A highly polarised contest and obsolete IT make cyber-attack on the presidential election almost a certainty
In a few hours’ time, western democracy - perhaps even world peace - will be at the mercy of vulnerable code in black boxes on dilapidated bare bones PCs with virtually zero endpoint security, otherwise known as e-voting machines. Security experts are warning that the combination of a highly polarised contest and obsolete information technology makes domestic or foreign cyber attacks on tomorrow's US presidential and other elections a near certainty.
The warning comes from the US Institute for Critical Infrastructure Technology, which in the second part of its devastating investigation "Hacking elections is easy" details specific weaknesses in the electronic voting systems widely installed with federal funding after 2002. “Electronic voting manufacturers operate without sufficient accountability, oversight, and governance. Rather than produce robust, secure systems, they distribute bare bones proprietary systems with less native security than a cheap cell phone.”
Compromised at least twice
According to the report, state voter registration systems have already been compromised at least twice.
On 28 June this year, the FBI notified the cyber response team at the Arizona Department of Administration that credentials related to the voter registration system had been compromised. Upon investigation, malware was discovered on a county computer. The compromised database contains the name, address, date of birth, phone number, email and party affiliation of the more than 3 million registered voters in Arizona.
On 12 July, cyber-attackers launched a campaign against the Illinois state online voter registration system and caused officials to shut down the site for 10 days. Cyber-attackers breached systems and "exfiltrated personal data of up to 200,000 voters".
The institute suggests that these reports may be the tip of the iceberg. "The majority of state voter registration database breaches have not been publicized because election boards are not technically savvy enough to know what to look for or even what questions to ask technologists," the report says.
Meanwhile, and perhaps even more worrying, "white hat" attacks on many of the most widely installed vote-counting machines show elementary weaknesses.
In one Windows XP-based system, the attack “succeeded without any level of sophistication, though many of the individual exploits failed because the target system was too old for them to run... researchers targeted the unencrypted Microsoft Access database that stores ballot information and the results. The password 'shoup', used for all database files, was discovered in approximately ten seconds.”
In another, "passwords were weak and standardized across machines. Wireless traffic was intercepted in less than two minutes, and the weak WEP communications key was rapidly compromised using open source tools.”
A system used in almost 900 jurisdictions has "almost no security" and is "susceptible to internal software bugs and external attacks".
The report dismisses claims that the very multiplicity of voting systems, including paper ballots, is itself a safeguard, pointing out that only 1 per cent of votes in battleground states could be enough to sway an election.
"Imagine the havoc that an attacker could wreak upon the United States by compromising a state voter registration site and using malware or a logic bomb to delete the voter registration of a portion of the population. How much greater would the impact of that simple attack be if the malware only affected the registration of a select demographic of people?"
When it first published its findings, the institute warned that it was already far too late for electoral authorities to change their systems. The main hope now is that whatever action is taken in response to any compromising of the 2016 contest will be taken in a way that does not introduce further vulnerabilities in the future.
Editor's note: This story was published before the election took place on 8 November. At the time of writing (10 November) there have been no allegations of cyber attack, but the points made in the investigation stand as the view of the institute.
Photo: Michael Cross