In our previous post, we discussed the Black Hat conference in Las Vegas, and some of the key trends we saw at that event. However, this time we’d like to talk about Defcon – the older, dressed-down brother of Black Hat that’s now in its 25th year, and really draws out a lot of the hardcore hacking (in the good sense of the term) community.
Defcon is organized into “villages”, each focusing on a specific area of digital, physical or social hacking. With villages including biohacking, car hacking, crypto and privacy, lockpicking, wireless, and even an “off-the-record” village where presentations cannot be photographed or recorded, there are countless options for learning about the latest in offensive and defensive security. This year, a new village has arisen at Defcon, and will be present through at least Defcon 28 in the year 2020: the voting machine hacking village.
Voting machines have often been viewed by the security community as the “bad child”. They provide a service that is absolutely critical to ensuring the democratic process, and consequently, they should rightfully be among the most secure technologies available, with effective physical controls (given that they are located in private voting booths), strong authentication and encryption for both data in transit and at rest. However, as the community at Defcon’s voting machine hacking village proved, reality is a long way from where this technology should be from a security perspective. During last week’s hacking clinic, over 30 different voting machine units were present, representing multiple vendors and models as Defcon attendees attempted to break them.
So how were the results? Not good. Multiple voting machines – all of which models either are still in use or were previously used in state and national elections – were found to be susceptible to broad range of attacks, ranging from the simple (plugging in a USB keyboard and mouse to the exposed USB ports, and pressing CTRL+ALT+DEL to get to the Windows Task Manager and running a shell), to the mundane (exploiting unpatched OS issues that date back for several years). And unfortunately, encryption is not a strong suit of may voting machines, as the voting record data in many cases was located in unencrypted text-based files.
So what does all of this tell us? It tells us that even among technology vendors, some of the most basic rules of defensive security need to be better-implemented. And these rules don’t just apply to voting machines; they also apply to Internet of Things (IoT) device vendors, cloud technology vendors, and anyone else who provides hardware-based components as part of their go-to-market solutions:
- Patching is vital. The fact that several voting machines at Defcon 25 were susceptible to known vulnerabilities that were previously patched by vendors is astounding, especially when known exploit code for those vulnerabilities is in the wild. Patching, while not the most glamorous aspect of security, is perhaps the single most vital thing that an organization can to do mitigate the risks of vulnerabilities.
- Encryption is there for a reason – use it. Today, there’s no reason for sensitive data to not be encrypted either when at rest (such as when stored in a file on disk, or in a database), or in transit (such as when communicated between systems). Without encrypted data, systems that are compromised through other methods (such as exploiting patches) leave their sensitive data exposed to the world.
- Don’t ignore physical access. While most organizations’ critical systems are located in access-restricted offices or data centers, there are many exceptions: public kiosks and hospitality PCs, for example, are two very common types of systems that exist in many businesses and are usually attached to networks. Physically compromising these systems, especially by plugging in devices to exposed ports (which doesn’t require any deconstruction of the device) can often lead to compromise of the system through unanticipated methods – and it can also function as an ingress point for malware. If you have systems that are located in public locations, ensure that you’ve conducted a physical audit of the system to ensure that users are not able to compromise them through open ports. If necessary, deactivate or block the ports with physical locks.
Voting machines are only one type of device in the world of the IoT; the reality is that there are many, many different types of IoT devices that are insecure. For vendors, following basic security standards for things like patching, vulnerability management, encryption and physical security can lead to reduced risk exposure and increased longevity.