How to Hack a Voting Machine
Hacker Rachel Tobac talks to OneZero about DEF CON 2019 and fighting back against election hacking
Rachel Tobac doesn’t seem like those hooded hackers you see in standard stock art. She’s friendly and welcoming and the first to offer that she didn’t come from a technical background. In short, she has all the skills of a successful social engineer who could convince you to turn over your passwords without even knowing it. But Tobac isn’t interested in your passwords — she’s more interested in showing you and your company how to protect them.
After a video of Tobac hacking a voting machine at the hacker conference DEF CON went viral in 2018, she made improving election security a personal mission. She now works with organizations to help lock down their human processes against social engineering threats.
Tobac spoke to OneZero from her burner phone a few days after returning home from DEF CON in Las Vegas this year.
This interview has been edited and condensed for clarity.
OneZero: I want to start by asking you what you call yourself. A social engineer?
Rachel Tobac: I would call myself a hacker. Sometimes people like to use the phrase “white hat hacker,” because they’re trying to differentiate themselves from criminals. And sometimes people use the phrase “black hat hacker” to describe a criminal, but I prefer to just call them criminals. So I would say I’m a hacker, not a criminal.
Tell us what brought you to DEF CON the first time.
My husband is a cybersecurity researcher, and he went to DEF CON many, many moons ago. He called me on a Friday night when he was in Vegas and said, “Rachel, I lied when I told you that you didn’t need to come to Vegas for DEF CON. You need to buy a ticket out tonight.”
I was in a conference room at work. At the time, I was a community manager. I was completely nontechnical, not involved in the hacking space or world in any way. I had a background in neuroscience and statistics in psychology, and I was like, “Evan, I love you, but why do you think I would go to a hacker conference? It’s gonna be way over my head, and I’m not going to understand anything. I’m not going to belong.”
And he said, “Well, you know how you always say that you call Comcast and get the bill lowered every month? That’s what they do at DEF CON. They have this social engineering competition called Social Engineering Capture the Flag, and they get people to go into a glass booth and hack companies live, and I think you should do the competition.”
I ended up trying out for the competition, and I was a winner for three years in a row (second place each year), which is pretty wild.
How has DEF CON changed since you started going?
DEF CON this year was huge and very distributed. [DEF CON organizers told OneZero that more than 30,000 people attended.] When I started, it was definitely smaller, so it’s cool to see how much it’s grown and how much more the media is aware of what DEF CON is doing. I spoke with CNN and the Today show, and both of them used the word “hacker” to describe someone who was helping other people.
To see that shift happening in the public sphere is so cool, because we used to really have to differentiate between hackers and criminals, and now they’re working on getting the language right.
You spent most of your time in the DEF CON Voting Village, which they say is the only public third-party assessment of voting infrastructure in the world. Tell us what it’s like there.
The Voting Village is one of my new favorite places to spend time at DEF CON. It has dozens of voting machines that were used recently in elections, and you get a chance to take them apart and try to get them to do things they’re not supposed to do.
They had an accessibility-based machine that was used in the 2018 general election in Williamsburg, Virginia. We were able to break out of the voting terminal and affect the memory and crash the machine in less than a minute, and all we needed to do was plug in a USB keyboard. It was super fun for me to be able to work alongside other hackers and test out that exploit and learn what we can do about it.
Did you need physical access to all of the machines that you were able to hack?
The exploits I learned required physical access to the machines. What was really interesting is that the AccuVote-TSx attack that I posted on Twitter can be done without tools, and it takes only about a minute or so to do the entire attack. So, if you’re behind a curtain or your poll workers aren’t paying attention, all you have to do is pull out a card reader and reboot the machine to get admin access and do nefarious things.
Not all polling places work the same way. Sometimes the voting machines are out on the floor and the poll workers are around and doing a great job of watching. Other times, the poll workers might not be paying attention. These machines are also in storage for many, many months of the year, where tampering could occur.
We know it’s an impossible goal to make the software and hardware that we use in elections invulnerable. Because of that, the solution is to use a system that doesn’t rely on having perfect software for a high-integrity election.
The only way you can have a 100% success rate of being compromised in an election is if you don’t vote.
To circumvent the issues we find from having fallible software, we need to have voter-marked paper ballots that are counted by computers — which, of course, could fail or be hacked — and they have to be followed up by risk-limiting audits so we can verify the computer-counted outcomes.
This is called software independence: creating an election system that doesn’t rely solely on software, so if tampering does happen, we can find that during the risk-limiting audit.
Do you think tampering with elections is all about disrupting the election, or are these just chaos monkeys trying to disrupt people’s confidence in the election?
I think both are really big issues. Actual election tampering is a real threat. We want to make sure there isn’t actual tampering or error during the election process. Those voter-marked paper ballots counted by computers and risk-limiting audits eliminate a lot of those issues. It’s just that it takes a lot of pressure and funding from the government. We also have to make sure people vote no matter what. Election security folks are often the first ones in line at their polling places (when they’re not volunteering at the polling center themselves).
What do you say to people who see your videos and think, “Well, I guess my vote won’t count.”
What I say to that is the only way you can have a 100% success rate of being compromised or disrupted in an election is if you don’t vote.
The very best thing you can do is to put pressure on your government and make sure that we can have things like risk-limiting audits while we secure our processes, which will take time.
Also, people like Matt Blaze, who’s at the forefront of security researchers, are volunteering as poll workers. And the big thing they’re really imploring people who are interested in election security to do is to volunteer to become poll workers. You’re going to know what to expect and what to look for.
What else can we be asking for in terms of election security?
Learning about these exploits is really interesting and really important for us to secure our election processes, but the most important thing is that you go out and vote. Don’t self-own.