The Event
In preparation for the election season, HackerOne planned and executed a unique live hacking event in coordination with the election security group within the Information Technology - Information Sharing and Analysis Center (IT-ISAC). Modeled after HackerOne’s existing live hacking events where technology owners and researchers work together to test targeted assets, IT-ISAC leveraged the collective experience of its advisory board for this first-of-its-kind event.
HackerOne gladly provided its significant expertise and resources necessary to plan the live hacking event to help secure our elections. Three election technology manufacturers and 15 independent, vetted U.S. security researchers with hardware hacking expertise took part. Over a two-day period, these ethical hackers and election technology providers collaborated to explore potential security issues within election devices, which included controlled access to modern election technology with newly developed and not yet fielded configurations of the on-board software. The devices tested included digital scanners, ballot marking devices, and electronic pollbooks, emphasizing the technology that voters may encounter at a polling site. In addition to the testing, the various expert stakeholders like HackerOne further enhanced collaboration and disseminated lessons learned across providers through panels and follow-up discussions.
The Results
In a 48-hour testing window, the ethical hackers submitted 21 reports across the three election technology manufacturers. The attack vectors tested represented a range of election security threats, including ballot box stuffing, scanner denial of service, website URL squatting, and front panel workstation access. The result was more secure products and thus more secure elections, and a strengthened trust between the stakeholders.
This event built on previous efforts to support the adoption of Vulnerability Disclosure Programs (VDPs) by election technology manufacturers. A VDP is a “see something say something” policy that provides a secure channel for third parties to report potential vulnerabilities and security gaps directly to the affected organizations. With the assistance of former election officials, industry, and the security research community, including HackerOne, election technology manufacturers have increasingly implemented this security best practice. While most election technology companies now have VDPs in place, last year’s event brought more access to the various systems and reinforced the security-enhancing value of this collaboration.
The Future
Following the success of the event, IT-ISAC has focused on updating and modernizing standards to better accommodate VDP and responsible disclosure within the industry and developing a framework for future iterations of this event. Stakeholders are exploring possible future events that aim to include a broader set of researchers, additional companies, and others involved in the election security process, including state and local election officials. This would not only expand the attack surface ethical hackers can test, but also empower them to focus on additional attack vectors. Protecting the integrity of our votes is vital and requires proactive approaches—like getting a bunch of experts in a room together to try to hack hardware—to identify and address vulnerabilities before they can be exploited.