Page:Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election Volume 1.pdf/41


   
COMMITTEE SENSITIVE—RUSSIA INVESTIGATION ONLY

functions on this machine."[1] A researcher was able to hack into the WinVote over WiFi within minutes using a vulnerability from 2003.[2] Once he had administrator-level access, he could change votes in the database. Researchers also discovered available USB ports in the machine that would allow a hacker to run software on the machine.[3] One said "with physical access to back [sic] of the machine for 15 seconds, an attacker can do anything."[4] Hackers were less successful with other types of machines, although each had recorded vulnerabilities.[5]

  • (U) The 2018 DEFCON report found similar vulnerabilities, in particular when hackers had physical access to the machines. For example, hackers exploited an old vulnerability on one machine, using either a removable device purchasable on eBay or remote access, to modify vote counts.[6]
  • (U/ ) DHS briefed the Committee in August 2018 that these results were in part because the hackers had extended physical access to the machines, which is not realistic for a true election system. Undersecretary Krebs also disagreed with reporting that a 17-year-old hacker had accessed voter tallies.[7] Some election experts have called into question the DEFCON results for similar reasons and pointed out that any fraud requiring physical access would be, by necessity, small scale, unless a government were to deploy agents across thousands of localities.
  • (U) ES&S Voting Systems disclosed that some of its equipment had a key security vulnerability. ES&S installed remote access software on machines it sold in the mid-2000s, which allowed the company to provide IT support more easily, but also created potential remote access into the machines. When pressed by Senator Ron Wyden of Oregon, the company admitted that around 300 voting jurisdictions had the software. ES&S says the software was not installed after 2007, and it was only installed on election-management systems, not voting machines.[8] More than 50 percent of voters vote on ES&S equipment, and 41 states use its products.

  1. (U) Elizabeth Wise, "Hackers at DefCon Conference Exploit Vulnerabilities in Voting Machines," USA Today, July 30, 2017, https://www.usatoday.com/story/tech/2017/07/30/hackers-defcon-conference-exploit-vulnerabilities-voting-machines/523639001/.
  2. (U) Matt Blaze, et. al., DEFCON 25: Voting Machine Hacking Village: Report on Cyber Vulnerabilities in U.S. Election Equipment, Databases, and Infrastructure, September 2017, https://www.defcon.org/images/defcon-25/DEF%20CON%2025%20voting%20report.pdf, p. 4.
  3. (U) Ibid., p. 9.
  4. (U) Ibid.
  5. (U) Ibid., pp. 8-13.
  6. (U) Robert McMillian and Dustin Volz, "Voting Machine Used in Half of U.S. Is Vulnerable to Attack, Report Finds," Wall Street Journal, September 27, 2018. The machine referenced is the ES&S Model 650, which ES&S stopped making in 2008 but is still available for sale.
  7. (U) DTS 2018-3275, Summary of 8/22/2018 All Senators Election Security Briefing, August 28, 2018.
  8. (U) Hacks, Security Gaps And Oligarchs: The Business of Voting Comes Under Scrutiny. Miles Parks, NPR, September 21, 2018.
