Sean Sullivan, security advisor at F-Secure Labs, has warned that hackers could severely disrupt the reporting of the US general election on 8 November by hacking AP servers.
He said that in this scenario, an attacker doesn't have to hack every voting machine in America to cause widespread chaos.
The AP – or Associated Press – is the leading news agency in America. It supplies stories to thousands of media outlets, including the largest newspapers, TV news channels and websites. Critically, it performs a key role on election night, deploying 4000 “stringers”, or local journalists, to report the election results at county level.
Sullivan theorised that this represented a potential pinch point that an attacker could target on election day, either disrupting and delaying the reporting of results or hacking into the network and injecting fake data.
In his analysis, he used F-Secure's Riddler tool to identify two servers which appear to be part of the AP Vote Count system.
One of the servers appears to be a legacy system which has been left online and publicly accessible – something which Sullivan says is “a bad idea”.
The second server appears to be the live one but, critically, he says the login page doesn't appear to be encrypted and doesn't use HTTPS, and it is not protected by a DDoS mitigation service.
As evidence of how influential the AP is, in April 2013 an attacker briefly took over the AP Twitter account and tweeted that there had been two explosions at the White House and that President Obama had been injured. The Dow Jones Industrial Average, a stock market index, plunged 140 points in less than a minute before bouncing back.
Sullivan wrote in his blog: “AP's system could be a critical point of failure on election night. A threat actor couldn't actually change the vote, but the results could definitely be undermined. A DDoS attack on the AP's election night system could result in a delayed tally. And in the current political environment, delayed results will spread suspicions of voter fraud. If the system is vulnerable to hacking, illegitimate input might be possible, confusing the reporting, with the same potential results.”