
Lead image © jlmcanally / Adobe Stock, Andrew Brumagen

The nation's leading seller of voting machines has finally agreed to play nice with "red teams" — hacking pros who probe for security vulnerabilities.

The Plan:

At the Black Hat security conference on August 6, Election Systems & Software LLC (ES&S) announced that they would work with the security firm Synack to allow "penetration testing" on the latest models of their voting technology.

The two firms will work together to arrange professional hacking attempts on devices like ES&S's electronic poll book, which officials use to manage voter registration data. Doing so could help ES&S learn about security risks and vulnerabilities, so they can be fixed before criminal hackers exploit them.

They also announced they will crowdsource penetration tests on new products and those still in development, and will make it easier for hackers to report their findings without risking legal consequences.

"The word's gonna get out that we are serious about this. Because hackers gonna hack, researchers gonna research," said Chris Wlaschin, vice president of systems security and chief information security officer at ES&S, WIRED reports.

The Backstory:

Election equipment manufacturers, including ES&S, have been resistant to letting outside professional hackers test their systems.

In the past few years, the Defcon security conference has hosted "Voting Village," where hackers have found vulnerabilities plaguing voting machines in use for decades. But election equipment companies have argued that such scenarios are unrealistic and don't represent real-world polling situations, where additional protections are in place to make it inconceivable to hack voting equipment. To provide unfettered access for hackers to "look under the hood" is a 180-degree shift in attitude.

"There's been a lot of bad blood in the history of this, but I think this is a positive development," Mark Kuhr, chief technology officer at Synack, told WIRED. "What we're trying to do is move the ball forward here and get these election technology vendors to work with researchers in a more open fashion and recognize that security researchers at large can add a lot of value to the process of finding vulnerabilities that could be exploited by our adversaries."

Why This Matters:

An intense election is just months away, and people want assurance that their vote will count. But concerns about election security abound, with some people saying that electronic voting machines are just waiting to be hacked. A Politico survey found that in 14 states, hundreds of counties used paperless voting machines during the last presidential election — most of them plan to do the same this year. So, who ensures that votes are secure?

Some would be surprised by the loosey-goosey regulations.

There are no federal regulations on voting technology vendors, only state regulations. When it comes to requiring vendors to show cybersecurity plans or adhere to security standards, the states hold all the power. The voluntary standards created by the National Institute of Standards and Technology and the Election Assistance Commission aren't required unless states choose to adopt them.

The Center for American Progress published a report on election security in 2018, which concluded that all states "have taken at least some steps to provide security in their election administration." However, CAP deemed 33 states to have unsatisfactory post-election audit procedures, while 10 states do not provide cybersecurity training to officials, and 32 states allow regular absentee voters to cast their ballots electronically — a practice considered insecure by security experts. In other words: vulnerabilities exist that leave some votes susceptible to hacking.

ES&S isn't the only company taking steps toward adding third-party investigations. Dominion Voting Systems Corp., the second-largest vendor, is also writing a "vulnerability disclosure" policy, Kay Stimson, a spokeswoman for the company, told the Wall Street Journal. And Hart InterCivic Inc. also said they are expanding vulnerability testing and working with DHS.

This year, over half of the voters in the U.S. will cast their ballot on one of ES&S's voting machines. Because they are the top U.S. manufacturer of voting equipment, they also influence standards in an industry that has traditionally been resistant to providing open access to hackers who fish around for bugs. This collaboration could mark a significant shift in the industry toward adopting more security research.

"It is quite a change," Wlaschin told WIRED. "Given the times that we're in and the focus on election security, ES&S has for some time been trying to work with security researchers to, number one, improve the security of our equipment and software and, number two, to improve the perception of election security."
