So our next presentation is Securing Voting Systems Beyond Paper Ballots, and Tod Beardsley is the Director of Research for Rapid7. We've got over 30 years of hands-on security experience from in-band telephony switching to modern internet of things implementations, had experience with 3Com, Dell, and Westinghouse as both offensive and defensive practitioner. Let's welcome Tod Beardsley.

Hi. Thank you so much, Dan. Yeah, holy moly. I don't, like, I'm like three and a half times older than her and definitely not three and a half times better. So, yeah. So, yeah. Hi. I'm Director of Research at Rapid7, and congrats. You get to see my research project that I've just started. I have very little in the way of real results, but let's go talk about them. I'm a CVE board member. I work with the Katie Turnbull Shoes here, or like two presentations ago. You know, I've been around vulnerability disclosure for quite a while now. I was also an election judge for a little while there, technically Republican. It's super easy to be a Republican, just vote in the primary, and then you get to vote twice against the guy you don't like. So, I'm sorry, oh, Texas.

So, yeah, let's just jump into it, right? A lot of what we see in the news today and a lot of what we see here at the voting village are all about the insecure voting machines. That is not this talk. I am not going to be talking about insecure voting machines at all. It's a big deal. I am not denigrating anybody else's research. It's all, you know, super important to cover that. You know, paper ballots are great. There's a whole bunch of IT around them, namely this. It just got released a couple of days ago by Motherboard, reported by Kim Zetter, that it turns out there's a whole IT infrastructure supporting these voting machines. And that's kind of where I live anyway. So, I thought, hey, how about I go talk to every county official I can find all across America.
And I work at Rapid7, so I've kind of dragged into my whole Rapid7 state and local sales force into dragging me into every meeting that they have now. And it's fine. I get like five minutes, 10 minutes with implementers, people who are thinking of buying our products, who are already thinking about security. So it's a little bit of a self-selected population.

But yeah, so I guess what I'll go through now is what I'm trying to ascertain here. First off, from the interviews I've had so far, I'm very impressed with the in-house talent at the state and local level. I think we, a lot of us have, I don't know, we have a cartoon of a government official in our head that's kind of not super happy with their job. And it's a very not-my-job kind of attitude towards security. I have not seen that. The folks I've talked to, they're very passionate. They know where the problem, they know where many of the problems are. They know that they are underfunded, understaffed. And hey, they sound like every other IT department. They're not terribly unique in that. But they're not uniquely unqualified for this challenge. So I'm pretty happy with the caliber of talent. I was surprised. I was the worst as well with this cartoon in my head of what they were like, right? So yeah, the in-house talent, I think, is doing okay.

When I talk to them, I ask them, so how are you securing your election systems? They are super into air gaps. As we see that doesn't always work so great, there are sometimes the air gaps, they touch. And that's no good, right? So air gaps are great. But the problem with air gaps are the unusual, unknown places where you have these crossover points, right? So as a core strategy, not bad, but I want to get kind of more into how can we bring more traditional network security to the election infrastructure, starting with penetration testing. Penetration testing is super, duper scary to people who run election networks.
They're kind of scary to people who run regular networks, too. Like we've done a lot of work over the last 20 years of kind of normalizing pen testing in normal production networks. It was not that long ago where it would be insane to hire hackers, to like knock over your stuff in production. Now we do it, like fairly commonly. I want to bring this to the election networks, especially the ones that do last longer than election day. We can get into that a little bit, oh, yeah, yeah, on this one. So like a lot of times the biggest challenge for pen testing that has been reported to me is that these networks are very, some of these networks are very short-lived in some districts. These networks may live a day, one day three times a year or six times a year, depending on how many elections are in that district and how much they're responsible for, which is rough. Pen testing in production on election day is fraught for sure, but hey, I think it's something worth talking about. I think you can definitely do some pen testing in a mock election. That is absolutely going to take time, money and training to bring up when you can have a fake election day and unleash the hackers then. That would be delightful.

And I guess fundamentally like I want to know, as a pen tester, I would very much want to know like the radio profile of the tabulation machines that spend most of their time powered off when you power them on, what's their near field communication, what's their Bluetooth, what's their Wi-Fi, are they searching for this kind of stuff? Has anyone noticed? Has anyone checked? That's one thing that I'm very interested in learning and this is what I recommend on these calls that I'm on.

I'm interested in the threat modeling.
Again, I'm not going to be talking too much about the physical attacks on the local physical attacks on the voting machines themselves, but I am interested in where these state local governments think the bad guys are coming from and what their goals are. Obviously, it doesn't really matter too much if, an attacker can do a couple things, right? They can be subtle and they can change a few votes, say, let's just notionally, if you can change the votes in the tabulation system, you could change a few and maybe get your guy or you could change a lot and kind of ruin democracy. I'm pretty sure that most people that I've talked to that are working in IT here are concerned about the latter much more than the former, which I think is accurate and real. I think that's a useful thing to do.

When it comes to a physical attack, though, one of our favorite attacks is, you know, scattering, you know, poison USB sticks in the parking lot and waiting for someone to pick it up and plug it in where they shouldn't. Is that the kind of attack that would be useful for an adversary? Maybe not so much on election day, but maybe two weeks, three weeks, a month before election day. Is that the kind of thing that we're training these IT professionals to keep an eye out for? So things like that.

Vulnerability management with the nodes in these election systems is not great. Like I said, a lot of times these endpoint machines are powered off, they don't get normal scan and patches, right? They're not subject to that regime. And as a result, it turns out there's a lot of Windows XP still living in state and local government. It's okay because they never touch the Internet and no one's actually reading their mail or doing anything on these things. Again, this is where pen testing can start testing that assumption. And that's really what pen testing is about. It's not so much testing your technology, it's just testing your assumptions about those technologies.
If I had a rock solid guarantee the bad guys could never get into my internal network, whatever that is, I might not care so much about patching or passwords or 2FA or anything like that, right? But I don't know until I test. I think coupling pen testing and normal pen testing, normal vulnerability management will go a long way towards helping these folks out.

A lot of times the IT administrators of these election networks have to deal with multiple data sources. It's something we don't often talk about. We often think of like election day and we have the voting machine and then those get put on a USB and then driven over to the high school gym and then they all get read in. But there's other data sources, right? There's absentee voting, there's provisional ballots. More and more states are supporting Internet voting. Mostly for these days it's mostly for military folks. They are voting over the Internet. As an attacker, like those secondary sources are gold for me. I very much want to get into those because I know those are even less tested. It's more unusual. This is the recipe for bugs. Bugs and vulnerabilities. Again, I don't have to be subtle here. For example, a write-in candidate on an absentee ballot is a super manual process. There is a person who tends to write that thing down. If I can fake up a million of these, that's pretty great. I can now throw all absentee ballots away. So that might be useful for someone who is not super interested in having stable elections.

When it comes to, you know, it is election night. It's time to transmit the results usually up to the state from like a local district or county or parish or whatever. It was made apparent to me that there are many ways to do this across. This is one of the problems, of course, that we are talking about a lot with running elections in America where we don't have one federal election. We have thousands of local elections all in the same day.
And they all have their own special way of transmitting results. Almost always this is over some kind of extranet. It might be secure email was told to me once. I don't know what that is. There might be VPNs. There might be, I don't know, it might be an FTP server. You know, we've seen that before. So I know one, Illinois in particular has already kicked off the Cyber Navigator Program, which is like the coolest name ever. I don't mind saying cyber. I'm one of those. But the Cyber Navigator Program, part of that mandate is a whole pile of money for what is essentially a private ISP that these election officials all are on. And so it's pretty robust. It's probably the most advanced network out there for transmitting results that we have today. So if anybody here work in state local government, by the way, I've been bagging on you guys a lot. But you are doing God's work. So thank you. Yeah. So, yeah, like I think that what we need to be doing here is having regular and routine reviews of these extranet touch points in particular. Again, sometimes they are very short lived. Sometimes they're on all the time. So, like, if they're on all the time, this is a great place to start thinking about pen testing, pen testing, vuln management, all the things. I'm going to say a lot of the same words over and over again.

Finally, I want to talk a little bit about sudden upgrades. We're going to have a lot of these by the end of the year. Many, many districts have state mandates to refresh and update their election infrastructure mostly in the form of these voting machines. We did it, guys. We told everybody to update these things. And now they have to actually use them. This is a little bit of a disaster for them. They have 20 years of tooling that now they have to suddenly make sure it works with whatever the new shiny is that they don't even know what it is yet.
Because it's still, you know, there are districts and communities that are still figuring out which, you know, which of the usually three manufacturers are they going with? How is that going to work? Who's going to run it? Are they going to be contracting that out? They've got 20 years of sometimes very custom, very local scripting. And if this sounds like a disaster recovery nightmare, it is. That's, and this is going to be a slow rolling disaster starting in December, culminating in around March when the primary elections are. So congrats. So I'm sorry. We were very good at that telling you that the voting machines suck and now you get a whole new pile of suck to go with it. And you have three months to do it. So hey, we could all do anything in three months, right? Yeah, that's going to be hard.

And speaking of disasters, there is one other area I want to cover that I talk about a lot is disaster recovery. In the last, what is it? Last six months, eight months, a lot more municipalities have been getting hit with ransomware lately. It's a trend. And, you know, why do you rob banks? Because that's where the money is. Apparently the money are in small cities and towns for ransomware folks. So this is, I cannot imagine like the cyber insurance industry. I don't know how cyber insurance works at all. And I don't think anyone does. And everyone's losing their shirt over this. So it's going to be changing real quick. But these localities have to be treating, you know, fire, flood, and ransomware like all as the same thing. I would love to be able to pay my way out of the path of a hurricane. Hurricanes, however, don't also have like sideline jobs in, you know, child sex trafficking, which sometimes is what ransomware is funding. So not super cool to pay that off. So naughty, naughty, I understand it's your data, but like, I don't know, test your disaster recovery a ton.

So anyway, this is the project I'm working on right now. I should have like real results and stats.
Like this is super rough and I'm very happy and thankful for Dan for having me up here today, Dan and Mary. But I believe by, oh, before March, let's say RSA, right, or maybe South by, I'll have actual data on all of this stuff. Like what are people actually doing, you know, some better data points. One of the stories, the Politico story that I cited at the beginning often has a mention there where political, Politico were able to survey IT folks, you know, several hundred of them. And so like the IT departments around the country are responsive to this. They do want to talk about it and that's very helpful for me. I'm happy I have an army of sales guys who will like, rope me into these calls, you know, but like, I guess finally, that's it.

I have a ton of time for questions and answers. I will not take up all of your time. I don't feel like I have to take all of the time. But this is an opportunity for me to hear like, what do you want to see out of this project? It's very survey based. What are the kinds of things that you'd like to learn ideally before March when the primary season kicks off? You know, in that.

Yeah. It's not a one size fits all kind of attack. That's a great point. And just to, I guess, summarize. The comment was the complexity works both ways. You know, attackers are not super big, giant fans of complexity either. Attackers have hours and, you know, jobs and deadlines and, you know, deliverables and stuff just like everybody else. It's so weird. You know, and so like complex things are hard. And the decentralization of the U.S. election system has some upside in that like you don't get to upset the whole election. You only get to upset parts. Of course, the problem here is as we've seen in the news over the last couple years is that the adversaries that we're most worried about are super good at profiling which districts matter.
Which is why mainly like I'm very interested in talking to folks in Ohio, Wisconsin, Michigan, Pennsylvania, Florida. I don't super care about Texas elections. We'll go the way we go. But those districts I do care about.

Mm-hmm. Mm-hmm. Sure. I... Mm-hmm. Oh, that's really interesting. Mm-hmm. So the question is, does voting early tip our hand to the bad guy? And if so, what do we do with it? I think voting early actually solves one of the most fundamental problems we have with voting in America is voter turnout. You know, internet voting, electronic voting, early voting, absentee voting, voting by mail all help with voter turnout. And that is, I think, far and away the number one problem. Like, and I think that's one of the things that we're most worried about. I think far and away the number one problem, like, and voter turnout is a security problem. If we had Estonian levels of voter turnout, it would make the job of attackers much, much harder. Because, you know, it's a larger voting pool and so like the kinds of changes you'd have to make would be commensurately much, much more significant.

So yes, ma'am. I cannot hear you. Ah! Absolutely. So the question was like, what are some technical details about air gapping? I am super excited to be writing about that as I get more data on it. But generally speaking, it means that notionally anyway, the voting machine never, never touches the internet. The tabulation happens either over serial or USB to a particular laptop that also has never touched the internet. And then results are then handed like sneakernetted over to other systems for transmission and the live updates for or given counties. Which is insane to me that I don't think it's actually a lot of sneakernetted. I think someone has snuck a cable in there somewhere. But we'll find out.

Yes, in the green. For sure. Absolutely. So the comment is that the...
Yeah, and if you are trying to fool me as an election judge that you're no longer a registered voter, your name doesn't match my Byzantine ID laws. So the comment was absentee voter fraud is a thing. And... For sure. And I do think that the voter registration... The upside of the voter registration is that that is like in the purview of kind of regular IT for these county, you know, county and state and local governments. Which tells me that they're much more amenable to things like traditional vuln scanning, traditional pen testing, traditional assessments, disaster recovery, all the normal things. Those are not on these like kind of weird, ephemeral election networks that are like hard to test, patch, and maintain.

I think that... Oh wait, no, I got one more in the orange right there. I'm pointing right at you. I think it's a great opportunity, I mean there is a lot of fear and they will come... I believe that state and local governments are going to come kicking and screaming into the world of pen testing just like the rest of networking did. And just like how corporate networking does. I don't know like a Fortune... What is it? Fortune 2000 company. Like every one of them has a pen test. And all of them are in production. And the economy is chugging along. So I do think that the expanding voting time, so like having two weeks of early voting, oftentimes it is the same network. Those networks are much longer lived. And so those would be a fine time. You're dealing with even in the case of a disaster, hey, guess what, you get to test your disaster recovery power. And I'm flip about it, but I do think pen testing is crucial to any modern, robust security solution. And I'm a little biased. I used to be a pen tester too.

But yeah, I think I'm about done. So thank you so much, folks. I will be hanging around outside the hall here and not blocking doorways. And if you want to talk to me more, great. I am findable at kubase.io slash Todd B.
So Twitter, email, whatever. Thanks so much. And please, if you want to help out, I'm looking for collaborators. Thank you.