Skip to main content
banner image
venafi logo

Voting Machine Hacks: Attacks on SSL and Certificate Trust May Break Elections

Voting Machine Hacks: Attacks on SSL and Certificate Trust May Break Elections

Voting machine compromise
August 8, 2017 | Eva Hanscom

DEF CON is one of the most famous cyber security conventions in the world. Industry workers, journalists, federal government representatives and hackers all attend the event to discuss, and challenge, prominent technology platforms and security solutions. DEF CON often acts as an opportunity for attendees to test their hacking skills and bring light to risks and vulnerabilities that exist in trusted technologies.

As a result of our current geo-political climate, it’s not surprising that much of the news out of DEF CON this year focused on voting machines. Cyber attacks on voting machines represent a profound national, and political, issue. Attendees at DEF CON wanted to test the strength of their security.

“At this year’s DEF CON there was a ‘Voting Machine Village,’” says Nick Hunter, senior digital trust researcher for Venafi. “The conference provided 30 different voting machines used in American elections, including: the Sequoia AVC Edge, AccuVote TSX, Diebold Expresspoll 4000 and E-poll book. Attendees were encouraged to hack these voting machines to identify risks and vulnerabilities.”

The results, unfortunately, were quite disturbing. For example, the E-poll book machine was compromised within an hour. In addition, a researcher discovered an OpenSSL vulnerability (CVE-2011-4019) in the Diebold Expresspoll 4000 device, which allowed the full compromise of the machine.

“The DEF CON forum where they discuss the vulnerabilities from the show describes some pretty scary stuff,” continues Nick. “One user specifically calls out the use of ‘self-signed’ certificates still being used in machines. We see similar issues in IoT devices, where the manufacturer should be putting trusted CA issued certificates and rotating them. However, many organizations ignore this because they don’t have an easy way to do this. Instead, they simply embed a self-signed certificate.”

Systems using self-signed certificates are often targeted and used in attacks. This is because self-signed certificates tend to be less trustworthy than those issued by a trusted certificate authority. Consequently, if a system using self-signed certificates is compromised, there is no way to validate its identity. The machines it connects to will blindly trust the compromised system. And once a trusted session is established, all communication between machines is compromised.

Ultimately, this year’s DEF CON demonstrated that attacks on digital keys and digital certificate trust are prevalent in the machines that oversee our democratic process. This is distressing, especially as more states and nations utilize voting machines in their future elections.

Are you surprised by the voting machine compromises at this year’s DEF CON?

Like this blog? We think you will love this.
old ciphertext mechanism on a desk with an hourglass
Featured Blog

Traditional Cryptographic Attacks: What History Can Teach Us

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Eva Hanscom
Eva Hanscom

Eva is Public Relations Manager at Venafi. She is passionate about educating the global marketplace about infosec and machine-identity issues, and in 2018 grew Venafi's global coverage by 45%.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat