TJ Horner isn’t old enough to cast a ballot yet, but according to the completely unsecured voter database on an old ExpressPoll 5000 voting machine, he’s registered to vote in Fishersville, Virginia.
Horner was able to do so because many of the electronic voting machines at DEF CON 2017’s Voting Village were “very, very vulnerable.” While most of the machines were models that are no longer in use, Horner and dozens of other hackers at DEF CON in Las Vegas on Sunday proved that the electronic U.S. voting infrastructure is far from secure.
After arriving at the Voting Village, Horner, who is 16, decided to sit down for some quality time with the Diebold ExpressPoll 5000, a model that Horner told Inverse on Monday was decommissioned some time ago. Still, the company’s website boasts that 15,000 of the units were distributed across the country, and since Horner found an unsecured voting record from the 2008 election still sitting on the machine (don’t worry, he deleted it), they were definitely used. It took Horner about 45 minutes to break in.
Horner’s primary attack was an “arbitrary firmware injection,” where he used an adapter to upload his own version of the machine’s permanent software and operating system, giving him control of the device. With that, Horner told Inverse he could install malware that only let members of party “A” register, and not party “B” or another exploit, which worked because the machine wasn’t coded to verify that incoming software was actually from Diebold, its manufacturer. “So, anything is possible at that point,” Horner says.
One of the biggest flaws he found was that the machine’s database, stored on a file called PollData.db3 on its internal memory, was completely unsecured. That meant any hacker with access to the machine could see the names, addresses, partial social security numbers, political parties, and polling data for everyone registered in that machine’s system. It also meant they could change it, which is how Horner managed to register to vote in an election he was only eight years old during. (Of course, he noted, the system was all local — he’s not actually registered to vote.) “It’s basically like storing all the voter registration cards in a safe, except the safe doesn’t have a lock,” Horner says. “And the safe is also the size of a smartphone, so you could walk away with it.”
“Your imagination is the limit when you have access to the entire database,” Horner writes of his hack, which goes into far more technical detail. And while Horner spent his time mastering the ExpressPoll 5000, other hackers were busy taking over different machines.
Some even got Rick Astley’s “Never Gonna Give You Up” to play out of a machine. At DEF CON, it’s all in good fun, but in the real world electronic voting machines could be a major flaw in U.S. democracy’s already-fragile armor.Photos via TJ Horner (1, 2)