DEF CON is one of the most famous cyber security conventions in the world. Industry workers, journalists, federal government representatives and hackers all attend the event to discuss, and challenge, prominent technology platforms and security solutions. DEF CON often acts as an opportunity for attendees to test their hacking skills and bring to light risks and vulnerabilities that exist in trusted technologies.
Given our current geopolitical climate, it’s not surprising that much of the news out of DEF CON this year focused on voting machines. Cyber attacks on voting machines represent a profound national, and political, issue. Attendees at DEF CON wanted to test the strength of these machines’ security.
“At this year’s DEF CON there was a ‘Voting Machine Village,’” says Nick Hunter, senior digital trust researcher for Venafi. “The conference provided 30 different voting machines used in American elections, including: the Sequoia AVC Edge, AccuVote TSX, Diebold Expresspoll 4000 and E-poll book. Attendees were encouraged to hack these voting machines to identify risks and vulnerabilities.”
The results, unfortunately, were quite disturbing. For example, the E-poll book machine was compromised within an hour. In addition, a researcher discovered an OpenSSL vulnerability (CVE-2011-4019) in the Diebold Expresspoll 4000 device, which allowed the full compromise of the machine.
“The DEF CON forum where they discuss the vulnerabilities from the show describes some pretty scary stuff,” continues Nick. “One user specifically calls out the use of ‘self-signed’ certificates still being used in machines. We see similar issues in IoT devices, where the manufacturer should be putting trusted CA-issued certificates and rotating them. However, many organizations ignore this because they don’t have an easy way to do this. Instead, they simply embed a self-signed certificate.”
Systems using self-signed certificates are often targeted and used in attacks. This is because self-signed certificates tend to be less trustworthy than those issued by a trusted certificate authority. Consequently, if a system using self-signed certificates is compromised, there is no way to validate its identity. The machines it connects to will blindly trust the compromised system. And once a trusted session is established, all communication between machines is compromised.
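The following is an added example, not code from the original post or from Venafi: a shell audit that uses the openssl CLI to separate device certificates signed by their own key from CA-issued ones. The certificate subjects, file names and the private CA are constructed for the demonstration, and a default openssl configuration file is assumed to be installed.

```shell
#!/bin/sh
# Added example: flag device certificates that are self-signed rather than CA-issued.
# All subjects and file names are constructed for illustration.

classify_cert() {
    cert=$1
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issr=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    # Different names: another party's key signed this certificate.
    if [ "$subj" != "$issr" ]; then echo ca-issued; return 0; fi
    # Same names: self-signed only if the signature verifies under the cert's own key.
    if openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo self-signed
    else
        echo self-issued   # names match but self-verification failed (e.g. expired)
    fi
}

make_sample_certs() {
    d=$1
    # Device certificate signed by its own key (the embedded self-signed pattern).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=device-a.example" \
        -keyout "$d/a.key" -out "$d/device-a.pem" 2>/dev/null
    # Constructed private CA, then a device certificate issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Device CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=device-b.example" \
        -keyout "$d/b.key" -out "$d/b.csr" 2>/dev/null
    openssl x509 -req -in "$d/b.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/device-b.pem" 2>/dev/null
}

# Returns non-zero if any device-*.pem in the directory is not CA-issued.
audit_devices() {
    rc=0
    for c in "$1"/device-*.pem; do
        kind=$(classify_cert "$c")
        echo "$(basename "$c"): $kind"
        [ "$kind" = ca-issued ] || rc=1
    done
    return $rc
}

tmp=$(mktemp -d)
make_sample_certs "$tmp"
audit_devices "$tmp" || echo "audit: device certificate without a CA issuer found"
rm -rf "$tmp"
```

A root CA certificate is self-signed by design, so the audit applies only to the end-entity certificates that devices present, not to the trust anchors themselves.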
Ultimately, this year’s DEF CON demonstrated that attacks on digital keys and digital certificate trust are prevalent in the machines that oversee our democratic process. This is distressing, especially as more states and nations utilize voting machines in their future elections.
Are you surprised by the voting machine compromises at this year’s DEF CON?