Since the election, those voting machines have figured prominently in Trump supporters’ allegations of fraud, despite the company’s repeated denials and any actual proof the voting tallies were changed.The actual details of Byrne’s supposed hacker super-team, however, similarly thin.“I’m a free agent, and I’m self-funded, and I’m.
DEF CON After the debacle of the 2000 presidential election count, the US invested heavily in electronic voting systems – but not, it seems, the security to protect them.
This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside.
In less than 90 minutes, the first cracks in the systems' defenses started appearing, revealing an embarrassing low level of security. Then one was hacked wirelessly.
“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we've uncovered even more about exactly how,” said Jake Braun, who sold DEF CON founder Jeff Moss on the idea earlier this year.
“The scary thing is we also know that our foreign adversaries – including Russia, North Korea, Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security.”
At the 1st ever Voting Village at #DEFCON, attendees tinker w/ election systems to find vulnerabilities. I'm told they found some new flaws pic.twitter.com/VpYPXANUMT
— Bradley Barth (@BBB1216BBB) July 28, 2017The machines – from Diebolds to Sequoia and Winvote equipment – were bought on eBay or from government auctions, and an analysis of them at the DEF CON Voting Village revealed a sorry state of affairs. Some were running very outdated and exploitable software – such as unpatched versions of OpenSSL and Windows XP and CE. Some had physical ports open that could be used to install malicious software to tamper with votes.
It's one thing to physically nobble a box in front of you, which isn't hard for election officials to spot and stop. It's another to do it over the air from a distance. Apparently, some of the boxes included poorly secured Wi-Fi connectivity. A WinVote system used in previous county elections was, it appears, hacked via Wi-Fi and the MS03-026 vulnerability in WinXP, allowing infosec academic Carsten Schurmann to access the machine from his laptop using RDP. Another system could be potentially cracked remotely via OpenSSL bug CVE-2011-4109, it is claimed.
Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine. pic.twitter.com/1Xk3baWdxv
— Robert McMillan (@bobmcmillan) July 28, 2017The 'security' of these WINvote machines is so bad. Running WinXP, autorun enabled and hard-coded WEP wifi password. pic.twitter.com/AlOiAPcRra
— Victor Gevers (@0xDUDE) July 28, 2017
We're told the WinVote machine was not fully secured, and that the intrusion would have been detected and logged, so don't panic too much. And not all the attacked equipment are used in today's elections. However, it does reveal the damage that can potentially be done if computer ballot box makers and local election officials are not on top of physical and remote security, especially with a growing interest from Russia and other states. Think of it as a wakeup call.
“Elections have always been the concern and constitutional responsibility of state and local officials. But when Russia decided to interlope in 2016, it upped the ante,” said Douglas Lute, former US Ambassador to NATO and now principal at Cambridge Global Advisors.
“This is now a grave national security concern that isn't going away. In the words of former FBI Director James Comey, ‘They're coming after America. They will be back.’” ®
PS: It turns out the machines weren't completely wiped of data, leaving about 650,000 voter personal records lingering on them, apparently. Hackers were also able to find administrative passwords for the machines via Google, and Rickrolled one box.
LAS VEGAS—In a city filled with slot machines spilling jackpots, it was a 'jackpotted' ATM machine that got the most attention Wednesday at the Black Hat security conference, when researcher Barnaby Jack demonstrated two suave hacks against automated teller machines that allowed him to program them to spew out dozens of crisp bills.
The demonstration was greeted with hoots and applause.
In one of the attacks, Jack reprogrammed the ATM remotely over a network, without touching the machine; the second attack required he open the front panel and plug in a USB stick loaded with malware.
Jack, director of security research at IOActive Labs, focused his hack research on standalone and hole-in-the-wall ATMs—the kind installed in retail outlets and restaurants. He did not rule out that bank ATMs could have similar vulnerabilities, though he hasn't yet examined them.
The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system's remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the machine.
Tranax's remote monitoring system is turned on by default, but Jack said the company has since begun advising customers to protect themselves from the attack by disabling the remote system.
Free Slot Machine Las Vegas
To conduct the remote hack, an attacker would need to know an ATM's Internet IP address or phone number. Jack said he believes about 95 percent of retail ATMs are on dial-up; a hacker could war dial for ATMs connected to telephone modems, and identify them by the cash machine's proprietary protocol.
The Triton attack was made possible by a security flaw that allowed unauthorized programs to execute on the system. The company distributed a patch last November so that only digitally signed code can run on them.
Las Vegas Winning Slot Machines
AdvertisementBoth the Triton and Tranax ATMs run on Windows CE.
Using a remote attack tool, dubbed Dillinger, Jack was able to exploit the authentication bypass vulnerability in Tranax's remote monitoring feature and upload software or overwrite the entire firmware on the system. With that capability, he installed a malicious program he wrote, called Scrooge.
Scrooge lurks on the ATM quietly in the background until someone wakes it up in person. It can be initiated in two ways—either through a touch-sequence entered on the ATM's keypad or by inserting a special control card. Both methods activate a hidden menu that allows the attacker to spew out money from the machine or print receipts. Scrooge will also capture track data embedded in bank cards inserted into the ATM by other users.
To demonstrate, Jack punched the keys on the typed to call up the menu, then instructed the machine to spit out 50 bills from one of four cassettes. The screen lit up with the word 'Jackpot!' as the bills came flying out the front.
To hack the Triton, he used a key to open the machine's front panel, then connected a USB stick containing his malware. The ATM uses a uniform lock on all of its systems—the kind used on filing cabinets—that can opened with a $10 key available on the web. The same key opens every Triton ATM.
Two Triton representatives said at a press conference after the presentation that its customers preferred a single lock on systems so they could easily manage fleets of machines without requiring numerous keys. But they said Triton offers a lock upgrade kit to customers who request it—the upgraded lock is a Medeco pick-resistant, high-security lock.
Similar malware attacks were discovered on bank ATMs in Eastern Europe last year. Security researchers at Trustwave, based in Chicago, found the malware on 20 machines in Russia and Ukraine that were all running Microsoft's Windows XP operating system. They said they found signs that hackers were planning on bringing their attacks to machines in the US The malware was designed to attack ATMs made by Diebold and NCR.
AdvertisementThose attacks required an insider, such as an ATM technician or anyone else with a key to the machine, to place the malware on the ATM. Once that was done, the attackers could insert a control card into the machine’s card reader to trigger the malware and give them control of the machine through a custom interface and the ATM’s keypad.
The malware captured account numbers and PINs from the machine’s transaction application and then delivered it to the thief on a receipt printed from the machine in an encrypted format or to a storage device inserted in the card reader. A thief could also instruct the machine to eject whatever cash was inside the machine. A fully loaded bank ATM can hold up to $600,000.
Earlier this year, in a separate incident, a Bank of America employee was charged with installing malware on his employer's ATMs that allowed him to withdraw thousands of dollars without leaving a transaction record.
Jack was slated to give the same ATM vulnerability talk at Black Hat last year, but his then-employer Juniper Networks canceled the talk weeks before the conference after an unnamed ATM vendor expressed concern. He said on Wednesday that the earlier talk was withdrawn to allow Triton time to implement a patch to address the code-execution vulnerability targeted in his demonstration. The company released the patch eight months ago.
Jack said that so far he's examined ATMs made by four manufacturers and all of them have vulnerabilities. 'Every ATM I've looked at allows that ‘game over.' I'm four for four,' he said at the press conference. He wouldn't discuss the vulnerabilities in the two ATMs not attacked on Wednesday because he said his previous employer, Juniper Networks, owns that research.
Jack said his aim in demonstrating the hacks is to get people to look more closely at the security of systems that are presumed to be locked down and impenetrable.
Las Vegas Slot Machines Payouts
(AP Photo/Isaac Brekken)