Voting Machine Makers Are Finally Playing Nice With Hackers

For well over a decade, the relationship between voting machine companies and security researchers has been fraught. The manufacturers have long resisted allowing unfettered access for bug-hunters, even as major, longstanding vulnerabilities plagued voting machine models used throughout the 2000s and 2010s. A new collaboration, though, shows that the cold war has meaningfully started to thaw.

At the Black Hat security conference today, Chris Wlaschin, vice president of systems security and chief information security officer of the election technology giant ES&S, and Mark Kuhr, chief technology officer of the security firm Synack, detailed how the two companies would work together to allow for so-caled penetration testing on some ES&S products—and pointed to the larger project of bridging the longstanding gap between their two worlds.

“There’s been a lot of bad blood in the history of this, but I think this is a positive development,” Synack’s Kuhr told WIRED on Monday. “What we’re trying to do is move the ball forward here and get these election technology vendors to work with researchers in a more open fashion and recognize that security researchers at large can add a lot of value to the process of finding vulnerabilities that could be exploited by our adversaries.”

Synack will manage a program for ES&S in which security professionals vetted by Synack will examine and attempt to hack ES&S’s new model of electronic poll book, devices that election officials use to manage voter register data for elections. By throwing the device to the wolves, ES&S can learn about and fix potential security issues before malicious hackers find them. Wlaschin says the company plans to run additional crowdsourced penetration tests on other products as well. ES&S is also announcing a revamped coordinated vulnerability disclosure program during the talk, creating a clear pathway for hackers to submit findings without fear of reprisal.

In the past, ES&S’s stance on disclosure and processes were notoriously opaque. And the company’s dominance in the US voting machine market has allowed it to exert influence over standards and regulation. All of this makes Wednesday’s Black Hat talk even more noteworthy.

“It is quite a change,” ES&S’s Wlaschin told WIRED ahead of the talk. “Given the times that we’re in and the focus on election security, ES&S has for some time been trying to work with security researchers to, number one, improve the security of our equipment and software and, number two, to improve the perception of election security.”

For years, voting machines were a black box, even as more and more states replaced old analog marking systems with computerized options. The Digital Millennium Copyright Act even made it illegal for security researchers to probe voting machines for potential vulnerabilities, which only changed in 2016 with a DMCA exception for voting machine security research.

That paved the way for the program known as the Voting Village, which launched in 2017 as a way for researchers to get their hands on voting machines, likely for the first time, and start hacking them. Part of the Defcon security conference, the Voting Village has also served as a sort of town hall for debate and innovation in voting security. In 2018, ES&S sent a letter to customers downplaying the importance of the Voting Village and its findings: “Attendees will absolutely access some voting systems internal components because they will have full and unfettered access to a unit without the advantage of trained poll workers, locks, tamper-evident seals, passwords, and other security measures that are in place in an actual voting situation.”

ES&S’s Wlaschin says the company already had mechanisms for vulnerability disclosure in place, but that he has worked to unify them and make it easier for the company to respond to research findings quickly. He joined the company in 2018 after more than 30 years in the Navy and leading information security efforts at the Department of Veterans Affairs and Department of Health and Human Services. He adds that the process of modernizing ES&S’s approach to vulnerability disclosure has been a positive one.

www.wired.com

Leave a Reply