The report from DEF CON’s Voting Village found one bug that alone could flip the Electoral College. Another has gone unfixed for 11 years.
The number and severity of hackable vulnerabilities in voting machines across the U.S. is “staggering,” according to a Thursday report from computer security researchers at the DEF CON cybersecurity convention, which took place in August in Las Vegas.
Among other vulnerabilities, the report cites a voting tabulator that can be remotely hacked and is in use in 23 states.
“Because the device in question is a high-speed unit designed to process a high volume of ballots for an entire county, hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election,” the report states.
Another vulnerability, which was present on voting machines used in 2016, contains a vulnerability that was first disclosed to the public in 2007, the report states.
The report was released during a conference in Washington. Rep. Jackie Speier, D-Calif., who opened that conference, criticized voting machine companies for not allowing ethical hackers to probe their machines for vulnerabilities.
“The veracity of our voting system has been inadequate for a very long time and we have not taken it seriously,” Speier said.
Speier called the conference one of the “two most important things happening in our country,” a reference to the Senate Judiciary hearing focused on sexual assault allegations against Supreme Court nominee Brett Kavanaugh happening at the same time.
Congress allocated an additional $380 million for states and localities to improve election systems earlier this year.
Homeland Security Department officials have said that funding is likely insufficient for all the necessary upgrades and many upgrades will not be complete before the 2018 midterms.
The DEF CON report cites vulnerabilities produced by the supply chain for voting machine parts, which is “global and has essentially no process identifying what sources machine parts come from.” That opens up the possibility of malware or spyware implanted by U.S. adversaries, the report states.
State and local election officials often claim that critical voting functions are “air-gapped,” meaning they’re not accessible via the internet, but DEF CON hackers were frequently able to remotely access those systems, the report found.
In one case, hackers found a vulnerability affecting an electronic card that millions of Americans use to activate voting terminals that could be remotely reprogrammed with a mobile phone.
Ethical hackers found a similarly broad slate of vulnerabilities during the 2017 conference.