Florida voting "hack" shows how voting is susceptible to logic attacks


Though hackers' attempts to rig a Florida election last year failed, researchers believe the case highlights an array of ways online voting systems are vulnerable to cyber intruders.

The incident occurred last August when attackers used software to submit more than 2,500 bogus requests to receive absentee ballots using the Miami-Dade County Department of Elections website.

While the scheme, which occurred during Florida's primary election for state Senate and House leaders, was detected by Miami-Dade's Department of Elections before the race could be impacted, researchers see the incident as an opportunity to take a different approach to security for voting systems.

Barry Shteiman, senior security strategist at Imperva, a Redwood Shores, Calif.-based firm that provides security solutions for databases, systems and web applications, told SCMagazine.com on Tuesday that the cyber ballot-stuffing incident means hackers are making headway.

“I believe that the attackers couldn't get all the way through, but that doesn't mean there isn't another vector,” Shteiman said. “There are so many ways you can get fraudulent data in [voting systems], and some of the ways are yet to be tested by hackers and security researchers. There's also a chance [hackers] have another door and they are waiting for something else, like a bigger election. It might be a timing thing.”

In December, a Miami-Dade County grand jury submitted a 42-page report on the hacking attempt, first reported by NBC News, describing the event as “a scheme where someone created a computer program that automatically, systematically and rapidly submitted…numerous bogus online requests for absentee ballots.”

Software from a third-party vendor caught the suspicious activity, detecting that the influx of requests appeared to come from the same group of computers and were being submitted much faster than a human could physically enter the data, the report said.

The incident was stopped before it compromised the election, but law enforcement was unable to determine the culprit. The attackers covered their tracks by using IP addresses from locations around the world, including India, England, Ireland and the United States. Shteiman said future hacking attempts on voting systems could become more sophisticated – or that an even easier method could prove effective enough. 

“When talking about online voting, you don't always have to hit the system [directly],” he said.

A phishing email scam, for example, that directs absentee voters to bogus sites to request ballots online could substantially impact elections, he said. “Imagine that coming from 50,000 or more people,” Shteiman added.

He said that focusing attention on mitigating threats is not enough.

“[The goal is] not to block and mitigate, but to qualify whether a transaction is fraudulent using business logic rules,” Shteiman said. “You need to make sure you can [compare] the amount of votes versus the [number] you expect to have. Also, knowing your source can only vote once from their computer is another point [to monitor].”
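The two signals described above, request timing per source (from the grand jury report) and observed versus expected volume, can be expressed as simple business-logic checks. The following is an added example, not code from the vendor or the county; the function names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (seconds since midnight, source IP, request id).
# IPs are RFC 5737 documentation addresses; nothing here comes from the real case.
SAMPLE_REQUESTS = [
    (36000.0, "192.0.2.10", "r1"),
    (36000.8, "192.0.2.10", "r2"),
    (36001.5, "192.0.2.10", "r3"),
    (36002.1, "192.0.2.10", "r4"),
    (36010.0, "198.51.100.7", "r5"),
    (36400.0, "198.51.100.7", "r6"),
    (36100.0, "203.0.113.5", "r7"),
]


def flag_fast_sources(requests, min_human_seconds=20.0, min_requests=3):
    """Return {source: median gap in seconds} for sources that submit
    forms faster than a person could plausibly fill them in.
    Both thresholds are assumed values, to be tuned per form."""
    by_source = defaultdict(list)
    for ts, src, _req_id in requests:
        by_source[src].append(ts)

    flagged = {}
    for src, times in by_source.items():
        if len(times) < min_requests:
            continue  # too few requests to judge timing
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        typical_gap = median(gaps)  # median resists a single long pause
        if typical_gap < min_human_seconds:
            flagged[src] = typical_gap
    return flagged


def volume_anomaly(observed, expected, tolerance=0.5):
    """True when the observed request count exceeds the expected count
    by more than the tolerance fraction (assumed default: 50%)."""
    return observed > expected * (1 + tolerance)


if __name__ == "__main__":
    print(flag_fast_sources(SAMPLE_REQUESTS))
    print(volume_anomaly(observed=2500, expected=400))
```

The per-source timing check alone is weakened when requests are spread across many addresses, which is why the aggregate volume comparison is kept as a separate rule.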
