Hackers' confab shows vulnerabilities in election machines amid testing concerns ahead of November

Hackers at a conference last weekend found numerous vulnerabilities in election machines while the U.S. Election Assistance Commission (EAC) confirmed that current voting systems to be used in the November election have not been tested by third parties for vulnerabilities.

While many vulnerabilities were found in election machines at the conference, Georgia is set to use outdated election machines for the November presidential election, and the EAC doesn’t have a standard testing process in place to search out vulnerabilities in election equipment.

At the annual DEF CON hacker conference in Las Vegas this past weekend, hackers hacked into election equipment from various manufacturers, including voting machines, e-pollbooks, and ballot tabulators, according to Politico. They found many vulnerabilities that they will release in a report soon, and noted that some of them haven't been fixed for a long time.

DEF CON Voting Village co-founder Harri Hursti told Politico on Saturday that there were “multiple pages” worth of vulnerabilities found in election machines, which was similar to previous years and will be detailed in a full report in the coming weeks.

“If you don’t think this kind of place is running 24/7 in China, Russia, you’re kidding yourselves,” Hursti said. “We are here only for two and a half days, and we find stuff…it would be stupid to assume that the adversaries don’t have absolute access to everything.”

“There’s so much basic stuff that should be happening and is not happening, so yes I’m worried about things not being fixed, but they haven’t been fixed for a long time, and I’m also angry about it,” Hursti said.

Hursti didn’t immediately respond to requests from Just the News for comment on Wednesday.

Politico also reported that most of the machines tested at DEF CON “are used in at least one jurisdiction around the U.S.”

One state in particular has had election machine vulnerabilities for the past three years that will not be fixed before November.

In June 2023, a nearly 2-year-old report was finally made public arising from a Georgia lawsuit that showed Dominion voting machines had significant vulnerabilities, which led the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue a public advisory in 2022 based on the findings. At the same time, CISA said that although vulnerabilities were found, there was no evidence that "flaws in Dominion voting machines were ever exploited," according to CBS News.

However, Georgia election officials said last year that the machines won’t be updated until after the 2024 elections because it's such a massive undertaking.

Gabriel Sterling, the secretary of state office's chief operating officer, said at the time that Georgia would wait until 2025 to update the voting machines because "legally, logistically and just risk-management wise, this was the safest wisest course."

He also said the new software, to his knowledge, has never been used in any election in the world.

In addition, Sterling said the new software has been certified by the EAC, "which is great, but like any new software, real-world deployment always finds things that may not work the way people intended it to."

EAC Vice Chair Donald Palmer told Just the News on Wednesday that Georgia in particular has had issues updating its Dominion Voting Systems equipment due to a lack of resources. While the EAC tested and updated the Dominion machine, Georgia is having a “funding and timing issue” with it, Palmer said. The state needs to allow for “access to the machines for a length of time.”

Regarding last weekend's hackers conference, Palmer mentioned that “the systems that are being tested at DEF CON are not the frontline systems.”

The voting systems at DEF CON are not updated or “certified to EAC standards” as they are “not supported by manufacturers,” Palmer said.

Also, EAC doesn’t “have any information that” the current voting “systems have any vulnerability that has been exploited.”

Palmer noted that Congress is considering the SECURE IT Act, which he said would allow “vulnerability testing of current voting systems with third parties.”

He added that the “real challenge” is for future “testing for newer systems, those that are being used in the 2024 election.”

Currently, for voting systems to receive EAC certification, they go through “penetration testing,” where they ensure that “any known vulnerability has been resolved,” Palmer said. This testing is only for voting machines and ballot tabulators.

EAC certification of election equipment is voluntary, but even if it isn’t “formally required by states,” the equipment eventually goes through EAC testing on the manufacturing side, he said.

However, Palmer explained that the EAC doesn’t currently test to find vulnerabilities in the voting systems that are being used. “Congress is looking at setting up a system where independent researchers conduct vulnerability testing” annually, providing results “back to the manufacturer and the EAC,” and done with the “latest, frontline voting systems,” Palmer said.

The EAC currently has the Engineering Change Order, which is a process that allows for the “quick turnaround of software updates,” he added. This occurs when the manufacturer identifies vulnerabilities and send them to the “EAC for a quick resolution,” which “can be done in 1-3 days.”

If there is a “known vulnerability” in an elections system, the “key is whether it has been exploited or can be,” Palmer said. “Right now, we don't have any reports indicating the exploiting of vulnerabilities with voting equipment certified by the EAC. We take vulnerabilities very seriously.”

Phill Kline, director of the Amistad Project and former Kansas attorney general, told Just the News on Wednesday that election machines are ‘“vulnerable,” and there is “no way to ensure” they’re “fixed because people who should have the authority – local election officials – have no legal authority to do the job nor understanding of how to do it.”

With increasing the use of voting machines following the 2000 presidential election, the U.S. “didn’t fix the Bush v. Gore problem,” but “just made our elections less transparent,” Kline explained.

He added that these are “worse issues than the hanging chad. The hanging chad everyone could understand,” and “everyone understood that the standard should be the same everywhere in Florida. It was real simple to understand,” which allowed for “accountability and a way to debate and participate in the process.”