At hacker convention, a spotlight on weaknesses in election security

Hackers, lawyers, security officials and government employees gather annually in Las Vegas for the Def Con security convention. This year, hackers were able to penetrate a touch screen voting machine used in a 2014 Virginia election in less than two hours. Robert McMillan, who covered the conference for the Wall Street Journal, joins Hari Sreenivasan from San Francisco.

Read the Full Transcript


    On Friday, hackers were able to penetrate a touch screen voting machine in less than two hours. The machine was used in a 2014 Virginia election, and the hack was part of a demonstration of election system security weaknesses at DefCon in Las Vegas.

    The annual event is attended by hackers, but also by security and technology firms, government employees — some undercover — and, of course, reporters. DefCon wraps up today.

    And joining me now from San Francisco is Robert McMillan of "The Wall Street Journal" who has been covering the conference.

    Robert, that headline, you know, someone hacking elections machine in two hours, that has everyone kind of interested. This is not a machine that is in use today but it was just a few years ago.


    Yes, and it was in use for years and it was definitely hackable for years. I mean, that's — that was the thing that really caught my attention just sitting there next to a guy with a laptop who's connecting to a voting machine that, you know, is stating that it was used in Fairfax County in 2014. He connects to it wirelessly and takes complete control of it right in front of me.


    And, you know, there's been so much talk about the Russians and their involvement in the elections, and repeatedly, the Department of Homeland Security and other agencies, says there weren't any votes manipulated from one side to another. The hack that was just demonstrated here, what's the extent of the damage that it can do?


    Well, it could have — it could have altered the votes. It could have done anything to this one voting machine, you know, and it would have been undetectable after it happened. So, there's definitely concern about this one particular machine.

    I think broader picture about what vote — you know, what we need to worry about with voting machine security is only becoming clear right now. You know, I think for a while, people are really focused on the integrity of just these devices, you know, 10 years ago, we had audits of voting machines and there was a lot of discussion of this.

    But with what happened last year, the whole scenario of what could be hacked and how it could be hacked and the concept of the network being attacked, people are rethinking voting machine security right now.


    What was intriguing is, is that this voting machine was used in 2014, but the hacker looks like they had found a hole that was kind of — Microsoft had issued a patch for that years ago.


    Yes. I mean, this voting machine, it's called a WinVote machine. It's widely considered to be like the worst voting machine ever. So, the fact that it — that this happened to people that followed this is not surprising. I mean, we've known for years that these vote being machines were vulnerable. But it's hard to get access to them. And so, the act of actually seeing somebody do it is pretty rare.


    The strength and the weakness of our entire system is the fact that there isn't any uniformity in the kind of machines that exist in every jurisdiction all over the country and there's also no central I.T. staff that says, OK, here's the update, a software patch that's going to go out to everything at the same time, or that a hacker can get into one central system and hack everything at the same time.


    Yes. I mean, the conventional was that our systems were so diverse that it would be difficult to compromise them in a widespread way. But I think what we're learning about the 2016 effort, you know, the fact that there were so many states affected — now, these weren't voting machines. These were, you know, the machines that keep track of the registered voters, but the fact that remotely, people were able to access county systems like this, and what — you know, what might have — what might have happened after that is still a question mark.

    So I think the whole network of voting machines and people are really reevaluating this question of how susceptible the United States is to sort of a centralized voting attack.


    All right. Robert McMillan of "The Wall Street Journal", joining us from San Francisco — thanks so much.


    My pleasure.

Listen to this Segment