Hacking Elections Is Easy

In most cases, US electronic voting systems are bare-bones, decade-old computer systems that lack even rudimentary endpoint security.

Barack Obama votes in Chicago: 2012 Election

The recent revelation that foreign actors attempted to break into the Arizona and Illinois boards of elections prompted alarm and consternation. Cybersecurity company ThreatConnect recently noticed that one of the IP addresses the FBI mentions in its report about the incidents was also linked to a previous spear-phishing attempt against the Ukrainian and Turkish governments.

ThreatConnect looked at that IP address, 5.149.249.172, and found a website very similar to one for Turkey’s ruling AK Party. The practice of registering domains that look like those of real organizations, but with just a letter or character off, is sometimes called typosquatting. Marketers use typosquatted domains all the time. If you’re a customer looking for lampshades.com and mistype lampshads.com, whoever owns that not-quite-right domain can steer you toward their own site.

It works the same in a socially-engineered information attack. People often don’t notice subtle errors in the domains or URLs from institutions that they trust. It was one means by which hackers affiliated with the group COZY BEAR, believed to be Kremlin-backed, tried to lure staff at Washington, DC, think tanks into opening emails.

That target pattern suggests, but does not prove, Russian state-backed actors, since they would have the biggest interest in spear-phishing Turkish and Ukrainian political figures. It’s hard to know for sure until the next crime is revealed.
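A defender can screen for the typosquatting pattern described above by comparing domains seen in mail or proxy logs against the domains the organization actually uses. The following is an added example, not code from the article or from ThreatConnect; the allow-list, the sample domains, and the assumption that the registrable domain is the last two labels are all constructed for illustration.

```python
# Added example (not from the article): flag domains that sit within a
# couple of edits of a trusted domain, the typosquatting pattern above.
TRUSTED = ("lampshades.com",)  # constructed allow-list; use your own domains

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    swap-adjacent each cost 1, which covers the usual one-letter-off typos."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1,          # delete from a
                         cur[j - 1] + 1,       # insert into a
                         prev[j - 1] + cost)   # substitute or match
            # adjacent transposition, e.g. "da" typed for "ad"
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain: str, max_edits: int = 2):
    """Return (verdict, nearest_trusted_domain_or_None)."""
    d = domain.strip().rstrip(".").lower()
    # Exact match or a genuine subdomain of a trusted zone is fine.
    if any(d == t or d.endswith("." + t) for t in TRUSTED):
        return ("trusted", None)
    # Assumption: registrable domain = last two labels. Production code
    # should consult the Public Suffix List instead.
    base = ".".join(d.split(".")[-2:])
    nearest = min(TRUSTED, key=lambda t: osa_distance(base, t))
    if osa_distance(base, nearest) <= max_edits:
        return ("lookalike", nearest)
    return ("unrelated", None)

if __name__ == "__main__":
    # Constructed sample of sender/link domains pulled from mail logs.
    for seen in ["lampshades.com", "lampshads.com",
                 "login.lampshdaes.com", "example.org"]:
        print(seen, classify(seen))
```

Domains classified as `lookalike` are candidates for blocking or analyst review; the threshold of two edits is a tunable assumption that trades false positives against missed variants.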

Looking Back

Democracy relies on the reliability of the democratic process. The “Help America Vote Act”, passed in 2002, ushered in an era of uncertainty by proliferating the use of electronic voting systems vulnerable to cyber, technical and physical attack. More often than not, electronic voting systems are nothing but bare-bones, decade-old computer systems that lack even rudimentary endpoint security.

Despite the recurring discussion on electronic voting vulnerabilities that occurs every four years, only limited attention is given to the systemic problem undermining American democracy. It’s time for a complete overhaul in the electoral process’ cyber, technical and physical security.

To hack an election, the adversary does not need to exploit a national network of election technology. By focusing on the machines in swing regions of swing states, an election can be hacked without drawing considerable notice. Voting machines, technically, are so riddled with vulnerabilities that even an upstart script kiddie could wreak havoc on a regional election, a hacktivist group could easily exploit a state election, an APT could effortlessly exploit a national election, and any corrupt element with nothing more than the ability to describe the desired outcome could order layers of exploits on any of the multitude of deep web forums and marketplaces. Yes, hacking elections is easy.

Breached Trust 

The electronic voting systems popularized in the United States in the early 2000s have been repeatedly proven vulnerable and susceptible to attacks that are so unsophisticated, an eighteen-year-old high school student could compromise a crucial county election in a pivotal swing state with equipment purchased for less than $100, potentially altering the distribution of the state’s electoral votes and thereby influencing the results of the Presidential election.

In the security community, the conventional opinion of attacks against electronic voting machines is that the impact of the successful attack and the likelihood of a successful attack achieving the desired impact are inversely proportional. 

Therefore, a successful attack against the Presidential election is extremely high impact, extremely low likelihood of desired impact, while a successful attack against a local election is low impact, high likelihood. This opinion is mostly valid; however, it naively dismisses realistic scenarios where an entire election is decided on the results of a swing state or a single county, which could be as little as 400 votes. 

The need for cybersecurity in electronic voting systems should not be dismissed under the assumption that attackers cannot have a meaningful impact. It may be equally naïve to believe that attackers are not motivated to compromise these systems. Motivated attackers will achieve some impact. White hat hackers and black hat hackers share some, though definitely not all, of the same opinions, interests, and mentalities. 

If security researchers have been interested in whether electronic voting machines were hackable since their widespread adoption, chances are reasonable that malicious adversaries have considered the same question. The security and cyber hygiene surrounding electronic voting machines has not drastically changed in over a decade. Consequently, security researchers and attackers alike have had plenty of time to discover, and potentially exploit, vulnerabilities in the systems and processes that support United States democracy. 

External parties have a vested interest in the American political system. For example, China may want to influence elections to dissuade voters from electing a Presidential candidate who might pass economic sanctions, from electing a Congressional candidate who promotes anti-China legislation, or from electing a local candidate who opposes regional tongs or espionage associations. 

China has a history of undermining the democratic processes of nations that it views as malleable. Similarly, Russia may attempt to influence elections to increase public distrust in democracy over time or to oppose a candidate who poses a significant threat to Russian attempts to amass regional dominance. Russia already interferes in the elections of nations that it deems weak. A June 2014 report detailed how Russian hackers attempted to alter the election outcomes in Ukraine by targeting vote aggregation software.

History of Attacks

The United States e-voting system is so vulnerable that a small group of one or a few dedicated individuals could target a lynchpin district of a swing state, and sway the entire Presidential election. 

Those who doubt the potential impact should consider that in 1960, John F. Kennedy only had 112,727 more votes than Richard Nixon. The 2000 election between George W. Bush and Al Gore was similarly contentious and it may have depended on as few as 400 votes. A single unsophisticated attacker who spoofs a few hundred votes or who disrupts voting operations at a few key locations could have a similar impact on a future election, if they have not done so already. Imagine what a dedicated advanced persistent threat could accomplish. 

Adversaries could launch or pay to launch denial-of-service attacks against a candidate or party’s networks and websites. Free tools on the deep web can be used to launch such attacks, or the adversary could contact a DDoS-as-a-service site on the deep web to disrupt a candidate’s operations for a few dollars per day.

Similarly, disrupting election agencies and regulatory officials’ operations can interrupt reporting, interrupt record management, or prevent coordination between agencies. Public defacement of election agency sites or the public disruption of services reduces citizens’ trust in the electoral process. The attacker could begin by targeting campaign workers and donors to dissuade them from participating in the election process. Phishing, DDoS, and other attacks that target donors using social engineering and public information, such as donor lists, may decrease political participation. 

If an attacker gains access to an administrative smart card or other token, or if the attacker infects the card or PBE writer/encoder with malware, then they can infect systems without ever making physical contact. If the attacker has access to the administrative card or if they can infect a machine with malware that will spread onto the administrative card, then they can spread malware onto multiple machines and increase their sway over an election. Votes and results that are transferred via an internal or external network are subject to man-in-the-middle attacks during transmission.

Conclusion

More often than not, electronic voting systems are nothing but bare-bones, decade-old computer systems that lack even rudimentary endpoint security. As an exponential “security free” attack surface, compounded by the absence of cyber hygiene, black box technologies, and an expansive threat landscape, an adversary needs only to pick a target and exploit at will. Fundamental cybersecurity hygiene dictates that organizations assume their technology is vulnerable until proven otherwise.

A lack of penetration testing, security-by-design, and comprehensive physical access controls results in lackadaisical security, which enables, rather than hinders, an attack. The antiquated black-box systems become easier to compromise as vulnerabilities are discovered and left unpatched, and as the ubiquity of technology and the internet introduces new attack vectors to the stagnant security posture of the expanding e-voting threat landscape. Nation states, hacktivists, cyber jihadists, insider threats or anyone with an interest in swinging a local, state, or federal election currently have carte blanche access for the manipulation of America’s democratic process.

In this analysis, entitled Hacking Elections is Easy! Part One: Tactics, Techniques, and Procedures, the Institute for Critical Infrastructure Technology provides a detailed analysis of the risks that voting machines and the digital age have introduced into our democratic process, which have the potential to impact the integrity of election results.

ICITech: DefenseOne

 
