said they’re still getting pummeled by misinformation around the county’s election security and voting integrity, along with physical threats for their continued efforts to debunk the claims.
Nate Young, the director of IT for the Maricopa County Recorder’s Office, described his work to debunk conspiracy theories as “a full-time job,” adding that “when I get to do my actual job, it feels weird.”
And officials are only expecting more of that in the months leading up to the midterm elections. Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, even told reporters before the conference that she is more worried about misinformation and threats against election officials than about cyber threats to the upcoming election.
Ben Hovland, a commissioner on the U.S. Election Assistance Commission, which tests and certifies voting equipment, said the need to divide their attention is making election officials' jobs more difficult.
“That’s really the challenge that our state and local officials are facing right now is that they don’t get to take their eye off the cyber ball, that is still a real threat, but they are dealing with…the harassment, they are dealing with weaponized information requests that have grown out of the disinformation, and that’s really challenging,” he said.
Still, even Maricopa County’s Young argued that an event like the Voting Village is important to finding vulnerabilities before they can be exploited on election night.
“I want these vulnerabilities to be found, that way we can identify those vulnerabilities in our own systems and shore them up,” he said.
And while full results have not yet been made public, some vulnerabilities in equipment quickly emerged during this year’s event.
A voting machine from China — which Hursti bought on Alibaba and had shipped over — was breached in five hours through a “slow and methodical” process, he said. If participants had been able to use what Hursti described as “free for all” methods, it likely would have been breached in under a half hour, he added. According to Will Baggett, a former CIA officer and digital forensics specialist who presented at the event, this process was made easier due to the machine coming equipped with WiFi, Bluetooth, a facial recognition scanner and a fingerprint reader. All of these features offer tempting methods for hackers to gain access.
“We don’t know what’s in there, but because we don’t know, we’re being methodical with it,” Baggett told attendees.