LAS VEGAS -- While President Trump appears to be debating whether the voting system in the U.S. was compromised by the Russians, hackers at Defcon were hard at work trying to understand its vulnerabilities.
Defcon is the annual hacker conference in Las Vegas, and the buzz this year centered around the Voting Machine Hacking Village.
A dozen electronic voting machines, like those you might see at your local polling place, were set up along the walls of a conference room. In the center were tables where hackers took some machines apart.
In the corner, three men sat at a table trying to hack into a cartridge used to store votes on one machine.
“So we still have wrong communication parameters," a hacker named Bryan said to one of the others. "Bang your head again."
Bryan, who declined to give his last name, is a '"white hat" hacker, which means he works to protect computer systems.
To do that he needs to learn how the bad guys break in. Some of the work to figure that out can be illegal, which is why hackers at Defcon like to stay anonymous.
In fact, until 2015, hacking voting machines -- even to do research -- was against the law unless you got a special waiver, said Matt Blaze, a computer science professor at the University of Pennsylvania.
“So far, only a few dozen people who are computer scientists thinking about this have been able to get access to these machines,” Blaze said.
He helped set up the voting village at Defcon, which took place over four days in late July. A decade ago, Blaze obtained a waiver to study electronic voting machines in California and Ohio.
“And my team of graduate students and I were able to very quickly discover a number of really serious and exploitable problems with those systems,” he said.
But Blaze said researchers missed more important targets: the companies that supply the electronic voting machines and county election offices.
Unlike voting machines, which aren’t generally connected to the internet, the companies that supply them and county offices that tabulate the votes are online.
The risk, said Blaze, is that hackers could get their hands on the list of registered voters that is checked on Election Day, the description of the ballots that are presented to voters and the systems that count the final tallies.
Security researchers need to better understand all the computing systems used in voting, Blaze added. So the hackers at Defcon set up a computing network that mocks ones used at a typical county voting office.
And they asked hackers to have a go at it.
On the first day, three hackers attempted to figure out a password in order to get the list of voters. A day later, they succeeded, said Gil Brice, who helped set up the mock network. He said a few other hackers got into the database of the mock county voting office.
“The manufacturers and the states can’t bury their head in the sand,” Brice said. They can’t say, “‘Yes it’s already secure, we don’t have to worry about it.’ ”
Brice said that, in less than 48 hours, hackers at Defcon demonstrated that the computer systems used in voting in this country aren’t really as secure as you might think.