Can you hack the vote? Yes, but not how you might think

It’s public confidence, not the actual vote count, that’s in danger, Symantec says

With Donald Trump already talking about the presidential election being rigged, Symantec has set up a simulated voting station that shows how electronic systems might be hacked to alter actual vote tallies for just a few hundred dollars.

+More on Network World: Was Trump bitten by Twitter time-stamp bug that stung Alec Baldwin’s wife?+

They found that while it’s possible to change the number of votes cast for each candidate, it would be very difficult to do so on a large enough scale to swing the election one way or the other.

However, enough machines in random precincts could be provably compromised so that general public confidence in the official outcome would be undermined, says Samir Kapuria, Symantec’s senior vice president for cyber security.

Using a voting-machine simulator that contains an aggregate of known vulnerabilities from real-world voting machines and some that Symantec found itself, Kapuria demonstrated several ways attackers could taint voting results.

Symantec researcher Brian Varner says U.S. representatives and senators have contacted him to learn about the vulnerabilities and exploits with the goal of figuring out how to better secure the voting.

+More on Network World: Hack the vote: How attackers could meddle in November’s elections+

Varner says standards are needed for computerized voting systems sold in the U.S. in order to beef up security. ATMs, which are analogous to voting machines, have such standards because they serve a single industry that built consensus around them.

A range of exploits could leave electronic voting open to a range of exploits from a lack of encryption to Wi-Fi connectivity and the physical integrity of the devices, he says.

It’s a difficult problem, though, because elections are set up by individual states that don’t necessarily want to give up authority over what systems they use. This summer, the secretary of state in Georgia turned down a Department of Homeland Security offer to help secure its voting system saying it was a federal power grab.

Other security experts are concerned as well. Bruce Schneier, for one, has written urgently for action before this fall’s election.

“But while computer security experts like me have sounded the alarm for many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified,” he writes.

“We no longer have time for that. We must ignore the machine manufacturers’ spurious claims of security, create tiger teams to test the machines’ and systems’ resistance to attack, drastically increase their cyber-defenses and take them offline if we can’t guarantee their security online.”

Symantec’s research supports his worries. In addition to being a relatively inexpensive undertaking – just several hundred dollars, Kapuria says – hacking the voting system isn’t that difficult. Varner says it would take someone with a lot of focus and a skill set of seven out of 10, with one being a person who carries out compromises by Googling instructions and blindly following them.

Kapuria says attacks can accomplish three things. First, the actual vote count could be altered, but probably not on a scale to alter the outcome. Second, compromising a smattering of machines could create chaos among the electorate by casting doubt on results. And third, contaminated East Coast election results reported to news outlets could alter on a large scale whether and for whom West Coast voters cast ballots.

Varner bought an actual voting machine on an online auction site for less than $200, including shipping, using his own name and having it mailed to his home without identifying himself as a Symantec employee. That was to show that an average person with not tech security connections could buy one.

He bought commercially available reprogramming devices for $15 that let him reset the chips embedded in voter ID cards so one person could vote more than once. It could also permanently alter the chips so that when voting officials reprogrammed them to be used by other voters, they would register with the voting machine as if the same person voted over and over again.

A chip card manufacturer told him it could print them with whatever design he wanted on them, including official state seals, so it would be possible to substitute real ones with ones made by attackers but that looked similar.

Varner says voting machines use storage devices – essentially USB sticks – that perform two legitimate functions: uploading the ballots voters see on the screens and downloading the actual votes cast in the machines. These devices are plugged into each machine then manually connected to tallying devices to tote up the votes cast at all the polling places in a county, for example.

He was able to buy one and compromise it, which means an attacker could alter the ballot or have the machine count a vote for Candidate A when the voter actually pressed the button for Candidate B. The data on the storage devices was not encrypted.

Also, since the device is handled by a person between the voting machine and the tally device, it could be compromised or altered in any number of ways en route between the devices, he says. Voting machines in some states don’t print out paper tallies, so there is no way to check whether the tally recorded by individual voting machines matches the number of votes reported to the tallying device. “There’s no way to do a recount,” he says.

Some say that voting machines are not connected to the internet, but he found that some voting machines are Wi-Fi enabled so that they could be connected to the internet by an attacker. Even if they don’t have Wi-Fi, the votes could be compromised by an ambitious hacker if an upstream device, such as the tallying server, can be connected to the internet, Varner says.

He says tallying computers ran Windows operating systems earlier than Windows 7 and their user manuals included instructions for networking them. That presents the possibility of hacking them remotely if the network they are attached to connect to the internet, he says.

Physical security for the machine he bought was weak. A proprietary screw head was used on screws that secured the casing so it could not be opened except by an official with a proprietary screw driver. He found one at Lowe’s that worked. That means a poll volunteer with access to machines could open them up to access their memory without leaving a trace, he says.

He did that with the machine he bought online and found it still held results from one of the last two presidential elections, including write-ins that he was able to read on his Mac as if the machine’s memory were just another drive.

Join the CSO newsletter!

Error: Please check your email address.

More about SymantecTwitterWest

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts