U.S. election-related software feature countless security flaws
1 October 2018
The United States mid-term elections will kick off on 6th November, but just like how suspected Russian hackers hacked into election-related software prior to the 2016 elections and subsequently carried out a spear-phishing campaign to influence the electoral outcome, hackers could easily hack into such software again and influence the outcome come November.
A “Voting Village” contest run by the DEF CON conference in August laid out a challenge to participants to hack into more than 30 voting machines, the M640 electronic ballot scanner, and other pieces of election-related software to assess the cyber security of such systems and machines prior to the mid-term elections.
Staggering flaws in election-related software
Following the completion of Voting Village, the organisers noted the presence of a “staggering” number of security flaws in election-related software, including flaws in the M640 electronic ballot scanner which is used to scan ballots in 23 U.S. states.
Quoted below are the four major observations that DEF CON arrived at following the completion of Voting Village:
1. A voting tabulator that is currently used in 23 states is vulnerable to be remotely hacked via a network attack. Because the device in question is a high-speed unit designed to process a high volume of ballots for an entire county, hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election.
2. A second critical vulnerability in the same machine was disclosed to the vendor a decade ago, yet that machine, which was used into 2016, still contains the flaw.
3. Another machine used in 18 states was able to be hacked in only two minutes, while it takes the average voter six minutes to vote. This indicates one could realistically hack a voting machine in the polling place on Election Day within the time it takes to vote.
4. Hackers had the ability to wirelessly reprogram, via mobile phone, a type of electronic card used by millions of Americans to activate the voting terminal to cast their ballots. This vulnerability could be exploited to take over the voting machine on which they vote and cast as many votes as the voter wanted.
They also noted that a budding eleven-year-old participant at Voting Village was able to hack into and deface a mock-up of Florida’s election results website by using an SQL-injection technique. More skilled and malicious adversaries could exploit underlying vulnerabilities in websites to launch more serious types of attacks.
“The election infrastructure can be expansive, and includes the voting machines themselves, the tabulation processes, the voter registration databases and the associated networks. Each of these requires a detailed focus from many entities to protect against adversaries seeking access to data for influence operations, threatening the availability of the services, or posing threats to the integrity of the information,” said Rob Joyce, Senior Advisor for Cybersecurity Strategy at the NSA.
“A key aspect of securing our election processes is simply focusing on the fundamentals. As we embrace electronic technology, the basic security practices of updating and patching are critical. Having strong adherence to recommended security design practices is vital. Often, paying attention to detail in the things that we already know how to do, removes significant risk,” he added.
Following the publication of serious and critical security flaws in election software in the United States, Ross Rustici, senior director of threat intelligence at Cybereason, said that there are various ways nations can deal with potential election hacking scenarios.
Firstly, route communication between local, state and federal agencies will ensure that when a crisis happens, all sides are coordinating effectively and conveying the same message across all levels of government. Joint task forces between state and federal resources can also detect and stop attempts at election hacking.
Rustici added that local and state governments also need staff to monitor social media and to send out messages to counter fake propaganda peddled by nation-state hackers, thereby nipping such campaigns in the bud.
Hackers can, and will, exploit flaws to influence elections
The activities of Russian hackers prior to the U.S. Presidential elections in 2016 demonstrated that not only are hackers aware of underlying flaws in election-related software and websites, they are also adept at exploiting such flaws to the fullest to disrupt or influence the democratic process.
A leaked NSA investigation report in June last year revealed how Russian hackers were able to conduct a spear-phishing campaign by hacking into election-related software just months prior to the US elections.
According to Technology Review, the hackers targeted Florida-based VR Systems which supplied electronic poll books in states including California, Florida, Illinois, Indiana, New York, North Carolina, Virginia, and West Virginia.
After stealing valuable data on software and hardware solutions, the hackers sent out phishing e-mails to US-based targets, offering election-related products and services. The e-mails were designed to mimic legitimate services and contained trojanised Microsoft Word documents containing Visual Basic scripts with malicious infrastructure.
“This campaign appeared to be designed to obtain the end users’ email credentials. Users were enticed to click on an embedded link with a spoofed Google Alert email. This would redirect the user to the malicious domain,” the NSA report noted.