Secretary of State staffer Dwight Shellman returned from a hacking convention with the message that although Colorado’s elections are secure from the types of voting machine and website attacks demonstrated at the conference, state and local officials need to remain vigilant.
The 26th annual Def Con conference featured a large number of “villages” in which attendees learned about and sometimes attempted to hack a broad range of technologies and platforms, including automobile software and cannabis cultivation technologies.
Shellman, the county support manager for the state Elections Division, focused most of his attention on the Voting Village, which invited participants to test “more than 30 pieces of electronic voting equipment” and “defend or hack mock office network and voter registration databases,” according to Def Con’s website.
He witnessed kiddie hackers gain access — but said the whole story wasn’t reported.
The devices available at the Voting Village primarily consisted of paperless touchscreen machines manufactured in the early-to-mid 2000s, and most of them were successfully hacked. The successful hacks that were observed occurred on paperless touchscreen devices, which Colorado does not use.
None of the physical security measures that Colorado employs, such as security cameras, locked voting centers, National Guard monitoring, a paper trail of ballots, or risk-limiting audits, were in place in the Voting Village.
Colorado Secretary of State Wayne Williams has been praised for his efforts in cybersecurity and making Colorado “the safest state to cast a vote.” Colorado already had implemented many of the measures recommended after election officials learned of Russia’s efforts to interfere with the 2016 election.
“The vulnerabilities discovered and demonstrated at the Voting Village really don’t pose a threat to Colorado,” Shellman said.
“First, most of the hacks would be difficult to perform under real-life security conditions, even if Colorado still used those devices. Second, the hacks I observed occurred on paperless touchscreen devices. We don’t have any of those in Colorado – there is a paper ballot or record for every single vote cast in this state. Third, all of these older systems have been largely retired in Colorado.”
The other hacking event in the Voting Village targeted election night reporting (ENR) systems. This event gave Def Con attendees ages 8 to 16 the opportunity to hack into replicas of the Secretary of State websites for several battleground states, including Colorado. None of the actual websites were used — replicas were created for the purpose of the event.
“Some kids were able to penetrate and alter candidate names and vote totals very quickly, which generated a lot of critical media coverage that quickly went viral,” Shellman recalled. “But the media coverage was really misleading. Not a single media report mentioned the replicas contained intentional vulnerabilities enabling the kids to learn about and perform … attacks.”
The Secretary of State’s IT department continuously scans and monitors all of the systems for vulnerabilities. The U.S. Department of Homeland Security’s HIRT team recently visited the Secretary of State’s office in a “hunting” exercise to penetrate the SOS network and found nothing significant to report.
Def Con was held in Las Vegas Aug. 9-12.