Hacking and national security experts say that U.S. voting machines are vulnerable and could allow Russia to access them, according to a new report out of DEFCON, one of the world's longest-running hacker conferences.
The report concludes that it is incredibly easy to hack U.S. voting machines, and the system is not nearly as safe as it's portrayed by election officials because many voting machines contain foreign-manufactured internal parts that may be susceptible to tampering. Hackers also do not need advanced knowledge of voting machines to hack them -- it would take only a few minutes or hours for someone with the technical knowledge to infiltrate the machines.
At the Voting Village conference in July, DEFCON set up a hacking village to draw attention to cyber vulnerabilities in U.S. election infrastructure. It invited participants to hack 25 pieces of election equipment including voting machines and electronic poll books, and produced a report afterwards.
The report, which was released Tuesday at an Atlantic Council event, showcased DEFCON's findings. At the Voting Village convention, one IT professor broke into a voting machine within an hour and a half. A Danish democracy-tech researcher remotely hacked the AVS WinVote system within minutes.
"Our voting systems are not secure," said Douglas Lute, a former U.S. ambassador to NATO, in a foreword to the report. "Russia has demonstrated successfully that they can use cyber tools against the US election process. This is not an academic theory; it is not hypothetical; it is real. This is a proven, credible threat. Russia is not going away. They will learn lessons from 2016 and try again. Also, others are watching. If Russia can attack our election, so can others: Iran, North Korea, ISIS, or even criminal or extremist groups."
The report also found that voting machines do not need to be connected to the internet to be hackable. At points along the supply chain, hackers can infect machine parts with malware before they reach the U.S. Additionally, local election officials use software on a computer that is connected to the internet – and therefore subject to hacking – to create a ballot that is then uploaded onto the voting machines with memory cards or USB sticks.
In some cases, a hostile actor might want to tamper with a U.S. election not to change the winner, but to create enough chaos to delay the reporting of a result, causing panic in the financial markets. If this were known ahead of an election, a hostile actor could profit from that mayhem.
Currently, five states still use entirely paperless systems with no paper backup: Delaware, Georgia, Louisiana, New Jersey and South Carolina. These systems are the most insecure because the lack of a paper trail makes an audit afterwards impossible.
In June, CBS News' Jeff Pegues reported that congressional investigators were interested in whether Trump campaign associates obtained information from hacked voter databases. Earlier, a Department of Homeland Security official testified that 21 states had voter databases targeted. CBS News, however, learned that the number was actually higher. A former U.S. official told CBS News at the time that nearly twice that many states showed evidence of a breach.
Just four manufacturers create most of the voting machines on the market. They were not interested in participating in DEFCON to learn how to make their machines safer; they insist they are safe enough already.