Hackers penetrate voting machines used in 2016 election at SLC cybersecurity conference



SALT LAKE CITY — Huddled in the corner of a small room in the Salt Palace Convention Center are a group of hackers and a row of 12 voting machines.

The machines, all of which were used during the 2016 election in Utah, are now strewn in pieces across a table as attendees of HackWest’s first annual cybersecurity conference pore over them, searching for vulnerabilities.

And they’ve found a pretty major one.

Any hacker can enter a voting booth, remove the card reader from the machine, turn off the machine, then power it back on again. Once the voting machine has turned back on, the screen will display a “no card reader” error message. All the hacker has to do from there is pop the card reader back in, and the machine will display the system setup.

With access to the system, hackers can see the network address and what encryption the system uses.

“If you know what encryption is being used, you can do what is needed to hack that encryption. You can focus your attack,” said Jake Blaney, a volunteer at HackWest.

And hackers may not even need to crack the encryption to accomplish their goal. If a voting machine is compromised, those votes are immediately suspect.

“It just creates doubt in the integrity of the system, and if that doubt is there, you could do it in a district you may not be in favor of, and those votes get thrown out,” Blaney said.

Though the idea may seem sinister, that’s not these hackers’ intention. While HackWest focuses on teaching attendees how to be better at penetrating the system, it’s because that’s the best way to protect it, said HackWest founder Sean Jackson.

“You defend better if you know how they’re going to attack you,” he said. “We want to show what some would say are the dark arts. We show you how to break in. And then once you know how to break it, you need to know how to fix it.”

If Jackson were trying to hack, say, a journalist from KSL, he’d start by looking at her social media posts, what she shares (or overshares) and come up with a list of interests, he said.

“I can fake a common interest to gain your trust and then send you a link saying, ‘I know you like white kittens, here’s some great pictures of white kittens.’ You click the link, which goes to a site that I control that has malicious code, and I’m attacking your browser,” he said — though he mentioned that browsers will often notify users before taking them to sites that are susceptible to third-party hacks.

Most cyberattacks that target businesses exploit vulnerabilities in similar ways, but via email, Jackson noted.

Hackers also often use a tactic called “social engineering,” which essentially involves taking advantage of human nature and someone’s willingness to help another in distress.

This can include asking someone to visit a website or hold open a door. People will readily do something that might compromise security if they see someone in need.

“We’re good people, we’re friendly, we’re kind,” Jackson said. “If you can appear needy or you need some help, you can bend someone’s emotions to help you. And then if you can do that, you can manipulate their emotions in some other way to make them do something they wouldn’t normally do.”

Which is part of the reason Jackson hopes an understanding of cybersecurity can extend beyond the IT world. While most feel intimidated when they hear the word “cybersecurity,” taking steps to become more secure doesn’t have to be overly complicated, he said.

Even small steps, like coming up with good passwords or being extra vigilant with emails, can pay off. It’s not just IT people that have to ensure a company’s data stays safe, Jackson said.

“Together, we’ll be more secure,” he added.

The HackWest conference will resume next March.
