Voting machines are critically vulnerable
- By Mark Rockwell
- Aug 29, 2016
What: "Hacking Elections is Easy! Part 1: Tactics, Techniques and Procedures," a report by the Institute for Critical Infrastructure Technology
Why: Voting technology is a hot topic this election year. Recent news reports revealed that the FBI was investigating the targeting by foreign hackers of voter registration databases in Arizona and Illinois. Threats to election technology have prompted the Department of Homeland Security to consider putting the systems under protections similar to those that safeguard the nation's energy grid and financial systems.
According to a new report from the Institute for Critical Infrastructure Technology, that might be a good idea. The U.S. election system relies on disparate technologies run by states and municipalities that are potentially easy prey to a wide range of bad actors.
Voting machines are nothing more than "stripped-down computers using outdated operating systems possessing every conceivable vulnerability that a device can have," the report states.
According to the authors, a hack would not have to affect a wide range of systems. Targeting only a few systems in a swing state could be enough to alter the outcome of a national election.
In addition, the candidates present a tempting electronic target via social media, websites, and other online and electronic assets. A hacktivist or someone with a bad attitude and a little know-how could cause a major disruption during an election with a well-placed denial-of-service or man-in-the-middle attack, according to the report.
Phishing email messages could open the door to all of that, as could supply-chain insiders. An employee at election machine and technology makers could illegally access the machines at storage sites. The authors noted that at the time of the report's publication, Premier Election Solutions (which was formerly Diebold Election Systems) had open positions for interns and contractors.
Voting machines have been vulnerable for some time, according to the report. In 2007, California officials asked 42 researchers to do "red team" penetration testing of machines made by Diebold, Hart InterCivic and Sequoia Voting Systems. The researchers said they were struck by the banality of the many critical flaws and vulnerabilities they found, which showed a pervasive lack of consideration for even basic security measures.
The institute released the first part of its study ahead of Hewlett Packard Enterprise's Protect 2016 conference, which will be held Sept. 13-16 in Maryland. It plans to release "Hacking Elections is Easy! Part 2" on Sept. 5.
Verbatim: "Voter machines, technically, are so riddled with vulnerabilities that even an upstart script kiddie could wreak havoc on a regional election, a hacktivist group could easily exploit a state election, an [advanced persistent threat] could effortlessly exploit a national election, and any corrupt element with nothing more than the ability to describe the desired outcome could order layers of exploits on any of the multitude of deep web forums and marketplaces."
Click here to read the full report.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.