https://threatpost.com/def-con-2018...-back-from-election-officials-vendors/134980/
Excerpt
Exploits Abound
In terms of exploits, white-hats were able to show an array of disturbing hacks; these included everything from prank-level successes (i.e., hacking a voting machine to play gifs and music) to the deeply concerning (participants were able to hack a mock election to give an un-listed candidate the most votes; and an email ballot was altered so that the recorded vote was different from what was selected).
For instance, active Diebold TSX voting machines were found to be running on expired SSL certificates from 2013; and, the Diebold machine locks turned out to be easily hackable. A hacker was able to reprogram a Diebold TSX to play gifs and music after uploading a Linux operating system.
Also, Diebold poll book machines (specifically, the Express Poll 5000) were found to be vulnerable to having their easily accessible memory cards removed from the top of the machine and replaced with a market-purchased copy, pre-loaded with alternative voting poll information. This means that voters who attempt to vote at a polling place may find that they are no longer in the precinct's records, or other voters could be added who could then vote in that polling place.
Disturbingly, the hack can easily be performed by a voter within five seconds, using a distraction or by a poll worker with access to all machines.
These machines also keep supervisor passwords on cards listed in plain text (plus, the root password is: “password”); also, they store personal records for all voters, including last four of Social Security numbers, address and driver’s license numbers – all without protection by any encryption. The hackers were able to read and write the database inside, using the simple database program SQLite; although exploiting this vulnerability would require physical access to the pollbooks to make use of the info.
Meanwhile, Election Systems & Software (ES&S) Vote Counter machines, the kind used by counties to count ballots from municipalities, were found to have active Ethernet ports, exposing them to several vulnerabilities.
One hacker found that if you remove the back panel on an ES&S m650, one of these ports could be used to completely control the machine; thus, he was able to get serial console access to the machine. Also, the machine is running a version of the QNX operating system with no password.
In addition, a zip drive on the front of the machine would allow someone to load a corrupted version of software with no digital verifications by the machine that the update is legitimate; the new software will override the software on the machine. In fact, any file named “update” on an inserted zip disk will immediately be executed at the highest privileged level – regardless of the kind of program it is. In other words, it’s a short-cut method of running arbitrary code.
In the “precocious” column, an 11-year-old was able to hack a replica state-level Secretary of State website within 10 minutes. In all, 39 kids aged 6 to 17 attempted to hack replicas of the websites of six swing states; 35 kids were able to complete an exploit. They tampered with vote tallies, party names and candidate names (including “Bob Da Builder” and “Richard Nixon’s Head”); and changed the total vote counts to numbers like 12 billion.
The kids were given an introductory walkthrough of how to perform an SQL injection, and from there they “ran with it and were able to complete the hacks,” DEF CON media contacts noted.
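The excerpt's ES&S finding (any file named “update” on inserted media runs with no verification) is the absence of an authenticity gate. The sketch below is an added example, not code from the article or from any vendor: it shows the check a device would make before installing media content. The key, function names and manifest layout are assumptions, and HMAC stands in for the asymmetric signature a real device would verify with a public key only.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption). A fielded device should hold only a
# public verification key; HMAC keeps this example standard-library only.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _mac(body: dict, key: bytes) -> str:
    """MAC over a canonical JSON encoding of the manifest body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def sign_manifest(payload: bytes, version: int, key: bytes) -> dict:
    """Vendor side: bind the payload digest and version number under a MAC."""
    body = {"sha256": hashlib.sha256(payload).hexdigest(), "version": version}
    return {**body, "tag": _mac(body, key)}


def verify_update(payload: bytes, manifest, key: bytes, installed_version: int) -> tuple:
    """Device side: return (allowed, reason) before anything is executed."""
    try:
        body = {"sha256": manifest["sha256"], "version": manifest["version"]}
        tag = manifest["tag"]
    except (KeyError, TypeError):
        return False, "manifest missing or malformed"
    if not (isinstance(tag, str) and isinstance(body["sha256"], str)
            and isinstance(body["version"], int)):
        return False, "manifest missing or malformed"
    # 1. The manifest itself must be authentic (constant-time comparison).
    if not hmac.compare_digest(_mac(body, key).encode(), tag.encode()):
        return False, "manifest not authentic"
    # 2. The file on the media must be the file the manifest describes.
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual.encode(), body["sha256"].encode()):
        return False, "payload digest mismatch"
    # 3. Refuse to reinstall older, possibly vulnerable, releases.
    if body["version"] <= installed_version:
        return False, "rollback refused"
    return True, "ok"


if __name__ == "__main__":
    release = b"constructed update image, version 2"
    manifest = sign_manifest(release, 2, DEMO_KEY)
    print(verify_update(release, manifest, DEMO_KEY, installed_version=1))
    print(verify_update(b"some other file named update", manifest, DEMO_KEY, 1))
```

The same gate applies to the poll book memory cards described in the excerpt: content read from removable media is treated as untrusted until its manifest verifies.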