Hi everybody, thank you for coming today. I know that it's getting somewhat late, but what I want to talk about is the other targets that surround the election system. Now I know that a lot of us are concentrating on the voting machine and certainly I have been, but there's other ways, as we've probably heard some of the other speakers mention, that elections can be swayed. So what I really want from everybody to get out of this is to understand that the voting machine is very important and we have done a lot of research into it and things like that, but there's other things that we need to consider.

So this is me and I've put this slide deck together just because a lot of times with security we think that this is done by these people in a dark room in a closet and things like that. No, I mean we are normal people. I'm a private pilot, fixed wing drone pilot and love life and freedom and everything else. So this is normal people doing normal things that are finding just how easy it is to get vulnerabilities and to compromise our election systems.

So I'm from the purple state of Florida and I promise I did not plan this out and if you guys have seen Harry going around the voting village he's wearing a purple shirt. So somehow we must get the memo. So Florida is always in the news about something, whether it's alligators or if it's the recount of 2000, the gubernatorial race of 2018 and of course it was the scene for Hacking Democracy where Harry and Bev and Dr. Hugh Thompson did a lot of filming in Florida and just so happens that I'm from Florida also.

So the voting machine, I knew I couldn't get out of here without at least talking a little bit about the voting machine.
This is one that we've simulated the whole election system and you'll see as I talked about the various components of this is that the first one that I looked at was in 2016 in preparation for DEF CON and it was so riddled with vulnerabilities and things like that that we decided that hey, let's just make our own with all the other components of it and that way we can talk about the security aspect because it wouldn't be that much fun if I brought the real voting machine to Black Hat back in 2016.

But something that I find as I looked into this voting machine and along with the other components of the modern day election system is that a lot of the basics aren't even being done and I know we've heard that quite a bit. Some of these, and I use the air quotes, hard drives are just regular CompactFlash cards and if you guys go over to the voting village you'll see some of those CompactFlash cards. Some of these, air quote, hard drives, maybe they wanted to make them a little more secure by embedding the hard drive onto the board itself and they used a type of chip called a BGA or ball grid array. This is nothing more than a memory chip that's soldered to the board so a little manipulation and we're back to square one.

This is something that's really important as you see these machines, regardless of the operating system, I've looked at two separate ones and both of them were different operating systems but it wasn't even the basics weren't utilized. So there's no encryption, full disk encryption and those kind of things and even our phones have those on them now and most laptops, I mean if you have an Apple product you click FileVault and it's done and so there's, you know, tons of things that aren't even being met by basic security.
So just a slight disclaimer, because I know I always find one person in the crowd that says, you know, debunks, you know, things that we try to say, but these are just the machines I looked at, two of them from two separate manufacturers, and the last one was used in the last election and the other one was used in the 2016 election. So anything I talk about throughout this presentation is just the hardware that I've had the utmost privilege of exploiting.

So the memory cartridge is, whether it's made by Sequoia or any of the other vendors, there's some kind of medium that flows back and forth. And so one thing that I hear a lot of is these machines are not connected to the internet, and most of the ones I've seen, they did not have a direct internet connection. But if you take and put a memory card or anything inside of a machine that doesn't have internet connectivity, then you put it in a machine that does have internet connectivity, and then you put it back into the other machine when you have internet connectivity, you just have really, really long ping times and latency and stuff like that. A lot of us in the business call it the sneakernet, right? So you don't have an Ethernet, you have a sneakernet between them.

And so these voting cartridges are perfect for reading and writing stuff, too. Moreover, since they're not encrypted at rest, whenever I received the voting cartridges it was pretty simple. This form factor here, while it, you know, some of us that have been around for a little while understand that that's a PCMCIA or laptop card. And so for a couple bucks on the internet you could buy one of these things, and they're very outdated, and you plug it in, and the ones that I bought actually had the election system ballots still on there. Now, I couldn't see who voted for who, but I could see who had points in different areas in the tally and stuff like that. But what this gave me was a glimpse into how these machines work, and because that was available on one of the major online auction
sites, I was able to grab this. No full disk encryption. So this is a very high value target that I acquired as a good guy, but it allowed me to make my own ballot, which was pretty cool, and the machine accepted it and did its integrity checking and all that fancy stuff and seemed to load it up, so that was pretty cool. So, you know, as we move forward with these, and I know that a lot of people talk about these not being connected to the internet, just rest assured that unless you're using things like write blockers and all kinds of stuff, really this, to me, is one of the highest value targets, because this is used to not only load the ballots but it's also used to write the information then to the cartridges that are transferred, so you can do things like stuffing the ballot box virtually and things like that.

This is something I've been focusing on quite a bit lately, is this piece of the election infrastructure, is what myself and my friends and everybody else hopefully stays up late at night on election night to see, that real-time dissemination of voting, right? It's almost like the Super Bowl's like, yes, this state's reporting, and this much stuff. Well, this dissemination system is something to me that's greatest concern, because there's not a standard protocol and procedures for how does this information get disseminated. And so as one of the other speakers were talking about, some people use Twitter and stuff, but in general what I found is that there's not so much a nationwide central repository. Most of this stuff is stored out on cloud servers, whether it's, you know, name your major provider. But whenever I was looking into this, into these buckets and shared drives, currently, as of three days ago, because I wanted to make sure that my talk was current, that this is still a factor in one of the states that is storing the same data from the election results, the unofficial results, in the same bucket of data or shared drive, whatever you guys want to call it, as the division of
corporations records. And so now, we know, a security professional, right, I mean, let's get least privileged access. And now something I wonder is that if they didn't take a little bit of forethought to say, you know what, why don't we at least get our own bucket or own shared drive and have just this in there. Now someone can be compromised from the division of corporations at this specific state and could change this file or manipulate it. Now the news media, or whoever's pulling that information so they could be the first one to call a state, that file, I mean, there's no hashes and keys and MD5s and all the stuff that us look at when we download stuff. So you know that this information could hit the news media very quick, and me being from the purple state of Florida, they could call the election for one candidate or the other, and that may have people staying home because they're like, oh well, they already had it.

Moreover, you know, this free flow of information, I really do love it, but when you think about it, they're using things like exit polling data. I know that my wife was involved with one of these exit poll things, and they instructed her to download an app and she was supposed to poll these people. I'm like, wait a second, let me take a look at this application you just downloaded to your phone. So, you know, where's the security and the integrity? And we just heard not a couple days ago that one major online dating app was leaking not only pictures and stuff like that, but, you know... So this information is flowing pretty quickly, and we need to make sure that this is, you know, there's at least some kind of standards and stuff in place that control how this data is stored, where it's stored at, and things like that. And then simply with the app that I looked at on her phone, it said that if there was not any data for the exit poll, like maybe, you know, someone didn't want to do that, you could click that and then they would use historical analysis for that precinct area.
So I just think that really, as we talk about this part of the election system, which it is a part of, this real-time dissemination of data, I mean, this needs to be looked at to make sure that someone doesn't manipulate this to, you know, sway the outcome of an election or cause some kind of unrest and distrust.

Are these smart cards, these are awesome. I think I still have one on me that we actually made ourselves. These smart cards is what they tell a lot of people, well, you know, we use a security encryption and you got to have a card. And from the best that I could tell is that you go up and you get one of these smart cards and then that just allows you to vote, but your information isn't stored on there. But digging in a little bit more, we've seen tons of exploits in the smart cards, and I don't want to have a show of hands because I don't want to incriminate anybody, but, you know, back in the day there was a certain digital satellite broadcast company that had a lot of issues with their smart cards, right? Rumor is it was hacked before it even went up. And so smart cards are notorious for vulnerabilities and stuff, but what's more interesting is that on the output of these cards it's simply serial commands, right? So it does some processing inside with the CPU, does all the stuff. So if, in the demonstration I gave back in 2016, we were able to simulate a compromise of one of these smart cards and we were able to, you know, vote multiple times and stuff like that. Now, that would probably get detected because, you know, too many people voted for that precinct that's registered and stuff like that. But, you know, when you look at this as one of the targets of the modern election system, there's more work that needs to be done. I mean, there's all kinds of things into this, from cloning to manipulating to glitching and all kinds of stuff.

So we've talked about the communications path a little bit on this here. Really, this is how this information is loaded to the machines and
how it goes from the machine back and into the dissemination. But moreover, the communications paths I'm talking about with this is in the peripherals of the machines. These are the printers that print out that all official tally that says this is the stuff that, how people voted, and you sign it as the poll worker and turn it in. I have one demonstration that I gave into one of the voting machines where my boss, because I kind of like him because he, you know, pays my bills, I made it where he won the election, and when the tally came out it was completely legit and stuff to the eye of the poll worker and they needed to sign it. Well, there was a compromise in the path where, no matter how the machine voted, then I could make it print out whatever I wanted by looking at the candidate. So it was pretty technical as far as to try to evade detection, but the end result is that whoever was the winner, the name that I inserted would automatically be the winner of that particular one.

Yeah, so all together, you know, all these devices. Another thing is that for Americans with Disabilities Act type requirements, you know, these audio files that are loaded onto the machine, you know, when someone plugs into that headphone jack, one, I can replace, you know, the file on the machine, but moreover I could have also audio inside of there that maybe it's just white noise and then they have an issue with the machine or something like that. But moreover, I can put in the audio file and tell it, you know, left is this candidate, right is that candidate. So when you look at these paths, you know, it's not just the machine, it's everything that's connected to it, network wise and peripherals and stuff like that. We've had demonstrations where those paths can become compromised to then put out different results.

Of course, social media. This is something that's really starting to play out, and also like we saw with Cambridge Analytica and things, you know, a lot of people, just like the front page of the
paper, no one really would read... I don't get the paper anymore, but I've heard that no one reads past the fold, right? Whatever's at the top. Same thing with Twitter and Facebook and stuff like that, not too many people go and do in-depth stuff. Google, you know, that's why they charge so much to be one of the top search results. So with social media anybody can say anything they want, and also too they can profile groups of people, and by seeing who your friends are and stuff like that, to then feed this information.

Websites is a real, real big one also, because anybody can register any domain for anything, right? So we see this a lot, like someone doesn't like a major company, is like "this company sucks dot com." Well, candidates' names, through domain squatting and stuff like that, can also be used by adversaries to be a target, where if you want to do more research, maybe type in the candidate's name. But moreover, you know, through domain squatting, stuff like that, you put something out there that's a very highly controversial subject and say they're for or against it.

You're seeing a lot of these, Facebook and Twitter are doing the shadow banning and those kind of stuff, and so I've gotten a couple personal invites to join our Slack channel or join our Discord channel because we can post whatever we want. And these I think are just highly susceptible, because, one, if you're sending out all these invites to Slack and Discord for these private channels, but also that is just a megaphone where people can get in there and say whatever. And so, you know, I think with a lot of the social media and things like that, with some of the censoring and banning, regardless, you know, what your views are of that, you know, you're seeing these private channels that are being created, and to me those are, you know, just ripe for the pickings.

So the question is, we get all the time, what's going to happen? You know, in my professional opinion, what's likely to play out is there, it only takes one machine and one
precinct and one county to be compromised. That's it. Then the other problem is that we don't really have the mechanism to understand whether that happened or not. And one particular machine that I had the luxury of playing with, I was able to put devices and components in and out of that machine, and us as security folks, we're like, oh, why don't we just go to the logging data? Why, I found out that that particular machine was only logging data that the vendor actually cared about, which is the ballot load, did, you know... So they don't care if you, or in this particular one they didn't care if I put a network card in and out of the machine. They didn't care about that, you know, that was never logged. So the problem is that with hacktivists and things like that, or other folks, all they got to do is say it, and then how do we prove it? I don't think that, you know, I think we're more able to see things, you know, injected with bogus data, like I said with the media and things like that, where, you know, those systems become compromised, and then, you know, of course defacing.

Insider threat. And the reason why I put insider threat is because this is one of the areas that I hear all the time, and we've heard a couple other speakers talk about it, is that they say that, well, you would have to have physical access to this machine. And so I roll back to my first slide. You mean the guy that's, like, happy-go-lucky and loves life and stuff? Yeah, I'm not going to go break into a precinct and do this, but when you read the SOPs on official government letterhead that says you should plug the machine in at night at your house, and I'm kind of, you know, ad-libbing here, so the batteries are completely charged, I mean, it only takes a few seconds in any of these attacks. So the fact that, you know, the insider threat, just go, you know, volunteer to be a poll worker or something like that. So saying that, you know, someone that's highly sophisticated would have to have access to it, it's not that. Just like I
mentioned with the satellite card days, right, I mean, you could buy the equipment where someone could just press a button and do it. So the insider threat to me would be the biggest to the physical machine, but the rest of it is, you know, through disinformation.

So with that, I'm trying to speed it up a little bit because I know the other one ran a little long, so anybody has any questions, I guess I could take one or two. Or see you at the back. Oh, right here.

The first thing I zeroed in on really quickly is you said they're going to get an email. Uh, yeah, I mean, there's, uh, to me that would be one of the first... I'm not saying the email is not secure, but, you know, when you look at that, now, you know, what is, what email address is getting, uh, registered, or how they send in this email, and all the other things around that. And then you said a telephone, uh, what's going to happen is that cell phone perhaps, right? Yeah, um, because SIM jacking is not a real thing in modern times, right? So yeah, I mean, you know, any of these systems, they can be secure, and that's what I tell everybody, like, we have the technology to solve this, right? I mean, we have things with open ledger technology and we have... but right now, you know, I try to stay out of the political part as a professional, but we can't even decide if we're going to show our ID or not, or when we go to the polls. So, I mean, now we're going to collect phone numbers and stuff like that. So yeah, I see a lot of concerns and issues with that.

Oh, yes ma'am. Yeah, so I think there's definitely a future for blockchain, and I'm really, that's why I'm very excited that DARPA is, uh, at the voting village and they're working towards that open source voting system, because I think the more eyes that we have on this the better we are. Uh, I mean, case in point with the voting village now, I mean, we have thousands of, uh, and, you know, experts look at that and they're finding vulnerabilities left and right. And so when you think about it, when you open source, and I know there's two
camps, and I'm in both camps with open source technology, but I think for what's at stake, I think that we need as many eyes looking at the source code and things like that. So blockchain is definitely one of them. And, you know, like I said, I've been on conference calls with some congressmen and women and a few senators, and very quickly the conversation deteriorates, not from the election security, but it's states' rights and sovereignty and stuff like that. So I think anything that's out there that could probably solve the problem, we need to get over some of the, uh, social, uh, sociological issues first before we even attempt to do that.

So, yes sir, in the back. Sure, yes, um, definitely. So this would be the last question because I'm getting the cue from the back. Uh, I think what we're doing right now is what our best hope is in the short term, is the education piece of it, because before folks like Harry and team started looking at this, these were essentially just devices that no one really, you know, looked at. And now I think education, even my mom, if she goes to vote and she sees anything wrong with that voting machine, she is going to be hyper aware. So the more we can educate, and it's a very complex ecosystem that has, you know, with a modern day election system, so maybe there's a senator or person or IT professional at a county or something like that. So I think we got to do a course correction for this big ship that's, uh, that we're sailing on. So I think in the short term there is hope. Uh, like I said, I don't think that there's going to be widespread exploits into the voting machines that's going to change the outcome of the election, just, I don't see that. But now that people are educated, I guarantee you, there's any glitches whatsoever, it's going to hit, uh, the social media outlets and TVs and stuff like that.

So, well, I appreciate everybody coming, and, um, like I said, I'll be floating around in the back if anyone has any other questions and stuff, and
with that, enjoy your DEF CON.