Florida voting "hack" shows how voting is susceptible to logic attacks
Though hackers' attempts to rig a Florida election last year failed, researchers believe the case highlights an array of ways online voting systems are vulnerable to cyber intruders.
The incident occurred last August when attackers used software to submit more than 2,500 bogus requests to receive absentee ballots using the Miami-Dade County Department of Elections website.
While the scheme, which occurred during Florida's primary election for state Senate and House leaders, was detected by Miami-Dade's Department of Elections before the race could be impacted, researchers see the incident as an opportunity to take a different approach to security for voting systems.
Barry Shteiman, senior security strategist at Imperva, a Redwood Shores, Calif.-based firm that provides security solutions for databases, systems and web applications, told SCMagazine.com on Tuesday that the cyber ballot-stuffing incident means hackers are making headway.
“I believe that the attackers couldn't get all the way through, but that doesn't mean there isn't another vector,” Shteiman said. “There are so many ways you can get fraudulent data in [voting systems], and some of the ways are yet to be tested by hackers and security researchers. There's also a chance [hackers] have another door and they are waiting for something else, like a bigger election. It might be a timing thing.”
In December, a Miami-Dade County grand jury submitted a 42-page report on the hacking attempt, first reported by NBC News, describing the event as “a scheme where someone created a computer program that automatically, systematically and rapidly submitted…numerous bogus online requests for absentee ballots.”
Software from a third-party vendor caught the suspicious activity, detecting that the influx of requests appeared to come from the same group of computers and were being submitted much faster than a human could physically enter the data, the report said.
The incident was stopped before it compromised the election, but law enforcement was unable to determine the culprit. The attackers covered their tracks by using IP addresses from locations around the world, including India, England, Ireland and the United States. Shteiman said future hacking attempts on voting systems could become more sophisticated – or that an even easier method could prove effective enough.
“When talking about online voting, you don't always have to hit the system [directly],” he said.
A phishing email scam, for example, that directs absentee voters to bogus sites to request ballots online could substantially impact elections, he said. “Imagine that coming from 50,000 or more people,” Shteiman added.
He said that focusing attention on mitigating threats is not enough.
“[The goal is] not to block and mitigate, but to qualify whether a transaction is fraudulent using business logic rules,” Shteiman said. “You need to make sure you can [compare] the amount of votes versus the [number] you expect to have. Also, knowing your source can only vote once from their computer is another point [to monitor]."