As various cyber-security researchers unveil claims of how electronic voting machines could be hacked, we asked, where is the election system vulnerable and what are the likely scenarios for an attack?
Hacking of voting machines has become a major concern in the US election, as supporters for both major candidates worry that the results could be skewed in vital “swing” states. Hacking, or even allegations of widespread hacking, could skew the results or undermine faith in the democratic process.
One company, Cylance, has come under fire for its claims that a particular brand of voting machine, which depends on an unencrypted internal flash card, could be hacked in mere minutes, provided the attacker had physical access to the machine.
In its video, it shows that two counters – the Public Counter and the Protective Counter – can both be manipulated to change the names of the candidates and their total vote tally.
Cylance is not the only one to express concerns about security: Symantec, the MacKeeper blog and Contrast Security among others have published research on security issues in voting machines. In total, some 278 vulnerabilities in voting machines have been uncovered.
It's not the fact that the company revealed the weaknesses in the Sequoia AVC Edge Mk1 voting machine that rankles Cylance's critics – there are hundreds of well-known vulnerabilities in many different models of voting machine – but that Cylance produced a video to publicise its claim and that it made the claim so close to the election.
Katie Moussouris, a bug-bounty expert, is quoted on The Verge, saying: “Releasing this publicly, after DHS and states have been aware of these types of attacks for years, only serves to fuel the fires of doubting the election results. This is a case of not helping security while simultaneously undermining the democratic process.”
Cylance defended the bug report, pointing out that there are old systems being used in multiple states which are “unfit for use based on simple security issues”. Meanwhile, flaws discovered by other security researchers ten years ago have still not been fixed. Cylance has withheld details of exactly how the hack works (though presumably a competent programmer could work out the details) and provided the details to both the manufacturer and election officials.
The company said, “The units in question are known to be in use in numerous polling locations across the country. According to the VerifiedVoting.org website, the DRE-Touchscreen system manufactured by Sequoia will be used by 8,170,477 registered voters in 22,368 precincts. The discovery of the exploitation this week combined with the simplicity in which it was discovered (3-4 days) and the real potential for an adversary to compromise the voting machine's integrity, compelled us to announce the research findings in advance of the 2016 elections.”
Regardless of Cylance's motivations – whether altruistic or commercial – such is the febrile atmosphere around the election that all news is weighed not on the balance of fact and fiction but how it might impact the election.
Against this backdrop and amidst claims that the Russian government is attempting to influence public opinion and perhaps even the outcome of the election, US authorities have put the world on notice that they are standing by with cyber-offensive capabilities to strike back against would-be attackers.
In September, a US congressional committee on information technology heard from experts who said that the election system was fundamentally sound despite 43 out of the 50 states using voting machines that are more than 10 years old and run on Windows CE, Windows XP, Windows 2000 (all of which Microsoft had stopped supporting by 2014), Linux and others, all of which can't be updated with anti-virus patches.
This led Bev Harris, founder of election watchdog Black Box Voting to tell SCMagazine.com, “[The federal government] seems to believe their job is to instill confidence. That's dangerous.”
There's a belief among US election officials that hacking voting machines is a non-issue because they aren't connected to the internet. The focus of their public statements on the subject appear to be aimed at reassuring the public that the integrity of the election results is not in question.
However, James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT) in Washington, DC, warned that any lapse in the “chain of custody” of the machines themselves would leave them open to compromise.
“They think just because the voting machines are not connected to the Internet, they're not hackable,” said Scott, who wrote a 77-page report for the ICIT provocatively titled “Hacking is Easy”.
“No one is telling them that all you have to do is poison an update,” said Scott. “Even if one machine is not directly connected to the Internet, [say] it's networked to another machine, even a printer, that attack surface is exploitable and completely vulnerable.”
There are other points of vulnerability in the voting system, too, and attacks against these systems could either skew the results or cast doubt on the outcome.
For instance there are three major voting machine manufacturers and one of them, Election Systems and Software, will be responsible for tabulating 60 percent of the votes cast. Many of the tabulation centres are equipped with older computers, according to Harris. As a consequence, she said she is “100 percent certain the election will be tampered with”.
Another point of vulnerability is the Associated Press (AP), the pre-eminent news agency in America which will gather election results from thousands of constituencies across America and tabulate the results. With almost all the major news outlets including TV, print and web using the AP, any discrepancy in the results would not only be widespread, it would also go unchallenged until the official results had worked their way through the official state channels.
Sean Sullivan, security advisor at F-Secure Labs, outlined two avenues of attack against the AP: “A DDoS attack on the AP's election night system could result in a delayed tally. And in the current political environment, delayed results will spread suspicions of voter fraud. If the system is vulnerable to hacking, illegitimate input might be possible, confusing the reporting, with the same potential results.”
Meanwhile, according to some, a more subtle form of election hacking is being enabled by internet technology, namely the deployment of massive social media bots to disseminate propaganda.
According to Simon Crosby, CTO at Bromium, the threat to voting machines is less of a worry than the massive social media bot armies that follow both of the candidates.
Crosby told SCMagazineUK.com that the biggest obstacle to a coordinated attack on the US election is the sheer chaos of the system. With hundreds of different models deployed in thousands of voting precincts, attackers would have to know how to hack each model and, in many cases, have to gain physical access to the machines to do so.
In addition, he claims, you would have to know exactly how many extra votes were required in each precinct to skew the results in a way that didn't instantly raise alarm bells.
The real goal of any cyber-attack will be to undermine the results, by casting doubt on the integrity of the machines and the systems for collecting and reporting the results.
Helping that along will be the millions of social media bots who follow both candidates on social media. According to one estimate, 39 percent of Trump's 11 million Twitter followers are fake and 37 percent of Clinton's 8.4 million followers are also bots.
Crosby points out that nation states are getting in on the act and it's not limited just to Russia: Turkey and Venezuela are also known to use Twitter bots to manipulate the news, he said.
This election has been described as the post-factual campaign, but it's also the campaign in which everything has been touched by cyber-security, revealing weaknesses in everything from email and social media to election systems and the media itself.
Whoever is elected today will have to take a long, hard look at how to harden these systems, to ensure that cyber doesn't become a permanently destabilising force in democracy.