Since the 2000 Bush-Gore election crisis and the hanging-chad controversy, voting machine vendors have been offering touchscreen voting machines as a solution to America's voting woes - and security researchers have been pointing out that the products on offer were seriously, gravely defective. Nearly 20 years later, the country's voting security debt has mounted to incredible heights, and finally, just maybe, the security researchers are getting the hearing they deserve.

This year's Defcon security conference in Las Vegas sports a "Voter Hacking Village" where surplus voting machines (purchased in secondary markets like Ebay) were made available to security researchers who'd never had an opportunity to examine them, who were then invited to hack them in a timed trial. The winning team hacked their machine in minutes. Also, organizers revealed that many of these machines arrived with their voter records intact, sold on by county voting authorities who hadn't wiped them first.

I was in the room for some of this, and attended some of the excellent accompanying talks. The case for auditing and improving the country's voting machine security has never been made plainer, or more urgent.

One important note: voting machines increasingly use Digital Rights Management (DRM) to restrict software updates, which triggers Section 1201 of the 1998 Digital Millennium Copyright Act (DMCA), under which security researchers face potential criminal and civil penalties for revealing defects in products that are designed to control access to copyrighted works. The Library of Congress granted a limited exemption to DMCA 1201 for voting machine research in 2015, and are likely to renew that exemption this year - but there's a (big) catch. The LoC can only grant "use" exemptions, not "tools" exemptions. That means they can immunize you from liability for undertaking an activity (like bypassing DRM to investigate the security of a voting machine), but you still aren't allowed to share tools (or information that would help make such a tool). That means that security researchers are allowed to tell you that a voting machine is insecure, but face jail time and huge fines for describing their methodology in the kind of detail that would allow you to independently verify their research.

This is a huge problem that acts as a major impediment to securing these machines. That's partly why the Electronic Frontier Foundation brought a lawsuit against the US Government to invalidate DMCA 1201. It's also why we've asked the World Wide Web Consortium to amend their existing policies so that its controversial video DRM standard won't become an impediment to investigating defects in systems that use browsers as their front ends.

One of the tracks at Defcon is called "Skytalks," and it was founded after a W3C member (Cisco) had a security researcher arrested for going public with his investigation of defects in the company's products (he'd attempted to raise this alarm internally at Cisco without any luck). At Skytalks, no recording or cameras are permitted, and speakers present anonymously to avoid legal retaliation. The Skytalks presentations are only cursorily described in the program, so vendors don't get advance warning that their products will be discussed in the room. Many of the Skytalks presenters revealed defects in systems that used browsers and HTML5 to control them, and showed how the browsers and HTML5 components could be exploited to gain access to the systems they controlled. One talk revealed that the most common medical device used to monitor vital signs during surgeries (also manufactured by a W3C member) could be hacked by attacking its HTML components, so that it would report that a patient's pulse, oxygen, etc were fine, even as the patient was dying on the operating table.

Browsers are the control surface for an increasing slice of the "Internet of Things" - from voting machines to medical devices to cars - and we can ill afford to create no-go zones within them that can't be safely audited by security researchers.

While many people at the Voter Hacking Village zeroed in on the weak mechanical lock covering access to the machine's USB port, Synack worked on two open USB ports right on the back.