Voting Machine Hacks: Attacks on SSL and Certificate Trust May Break Elections

August 8, 2017 | Eva Hanscom

DEF CON is one of the most famous cyber security conventions in the world. Industry workers, journalists, federal government representatives and hackers all attend the event to discuss, and challenge, prominent technology platforms and security solutions. DEF CON often acts as an opportunity for attendees to test their hacking skills and bring to light risks and vulnerabilities that exist in trusted technologies.

Given our current geo-political climate, it’s not surprising that much of the news out of DEF CON this year focused on voting machines. Cyber attacks on voting machines represent a profound national, and political, issue. Attendees at DEF CON wanted to test the strength of these machines’ security.

“At this year’s DEF CON there was a ‘Voting Machine Village,’” says Nick Hunter, senior digital trust researcher for Venafi. “The conference provided 30 different voting machines used in American elections, including: the Sequoia AVC Edge, AccuVote TSX, Diebold Expresspoll 4000 and E-poll book. Attendees were encouraged to hack these voting machines to identify risks and vulnerabilities.”

The results, unfortunately, were quite disturbing. For example, the E-poll book machine was compromised within an hour. In addition, a researcher discovered an OpenSSL vulnerability (CVE-2011-4019) in the Diebold Expresspoll 4000 device, which allowed the full compromise of the machine.

“The DEF CON forum where they discuss the vulnerabilities from the show describes some pretty scary stuff,” continues Nick. “One user specifically calls out the use of ‘self-signed’ certificates still being used in machines. We see similar issues in IoT devices, where the manufacturer should be putting trusted CA-issued certificates and rotating them. However, many organizations ignore this because they don’t have an easy way to do this. Instead, they simply embed a self-signed certificate.”

Systems using self-signed certificates are often targeted and used in attacks. This is because self-signed certificates tend to be less trustworthy than those issued by a trusted certificate authority: no independent party vouches for the identity they assert. Consequently, if a system using self-signed certificates is compromised, there is no way to validate its identity. The machines it connects to will blindly trust the compromised system. And once a trusted session is established, all communication between machines is compromised.
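One way to find embedded self-signed certificates during a device audit, shown as an added example that is not from the original article or from Venafi: the script separates certificates that chain to a supplied CA from those that only vouch for themselves. It assumes the `openssl` CLI is installed; `make_samples`, `classify_cert`, the subjects and the file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify device certificates by how their identity is vouched for.
# Requires the openssl CLI. All names, subjects and files below are constructed.

# make_samples DIR: build a test CA, a CA-issued device cert and a self-signed one.
make_samples() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=device-issued" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=device-selfsigned" \
        -keyout "$d/dev.key" -out "$d/dev.pem" 2>/dev/null
}

# classify_cert CERT CA_BUNDLE: prints ca-issued, self-signed or untrusted.
classify_cert() {
    local cert=$1 ca=$2
    # Chains to the supplied trust anchor: a third party vouches for the identity.
    if openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "ca-issued"; return
    fi
    # Issuer name equals subject name and the certificate's own key validates
    # its signature: the device vouches only for itself.
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null)" = \
         "$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null)" ] &&
       openssl verify -no-CApath -check_ss_sig -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo "self-signed"; return
    fi
    # Neither case holds (unknown issuer, expired, or malformed certificate).
    echo "untrusted"
}

# Demo on the constructed samples, audited against the constructed CA.
work=$(mktemp -d)
make_samples "$work"
for c in leaf dev; do
    printf '%s.pem: %s\n' "$c" "$(classify_cert "$work/$c.pem" "$work/ca.pem")"
done
```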

Ultimately, this year’s DEF CON demonstrated that attacks on digital keys and digital certificate trust are prevalent in the machines that oversee our democratic process. This is distressing, especially as more states and nations utilize voting machines in their future elections.

Are you surprised by the voting machine compromises at this year’s DEF CON?

About the author

Eva Hanscom

Eva Hanscom writes for Venafi's blog and is an expert in machine identity protection.
