Cyber Security Club Members Take a Crack at a Voting Machine at Hacking Conference

From left: Raphael Baltazar (Computer Information Systems Senior), Luke Nguyen (CIS Graduate), Ayushman Dutta (Information System Security Graduate), John Fisher (CIS Senior), Keith Yuen (CIS Senior)

The University of Houston Cyber Security Club is made up of students and alumni who are interested in promoting education in information systems security and expanding knowledge and skills in the field. Their goal is to encourage the free exchange of information systems security techniques, approaches and problem solving by its members. Five members of the club, computer information systems (CIS) major John Fisher (’18), Raphael Baltazar (’18), Luke Nguyen (’17), Keith Yuen (’18) and Ayushman Dutta (’17), attended the DefCon 25 conference at Caesars Palace in Las Vegas, July 25 - 29. One of the most anticipated challenges at this year’s conference was the Voting Village, where hackers broke into various voting machines to test election security.

Reflecting on the intrigue of the challenge, John Fisher said, “It has been a great way to connect with other people with a common interest. Curiosity is definitely our number one vice and that’s why cracking a voting machine was such an awesome learning experience.” A U.S. Army veteran who recently returned to school, Fisher currently works as an information systems security analyst while taking classes at UH.

COT: What is Def Con and how is it beneficial to other cyber security experts?

Fisher: Def Con was started 25 years ago as a group of bulletin board server administrators who wanted to get together in Vegas. Since then, it has grown into the largest hacker convention in the world, with over 25 thousand attendees this year. During the conference, security researchers give talks on their latest finds, and “villages” are set up for attendees to learn and test their skills in competitions.

COT: Tell us about your involvement with the Cyber Security Club.

Fisher: I have been a member of the Cyber Security Club at UH since 2015, which has been a great way to connect with other people who, essentially, like to break things. Curiosity is our number one vice. We discuss current security events such as breaches or new vulnerabilities. We also conduct demonstrations in the lab on cyber-attack and defense. Many of our members participate in Cyber Security Capture the Flag (CTF) and National Collegiate Cyber Defense competitions. Professors Chris Bronk and William Conklin manage the club.

COT: You participated in the Voting Machine Village where you managed to disassemble a voting poll machine and demonstrate system vulnerabilities. How long did it take and what was involved?

Fisher: It took less than 90 minutes for many of the hackers. Our team could not fly with all of our tools due to TSA regulations, so we disassembled the machine with whatever we could find there, which took some time. However, with proper tools and prior knowledge, I think that it could take less than 5 minutes. We found that the hardware was quite old and mostly proprietary. Instead of a hard drive, it ran on a single 16 MB compact flash card. We used an ordinary USB adapter and dumped the software onto it. Upon initial inspection, we found plain text configuration and balloting information files that were easy to read. The machines were supposed to have been wiped before being sold, but the data from the last usage was still there!

COT: What is the significance of that and what are some implications for the future?

Fisher: Many things. For instance, we figured out that nothing was erased entirely. One group at DEF CON found 650,000 registered voter records on their machine from 2014. Nothing appeared to be protected or encrypted. Everything works with plain text that anyone can read. Most of these systems run on outdated or easily exploitable reverse-engineered operating systems. Although the majority of these machines cannot be accessed remotely, it only takes one apple to spoil the bunch. An undetected “voter” could upload a simple virus or malware to the voting machine; and, when the tallies are pulled from the machine, the virus goes with it. After the data are uploaded to the repository, votes could be changed, or just destroyed, causing chaos in our voting system.

COT: As an alum, how do you think that your experience ultimately helped your career?

Fisher: Absolutely. As a computer information systems major, I have been equipped with a well-rounded arsenal of IT skills, from databases and development to project management and leadership. The biggest advantage has been the inclusion of information system security courses such as intrusion detection and forensics.

Def Con Voting Village: View members of the UH club from 2:11 to 3:06.