As one of the world’s leading cyber security companies, Symantec spends a lot of time focusing on where the most damaging cyber attacks will be in the future. Since it’s an election year, we decided to analyze the ecosystem of an election, from electronic voting machines to data transfers, vote tabulation and finally, broadcasting the results.
To get started, we purchased actual direct-recording electronic (DRE) voting machines off an online auction site and other equipment to simulate a real-world voting system. Altogether, our research and development cost less than $500 and revealed three easy ways an attacker with the right level of intelligence and motivation could erode the trust that American citizens have in their election process.
Symantec’s “Hack the Vote” election simulation at an eagle’s eye view
Stuffing the Digital Ballot Box
Voters entering polling stations that use electronic voting machines are handed a chip card that they use to cast their vote. Once someone has voted, they turn the card back in to the polling station volunteer and it gets re-used by the next voter. Just like credit cards, these cards are essentially a computer with its own RAM, CPU and operating system, which means they can be exploited like any computing device.
In examining the election process for vulnerabilities, we discovered that there’s an opportunity for a hacker to modify the code put on a voter’s chip card. Anyone who knows how to program a chip card and purchases a simple $15 Raspberry Pi-like device could secretly reactivate their voter card while inside the privacy of a voting booth. We found a card reader that fits neatly into the palm of our hand and used it to reset our fake voter chip cards two different ways. In one scenario, we reset the card to allow someone to vote multiple times using the same chip card. Our second method programmed the card to allow that card to cast multiple votes. In both approaches, the attacker is stuffing the digital ballot box and casting doubt on the validity of the results from that polling station.
Encryption Absent on the Voting Machine Hard Drive
We also discovered that there was no form of encryption on the internal hard drive of the voting machines we purchased, which were running an outdated operating system to display the ballots and record votes. These types of hard drives are similar to those used in digital cameras. The lack of full disk encryption on the internal hard drive (as well as the external cartridges) presents opportunities for hackers to reprogram and alter ballots.
Potential hackers would also be unhindered by the voting machine’s lack of internet connectivity. Some types of malware, such as Stuxnet, can reach air-gapped networks by spreading through physical access to a machine. The lack of full-disk encryption on the DRE machine makes it easily exploitable, requiring only a simple device to reprogram the compact hard drive.
Tampering with Tabulation
A voting machine is only one vehicle for election cyber fraud. The behind-the-scenes data tabulation presents an even greater opportunity for attack. Votes are typically collected on the machine in a simple storage cartridge and physically transferred to a central database for tabulation. Ways in which the integrity of the voting data can be compromised include:
* Manipulation of cartridges – The storage cartridge functions like a USB drive, in that it stores data in plain text with no embedded encryption. A hacker could easily rewrite vote information or add false votes onto the cartridge to alter the outcome.
* Manipulation of the voting database – While we didn’t analyze a vote tabulation computer, our research indicated the type of database on which the votes would later be tabulated. Based on our findings, we believe it’s possible for hackers to compromise storage cartridges by uploading malware to alter the database or wipe it completely, causing recounts in numerous precincts. This year, 43 states will use electronic voting machines that are at least 10 years old. It’s reasonable to suspect some tabulation computers and software have been left unpatched or unsupported, opening the doors to other means of infiltration.
Spreading Misinformation to Change Voter Behavior
We live in a world that allows people to connect to millions of others with the click of a button. Information spreads quickly – from across social networks to media coverage. By propagating misinformation, a hacktivist or attacker could cause voter distrust of election results.
In our simulated election, we broadcast our results “live” on YouTube. We found that it’s plausible for hackers to hijack means of communication and spread false results on YouTube, broadcast media, social media and other channels. If voters were to follow the poll leader, they might not choose to go through the trouble of voting in an election if it looked like they were in for a landslide victory.
Additionally, voters can be reached via other means of influence. Hacker Andrés Sepúlveda allegedly engineered election results in South America using an army of fake Twitter accounts, spreading false information using email campaigns, altering candidates’ websites and more.
Protect the Vote
Americans have the right to a free and democratic election. Yet there’s very little the average voter can do to secure, patch and modernize voting technology. If your district allows you to vote by paper, we recommend choosing that method over electronic voting for the time being. And if you see something that doesn’t look right when voting electronically, be sure to notify a poll worker immediately.
Ultimately, it’s up to state governments, federal organizations and voting machine manufacturers to define security standards for election equipment and employ stronger security measures. Right now, there’s too much variance in the voting systems amongst different districts.
The vulnerabilities we found can easily be fixed with existing security technology. Securing ballots throughout the voting process requires security software at all points of the process. For instance, the use of “write once, read many” storage cartridges is an easy first step. Chip cards should have asymmetric encryption. The voting machines’ hard drives should also have security measures in place – such as advanced endpoint protection, anomalous behavioral detection and full-disk encryption that is kept fully up to date. Voting machines should also have SSL certificates and public and private key encryption to protect the transmission of ballot results, as well as network protection and proxy servers to defend tabulation databases.
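As an added illustration (not Symantec's code and not taken from any voting product), the sketch below shows how a tabulator could detect the cartridge tampering described above, rewritten or added votes, if each record were chained and authenticated instead of stored as bare plain text. The record layout, the function names and the use of HMAC-SHA256 from the Python standard library in place of the asymmetric signatures the article recommends are all assumptions made for the example.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain anchor for an empty cartridge


def _tag(key, prev, body):
    # MAC over the previous tag plus a canonical encoding of this record.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + data, hashlib.sha256).digest()


def write_cartridge(key, ballots):
    """Machine side: chain every ballot record, then seal the final state."""
    records, prev = [], GENESIS
    for seq, ballot in enumerate(ballots):
        body = {"seq": seq, "ballot": ballot}
        prev = _tag(key, prev, body)
        records.append({**body, "tag": prev.hex()})
    seal = _tag(key, prev, {"closed": True, "count": len(records)})
    return {"records": records, "seal": seal.hex()}


def verify_cartridge(key, cartridge):
    """Tabulator side: recompute the chain; reject the cartridge on any mismatch."""
    prev = GENESIS
    for seq, rec in enumerate(cartridge["records"]):
        body = {"seq": rec.get("seq"), "ballot": rec.get("ballot")}
        expected = _tag(key, prev, body)
        stored = str(rec.get("tag")).encode()
        if rec.get("seq") != seq or not hmac.compare_digest(expected.hex().encode(), stored):
            return False, f"record {seq} altered, reordered or forged"
        prev = expected
    seal = _tag(key, prev, {"closed": True, "count": len(cartridge["records"])})
    if not hmac.compare_digest(seal.hex().encode(), str(cartridge.get("seal")).encode()):
        return False, "seal mismatch: records appended or removed after close"
    return True, "ok"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed value, not a real key
    cart = write_cartridge(demo_key, [{"contest": "mayor", "choice": "A"}] * 3)
    print(verify_cartridge(demo_key, cart))
    cart["records"][1]["ballot"] = {"contest": "mayor", "choice": "B"}
    print(verify_cartridge(demo_key, cart))
```

With a symmetric MAC the key on the voting machine can also forge records, so it is only as safe as the machine's storage; a per-machine signing key held in hardware, with the tabulator holding only the public key, removes that dependency.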
The recent Arizona and Illinois database attacks prove malicious actors are seeking opportunities to access the election system. Yet, few incentives exist to modernize voting security. States can take advantage of Department of Homeland Security guidance and services to inspect voting systems for bugs and vulnerabilities, on top of the security measures voting machine manufacturers should be implementing.
Voting machines are no different than other vulnerable devices – computers, mobile phones, connected cars, ATMs and more. A lack of basic security measures defines voting technology in many states, putting democracy at stake.