US Voting Machine Security: The Frightening Truth

Every August, a curious mix of characters descends on Las Vegas for DEFCON, the hacker conference that may soon become one of the most important gatherings in modern democracy. Among the myriad villages, workshops, and talks, one stands out not for spectacle or flash, but for its insistence on confronting uncomfortable truths.
Inside the DEFCON Voting Machine Village
Lessons learned from these DEFCON “villages” may seem hyper-specific or detached from our daily lives, but consider how many systems we interact with, from banking apps to US online casinos and gambling sites, where money, details and digital identities are supposedly guarded by unbeatable layers of protection and procedure. One of the most compelling aspects of DEFCON and other hacking events is that official or corporate claims of security and invulnerability are not accepted at face value. Instead, they are rigorously tested under the cold fluorescent lights of the convention center, with relentless scrutiny by hundreds of researchers, enthusiasts, and students of all ages. One of the most fascinating events is the Voting Machine Hacking Village.
Participants are presented with real voting machines, ranging from models still in use in local jurisdictions to retired systems that now serve purely educational purposes. Over several days, machines that officials have consistently assured the public are “secure” are challenged in every conceivable way: from tampering with memory cards to simulating network intrusions, from exploiting outdated software to probing physical locks. The ethics of the Village are explicit: failure is not failure but a step towards understanding. Each exploit, each discovery, is documented and added to a growing list of potential weaknesses. Every flaw found becomes a learning opportunity, a demonstration of why invulnerability must always be questioned.
Voting Machines Altered by Teens and Experts: Hacking in Action
Teenagers and college students are invited to participate, receiving hands-on instruction in cybersecurity while also (hopefully) learning the ethical boundaries that accompany such skills. In recent years, these young participants have achieved breakthroughs that even seasoned professionals have overlooked, discovering vulnerabilities ranging from easily exploitable default passwords to software bugs that could allow vote totals to be altered undetectably.
The lesson learned is that practical expertise is not exclusive to credentialed or experienced “experts”; enthusiasts can be more creative and playful, and their results more dangerous to the illusion of safety, not just when it comes to voting machines. Curiosity, intelligence, and careful attention are just as powerful as years of training – and sometimes, they catch flaws more experienced eyes might miss.
The organizers of this event-within-an-event are not random hacking enthusiasts but experts in the field, assisted by a cadre of friends, advisors and assistants who bring their own distinct and diverse skills to the table (including some extremely knowledgeable people from the world of cheating and conjuring). Steering this ship is Professor Matt Blaze, who is considered to be the world’s leading authority on election security. Rather than expressing an anarchistic urge to “hack the planet”, the Voting Machine Village is a curiosity-fueled passion project to illustrate that anything can be puzzled down until a gap in the virtual fence is detected.
Anyone with a hacker (or cheater) mentality will immediately sit up and pay attention when some grey-suited maroon claims their product or service or system is completely safe. Without doubt, many (or most/all) U.S. voting machines are vulnerable to some form of unauthorized access, whether through software manipulation, physical tampering, or configuration errors.
Exposing Flaws and Vulnerabilities
In the 2024 DEFCON Village, attendees identified dozens of unique vulnerabilities across a variety of machines. Some flaws were purely mechanical, like weak locks and exposed ports; others were digital, including unpatched operating systems, poorly designed firmware, and insecure communication protocols. The combination of physical and cyber weaknesses highlights the fragility of systems that millions rely upon for the most fundamental act of civic participation: voting. Official claims with regard to security and safety are often influenced by outside factors, from financial benefits to practical concerns or, if conspiracy theories are your thing, the ability to better control or influence outcomes.
By simulating attacks in a controlled environment, DEFCON Voting Machine Village participants stress-test systems in ways that election officials often refuse to. When these “invulnerable” machines fail under the scrutiny of skilled testers, the implications are profound: democracy is only as strong as the systems that support it. What emerges from their exercise in creative belligerence is that security is not binary; it cannot be absolute. To ignore or dismiss these vulnerabilities is not merely negligent; it is reckless, and there’s a growing suspicion it may partly be deliberate.
Exercises like the Voting Machine hacking village serve as a critical educational forum for the public and for policymakers, with workshops, demonstrations, and talks designed to demystify the process of hacking, showing how vulnerabilities are not necessarily the result of malice alone but of outdated hardware, rushed software development, or overlooked potential weaknesses in procedure. Approached with honesty and a sincere desire to better secure the voting process, lessons learned in these faceless Las Vegas ballrooms might have positive implications for counties and states across the nation, perhaps encouraging authorities to apply “risk-limiting” audits that ensure results are accurate even in elections that are not close.
A Wake-Up Call Ignored?
Sadly, the reaction is not always so productive, with agencies critical and suspicious of DEFCON events and their colorful attendees. There’s a powerful point to be made by proving that junior registrants – some younger than ten – can beat machines that help decide the democratic process, but that point is often lost on politicians and their ilk, who seem keen to brush such issues under the carpet.
Across the nation, there are frequent assertions that election systems are secure, fortified against attack by layers of encryption, proprietary software, and procedural safeguards, and that there is no way voting machines were altered. The Village challenges this narrative every year by demonstrating real, reproducible exploits under controlled conditions, making for an undeniable argument: assuming security without proof is dangerous, and testing systems that are claimed to be invulnerable is not optional – it is essential.
When the very mechanism through which power is supposedly legitimized is at stake, complacency is a luxury that democracy cannot afford. There seems to be a growing realization that the results of these hacking events should not be ignored. Some jurisdictions, prompted by DEFCON findings, have updated software, strengthened physical security, or adopted paper audit trails to complement electronic systems. Others have reconsidered procurement standards, rejecting machines that could not withstand rigorous scrutiny.
Safeguarding Democracy in a Digital Age
As technology accelerates and the threat landscape evolves, the need for stress-testing systems becomes even more urgent. The DEFCON Voting Machine Hacking Village is not a theater for alarmism but a laboratory for hard truths. It shows us where assumptions fail and where human ingenuity can both expose and correct vulnerabilities.
In my opinion, it performs a vital service to cybersecurity professionals, election officials and every citizen who relies on the integrity of democratic institutions. In a society increasingly dependent on complex, interconnected systems, attacking those systems creatively serves as a reminder that vigilance, transparency, and accountability are essential for all services in an ever-evolving intellectual battlefield.