Voting Machine Hacks: Attacks on SSL and Certificate Trust May Break Elections

August 8, 2017 | Emil Hanscom

DEF CON is one of the most famous cyber security conventions in the world. Industry workers, journalists, federal government representatives and hackers all attend the event to discuss, and challenge, prominent technology platforms and security solutions. DEF CON often acts as an opportunity for attendees to test their hacking skills and bring to light risks and vulnerabilities that exist in trusted technologies.

As a result of our current geo-political climate, it’s not surprising that much of the news out of DEF CON this year focused on voting machines. Cyber attacks on voting machines represent a profound national, and political, issue. Attendees at DEF CON wanted to test the strength of these machines’ security.

“At this year’s DEF CON there was a ‘Voting Machine Village,’” says Nick Hunter, senior digital trust researcher for Venafi. “The conference provided 30 different voting machines used in American elections, including: the Sequoia AVC Edge, AccuVote TSX, Diebold Expresspoll 4000 and E-poll book. Attendees were encouraged to hack these voting machines to identify risks and vulnerabilities.”

The results, unfortunately, were quite disturbing. For example, the E-poll book machine was compromised within an hour. In addition, a researcher discovered an OpenSSL vulnerability (CVE-2011-4019) in the Diebold Expresspoll 4000 device, which allowed the full compromise of the machine.

“The DEF CON forum where they discuss the vulnerabilities from the show describes some pretty scary stuff,” continues Nick. “One user specifically calls out the use of ‘self-signed’ certificates still being used in machines. We see similar issues in IoT devices, where the manufacturer should be putting trusted CA issued certificates and rotating them. However, many organizations ignore this because they don’t have an easy way to do this. Instead, they simply embed a self-signed certificate.”

Systems using self-signed certificates are often targeted and used in attacks. This is because a self-signed certificate is vouched for only by the system that presents it, which tends to make it less trustworthy than one issued by a trusted certificate authority. Consequently, if a system using self-signed certificates is compromised, there is no way to validate its identity. The machines it connects to will blindly trust the compromised system. And once a trusted session is established, all communication between machines is compromised.

Ultimately, this year’s DEF CON demonstrated that attacks on digital keys and digital certificate trust are prevalent in the machines that oversee our democratic process. This is distressing, especially as more states and nations utilize voting machines in their future elections.

Are you surprised by the voting machine compromises at this year’s DEF CON?

About the author

Emil Hanscom

Emil is the Public Relations Manager at Venafi. Passionate about educating the global marketplace about infosec and machine-identity issues, they have consistently grown Venafi's global news coverage year over year.
