Take Two translates the day’s headlines for Southern California, making sense of the news and cultural events that affect our lives. Produced by Southern California Public Radio and broadcast from October 2012 – June 2021. Hosted by A Martinez.
After acquiring a decommissioned voting machine, Anne-Marie “Punky” Chun and her colleagues at Synack set out to hack it. It took them only a matter of hours.
“Just looking at the security hygiene, it wasn't very strong,” Chun told Take Two host A Martinez in an interview. “The encryption password, for example, was hard-coded as ‘ABCD.' And it was used on the whole machine."
Chun and her team test cyber security in, arguably, the most effective way: by breaking in themselves. So when they though about the best way to check the security of election data, they knew they had to find a voting machine, and preferably an older one.
“We wanted to take a look at what was lying under the surface of these voting machines, and not just the voting machines from 2016,” said Chun. “We wanted to know how systemic some of the vulnerabilities were in the voting machines. So we actually procured a system that had been used in three presidential elections before 2016, and we set it up during lunch in our office, and had our researchers go at it.”
By the time we came back at the end of lunch, we had a plethora of vulnerabilities, and we were able to actually manipulate the vote tallies on the machine.
The machine they tested, a decommissioned WinVote from Virginia, had been in use since 2004. Chun found this alarming.
“So looking backwards, you know, you have to wonder how long has this been a problem,” said Chun. “And why did it take us so long to actually discover the problem.
She and her Synack colleagues attended the cybersecurity conference Defcon in Las Vegas over the weekend, and election security was one of the biggest issues. Officials from all over the country attended, including LA country Registar-Recorder/County Clerk Dean Logan.
For Chun, this was a good start—but it was also just that, a start.
“What we're really looking at is a much bigger problem than just what we saw in 2016,” said Chun.
I think it is taking big stories like this to engage with Congress, to engage with policymakers and suggest that we take a more adversarial, proactive approach earlier on. I think that today, voting machine suppliers have been very concerned about the IP and haven't wanted to share the systems more broadly. But we do need more of a crowd-sourced approach here if we're going to make them more secure in the future.”