LAS VEGAS — Nineteen tables are spread across a ballroom the size of an Olympic swimming pool, each with its own set of voting machines. Hackers crowd around them, tinkering, unscrewing, and more or less destroying anything with a power button.
This is the Voting Village at DEFCON, the annual “ethical hacker” conference in Las Vegas and one of the few places where pretty much anyone has permission to do whatever they please to equipment that would otherwise be locked away.
At the last in-person DEFCON, in 2019, well before “Stop the Steal,” the “audit” in Maricopa County, and the conspiracy theory that Nancy Pelosi’s husband owns one of the country’s largest voting machine manufacturers, attendees packed the village. Now, two years later, the issue has become even more of a national obsession.
DEFCON is a meeting place for the different stakeholders in the world of cybersecurity: grungy hackers, nerdy academics, security researchers, election officials, voting machine manufacturers, and representatives from the Election Assistance Commission (EAC), the federal agency whose security guidelines nearly every state relies on to some extent. For a few days, DEFCON enthusiasts and conspiracy theorists gather together and race to see who can prove voting machines are insecure.
With its made-to-be-shared antics, the village regularly produces viral tweets and national headlines. It also has quick impact: Following demonstrations at the convention in 2017, Virginia’s Department of Elections recommended decertifying some of its machines effective immediately. “Multiple types of DREs, some of which are currently in use in Virginia, were hacked, according to public reports from DefCon,” the agency wrote.
Before the 2020 election, these stunts were vaguely concerning to the general public but largely confined to the elections industry. This has since changed: After former President Donald Trump’s defeat in 2020, material from DEFCON is now being used to sow the Big Lie that Trump actually won the election. Last year, Trump tweeted a video from the conference to support his baseless accusations of fraud. Many of the village’s experts, like one of its organizers, Harri Hursti, were approached by lawyers working to challenge the results of the 2020 election. Even if they refused to cooperate, their work was included in the infamous “Kraken” legal briefs that were supposed to prove the presence of widespread voter fraud (they did not).
Countless audits later, many Republican officials are still arguing that our election infrastructure could have been compromised in 2020. Meanwhile, the federal agency that leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure called the 2020 election “the most secure in American history.”
And then there is DEFCON. The experts here agree that there was no evidence of widespread voter fraud in the 2020 election, and many have worked hard to debunk those conspiracy theories. But with its sensationalist rhetoric, flashy theatrics, unstructured hacking, and lack of context about how elections operate, DEFCON also emphasizes the vulnerabilities that are possible, even when they’re not necessarily probable. As a result, the event serves as easy fodder for dis- and malinformation, showing how even well-intentioned experts are being used to prop up the Big Lie.
Throughout the 2021 conference, VICE News spoke to roughly 40 attendees. Most couldn’t explain the difference between certain voting machines, many didn’t remember whether they cast a ballot on paper or a digital touchscreen, and almost none, including an election official, knew which machines were in their local polling sites. Still, they argued that the U.S. needs to fundamentally restructure elections.
“We know every single machine in this room can be hacked,” Hursti said on the first day of the August 2021 convention. “And every future machine can be hacked.”
For the event last August, all of the Village’s presentations had moved online due to COVID, and about 50 people were in the ballroom at any one time. The morning of the first day, two men started cheering at a table near the entrance.
They were fiddling with screens about the size of a laptop, and it sounded like they had a breakthrough. “We found two credentials on the database,” one told VICE News.
“When it said ‘password,’ we were expecting some kind of encryption,” he said, “but there wasn’t, so we were just really surprised.”
For the next 20 minutes, the twentysomethings inspected the desktop’s recycling bin and debated whether it was safe to transfer data using a USB drive they’d found on the floor. They were shocked how easily they could access administrator files—but did they know what this machine actually did? They both paused. “Is it an electronic poll book?” I offered up. They looked at each other.
“I don’t think anyone knows what they are,” one of the dozen or so onlookers said, laughing. “They’re just getting into them.”
The people at the village came because they love hacking, not voting.
Popularized at the village over the past couple of years, the perception that voting machines can be hacked and votes flipped is now common. Republican officials have pushed or are pushing for audits not just in Arizona but also in Pennsylvania, Michigan, Wisconsin, Georgia, Florida, Virginia, Texas, and even Utah, which broke for Trump by 21 points in 2020.
Perhaps more troubling, the paranoia around voting machines is interfering with the administration of elections. In May, the Ohio Supreme Court had to order the Stark County commissioners to appropriate funds for a new set of voting machines after the all-Republican group refused. That same month, an elections supervisor in Colorado allegedly granted unauthorized access to her county’s voting machines, whose passwords ended up on a far-right conspiracy theory website. And in Michigan in October, a Republican township clerk who was later stripped of her duties had QAnon memes on her social media and refused to allow routine maintenance on a voting machine, which then went missing.
Regardless of how you cast your vote, it relies on at least one of the machines present at DEFCON. If you do it in person, the poll worker probably checks you in using an electronic pollbook, the tablet that verifies your identity and issues your ballot. Then, you may vote on a touchscreen, either a direct-recording electronic machine (DRE) or a ballot-marking device (BMD).
If you use a hand-marked paper ballot, whether at the poll site or via the mail, it’s almost certainly counted using an optical scanner, and even if you’re simply registered to vote but have never actually done so, your personal data—potentially your birthday, home address, party affiliation, Social Security number, and a photo of your signature—are stored in a database connected to the internet.
However, no one—not the EAC, the voting machine manufacturers, or election officials—seriously argues that these machines are 100 percent secure.
“There is no technical mechanism currently available that can ensure that a computer application—such as one used to record or count votes—will produce accurate results,” reads a 2018 report from the National Academies of Sciences, Engineering, and Medicine. “Testing alone cannot ensure that systems have not been compromised,” it states, “and any computer system used for elections—such as a voting machine or e-poll book—can be rendered inoperable.”
For that reason, some election security activists say that the only secure voting system is hand-marked paper ballots (with machines available for voters with disabilities, per federal law).
That’s the argument made by the Coalition for Good Governance, a non-partisan nonprofit organization advocating for election transparency and verifiability. Despite Georgia recently investing tens of millions of dollars in a new electronic voting system, a pending lawsuit by the coalition claims that it’s “inherently not secure enough for use in public elections.”
Some see this line of argument, and the activists behind it, as not just misguided but also downright dangerous.
“Trump used their arguments after they’ve claimed without evidence for years that the machines were hacked,” said David Becker, executive director and founder of the Center for Election Innovation and Research, a nonprofit that helps election officials secure their election technology. “They’re wrong, they’re hurting democracy, and they’re still doing it, aiding Trump in the process.”
Over the last few years, questioning election security has slowly moved to the mainstream. “There have always been rumors in the election space,” said Michelle Shafer, a former senior executive in the election technology industry and now an elections consultant. She points to the 2006 conspiracy theory, now living a second life, that Venezuela secretly controls our elections. “But [the conspiracies] were more things that people laughed about. Like, it didn’t reach the level of consciousness where everyday people on the street would have heard of any of these [voting machine] companies.”
The 2016 election created the perfect conditions for these fringe theories to metastasize into the ordinary. Defying historically inaccurate polling data, Trump won the Electoral College by 107,000 ballots but lost the popular vote by nearly 3 million.
The left was horrified, and no one capitalized on it better than Green Party presidential candidate Jill Stein. In less than a month after Election Day, she raised $7.3 million from nearly 161,000 donors to initiate recounts in Wisconsin, Michigan, and Pennsylvania, where the campaign sued to examine the state’s voting machines.
In court, Stein’s expert witness, Alex Halderman, a professor of computer science at the University of Michigan, said that an audit of the machines was the only way to truly know if they’d been compromised. The manufacturers in the industry wouldn’t be of help. They’re “shockingly secretive,” Ben Adida, the executive director of VotingWorks, a nonprofit building its own voting machines, told VICE News recently. “You can’t get at their user manual,” he said. “You can’t try out their interface online. You can’t get your hands on these machines.”
The federal judge wasn’t convinced and denied Stein’s petition to inspect the machines. The same thing happened after the 2018 election in Georgia, in which roughly 80,000 votes “went missing” in the lieutenant governor’s race. The Coalition for Good Governance asked a judge to order a new election and require hand-marked paper ballots, which the court denied in an 8-0 ruling, writing that any attempt to overturn an election requires “evidence—not merely theories or conjecture.”
Some argue that being asked to provide evidence before they’ve been given permission to examine the machines is an impossible dilemma. However, claims that were unsuccessful in court have found a receptive audience at DEFCON.
During a presentation in 2018, Halderman inserted his own code into a DRE during the same step of the pre-election process when election officials would upload the layout of the ballot.
In Halderman’s mock election, George Washington earned the most votes, but the winner was Benedict Arnold (hackers are nothing if not cheeky). “Every U.S. voting machine subjected to rigorous independent security review suffered vulnerabilities that would enable vote-stealing attacks,” Halderman told the audience.
This was the same year that child hackers headlined misleading stories about the convention: “Kids at hacking conference show how easily US elections could be sabotaged,” declared the Guardian.
However, what the teens really “sabotaged” was a copy of the website used to report preliminary, unofficial results to the public. “The sites are not connected to vote counting equipment and could never change actual election results,” said the National Association of Secretaries of State at the time. This context is rarely invoked at the convention, further conflating what’s possible with what’s probable.
Often, rhetoric from security researchers suggests that the threat is terribly imminent. As one computer scientist told VICE News after DEFCON, “If someone demonstrates to you that there’s a bullet in the revolver chamber and you choose to play Russian roulette with that gun, who’s at fault?”
Later in the conference, I walked over to a group of hackers working on another machine. A woman there told me that the election results were unencrypted and could be modified. It had taken only 15 minutes for her and the rest of the group to unscrew the machine’s cover, expose the USB and ethernet ports, and connect their keyboards to the device.
Like many of the hackers there, she refused to tell me her name or hometown. But she said she votes in a church in a small town in New Jersey and thought she’d have more than enough time and access to repeat this process in a real election. “It should not have been that easy,” she told VICE News. “This makes me have absolutely zero faith in the integrity of our elections.”
It’s not that easy.
Every voting jurisdiction has a chain-of-custody procedure for every step of the process: locking machines in a secure location, protecting them with tamper-evident seals, running logic and accuracy testing to check for malicious code.
Under these real-world conditions, are the feats at DEFCON realistic? Hursti is evasive on this point. “When you do vulnerability research, you do whatever is needed to find a vulnerability,” he said. “How it’s weaponized is not part of ethical hacking.”
Instead, Hursti tends to focus on how those security protocols aren’t properly followed, and in a country where elections are administered locally, with over 10,000 jurisdictions total, there’s always someone messing up.
“It’s a common practice in the United States that poll workers go the day before or the week before the election, pick up the voting machines, and carry them to their home,” he claimed. “So, voting machines are casually stored in poll workers’ garages and whatnot.”
VICE News spoke with election officials who strongly disagreed. But a cybersecurity expert said he’d heard examples of this in Texas, and those two election officials in Colorado and Michigan suggest that bad actors are always a legitimate risk.
But getting access to the machines and manipulating votes is barely half the battle; even that proves harder than some of the hackers expect.
By day two, the DEFCON village was already in ruins, with tables covered in wires, adapters, USB sticks, SD cards, tiny screws, and discarded keyboards. Two electronic poll books had been so mangled that they no longer turned on, and a DRE was missing an admin access card, leaving a group of hackers to troubleshoot.
“From the admin access, you can probably do things like delete votes,” one said.
“One year, some 12-year-old kid was able to hack into one of these in like 30 seconds,” added another.
Nearby, though, the screen of a ballot scanner had the DEFCON logo at the top and an error message in the middle: “Alert! A problem has occurred. Please notify an election official.”
It was a good reminder that the goal for saboteurs isn’t just to change votes—it’s to do it all undetected. Is that possible?
As Halderman also pointed out in his 2018 presentation, if your machine produces a physical ballot that you can check against the electronic record, “it’s going to be really, really difficult to tamper with both of those sets of records in a way that wouldn’t raise red flags.”
Since then, the number of jurisdictions with auditable paper ballots has risen from 72 percent to 88.6 percent.
“The activists who have pushed for paper ballots,” said Becker, “they’ve won. They’ve won beyond their wildest dreams. They should declare victory and take credit for it.”
However, very few states require that all ballots be potentially subjected to an audit, though the situation is improving. Last year, during the height of the pandemic, Michigan remotely trained election administrators in 277 jurisdictions how to conduct a risk-limiting audit. To do that for every federal race in the country, Halderman estimates it would cost just $25 million—though even that small amount of funding (and time and organization) is in limited supply.
At the end of the day, most experts are actually arguing over a seemingly small point. After someone votes on the BMD, it prints out a summary of their choices, but is anyone actually confirming that what the paper says matches who they voted for? If they trust what the machine printed and don’t verify the ballot, then it doesn’t matter how much paper we audit. The record is meaningless.
Fundamentally, though, no system can be fully secure. But that doesn’t necessarily mean it’s been compromised either.
“If we wanted the most secure system ever, we could require every single voter to go into a single location at a single point in time, give a DNA blood sample, and record their vote on an engraved stone table that would last for 100 years,” said Becker.
After the convention, Hursti flew to South Dakota to serve as a media expert for Mike Lindell’s Cyber Symposium. “This is a big fat nothing and a distraction,” he told the Washington Post after Lindell failed to produce the bombshell evidence he had promised for the symposium. Hursti also said that he didn’t consent to having his work included in the “Kraken” briefs, which several lawyers working to overturn the 2020 results confirmed.
In person, he also emphasizes the difference between what’s possible and what’s probable. “Being vulnerable isn’t evidence of being actually hacked,” he said. “If you have a bad lock in your house, it doesn’t mean that burglars have entered. It means get a better lock.”
However, many security researchers have a borderline religious belief in the power of transparency. “Only really irresponsible people take vulnerabilities as proof that something’s actually happened,” said election security advocate Jennifer Cohn.
Unfortunately, irresponsible people currently have the power to force fraudits, deny funding for voting systems, and leak administrator passwords. And with its dramatic displays of hacking, DEFCON is perfectly suited to encouraging the kind of paranoia that now threatens even routine election administration.
As the Voting Village at DEFCON closed for the weekend, a few stragglers poked around at the machines. One smoked a cigarette inside, periodically tapping it on the ashtray he’d brought along. The table was covered in machinery, food wrappers, and a 2-foot-tall margarita cup.
As everyone got ready to leave, one of the organizers said she’d asked a group of hackers if they’d found any new vulnerabilities. They stared at her. Even if they had, they wouldn’t tell her.