SOS staffer attends Def Con conference, says Colorado looks good

Colorado election officials at Def Con’s voting hacking village. Left to right: Dwight Shellman, county support manager for the Secretary of State, Amber McReynolds, Denver elections director, and Jennifer Morrell, Democracy Fund consultant. (Photo by Joe Kiniry, who led the team at Free & Fair that helped develop software for Colorado’s first-in-the-country risk-limiting audit.)

Secretary of State staffer Dwight Shellman returned from a hacking convention with the message that although Colorado’s elections are secure from the types of voting machine and website attacks demonstrated at the conference, state and local officials need to remain vigilant.

The 26th annual Def Con conference featured a large number of “villages” in which attendees learned about and sometimes attempted to hack a broad range of technologies and platforms, including automobile software and cannabis cultivation technologies.

Def Con’s voting village logo. (Def Con photo)

Shellman, the county support manager for the state Elections Division, focused most of his attention on the Voting Village, which invited participants to test “more than 30 pieces of electronic voting equipment” and “defend or hack mock office network and voter registration databases,” according to Def Con’s website.

He witnessed kiddie hackers gain access — but said the whole story wasn’t reported.

The devices available at the Voting Village were primarily paperless touchscreen machines manufactured in the early-to-mid 2000s, and most of them were successfully hacked. The hacks that were observed occurred on paperless touchscreen devices, which Colorado does not use.

None of the physical security measures that Colorado employs, such as security cameras, locked voting centers, National Guard monitoring, a paper trail of ballots, or risk-limiting audits, were in place in the voting village.

Def Con 26 attendee badge. (SOS photo)

Colorado Secretary of State Wayne Williams has been praised for his efforts in cybersecurity and making Colorado “the safest state to cast a vote.” Colorado already had implemented many of the measures recommended after election officials learned of Russia’s efforts to interfere with the 2016 election.

“The vulnerabilities discovered and demonstrated at the Voting Village really don’t pose a threat to Colorado,” Shellman said.

“First, most of the hacks would be difficult to perform under real-life security conditions, even if Colorado still used those devices. Second, the hacks I observed occurred on paperless touchscreen devices. We don’t have any of those in Colorado – there is a paper ballot or record for every single vote cast in this state. Third, all of these older systems have been largely retired in Colorado.”

The other hacking event in the voting village was of election night reporting (ENR) systems. This event gave Def Con attendees age 8 to 16 the opportunity to hack into replicas of the Secretary of State websites for several battleground states, including Colorado. None of the actual websites were used — replicas were created for the purpose of the event.

A convincing replica of the Election Results and Data page of the Colorado Secretary of State’s website, purporting to display results from the 2016 presidential election. A young girl “hacked” the replica and changed Donald Trump’s name, party affiliation and vote total. But no page of the real website looks like this, and the replica contained a vulnerability enabling the girl to practice a certain type of attack.

“Some kids were able to penetrate and alter candidate names and vote totals very quickly, which generated a lot of critical media coverage that quickly went viral,” Shellman recalled. “But the media coverage was really misleading. Not a single media report mentioned the replicas contained intentional vulnerabilities enabling the kids to learn about and perform … attacks.”

The Secretary of State’s IT department continuously scans and monitors all of the systems for vulnerabilities. The U.S. Department of Homeland Security’s HIRT team recently visited the Secretary of State’s office in a “hunting” exercise to penetrate the SOS network and found nothing significant to report.

Def Con was held in Las Vegas Aug. 9-12.