In the final hours of the U.S. presidential election, as Americans go to the polls, researchers have raised new concerns that election results may be compromised.
Flashpoint observed an attempted distributed denial of service (DDoS) attack against campaign websites belonging to presidential candidates Donald Trump and Hillary Clinton. In a blog post, the firm attributed the attacks to “unsophisticated actors” using the Mirai botnet to target the candidates' websites. The botnet was previously harnessed to attack the “Krebs on Security” website, the Internet service provider OVH, and Dyn DNS. The Internet of Things (IoT) botnet may also have been used in the attack that knocked Liberia offline last week.
The attack, which Flashpoint researchers reported occurred Sunday evening or Monday morning Eastern Time, did not trigger an outage at either of the campaign websites.
The latest developments are a fitting close to an election cycle that has been dominated by cybersecurity concerns.
In a separate discovery, researchers published a video demonstrating the compromise of a touch-screen electronic voting machine. The video displayed an attacker reflashing firmware of the Sequoia AVC Edge Mk1 voting machine.
Cylance's video demonstration showed how vulnerabilities disclosed in a research report nearly a decade ago can be exploited to change polling precincts, vote tallies, or even candidate names. The information could be altered by inserting a PCMCIA card pre-programmed with the hacked voting numbers.
In speaking with SC Media, Cylance Vice President of Research Ryan Smith described the exploit as similar to jailbreaking an iPhone, although previous research has found that voting machines are often less secure than iPhones.
He called the security on the Xbox “light years ahead” of the voting machines. Cylance cited data from verifiedvoting.org and claimed that 22,368 precincts and 18,594,272 voters could be impacted.
In an accompanying blog post, Cylance researchers called on election officials to enact additional supervision and monitoring of physical access to electronic voting machines. The firm also recommended in the long term “phasing out and replacing deprecated, insecure machines”.
Many polling precincts place a tamper-evident seal over the port, Smith said. The researchers created the video to help educate poll workers about “the implications of ignoring a broken seal.”
While the demonstration has raised security concerns, it is only one of the most recent instances of research raising questions about voting machine exploitation. In August, the FBI's Cyber Division revealed evidence that voter databases in two states were breached by foreign hackers. At the time, the agency called on election officials to strengthen the security of their computer systems.
Those calls went unheeded. Instead, in September, the National Association of Secretaries of State (NASS) penned a letter that warned Congress to avoid proposing legislation that may damage confidence in the election systems. The letter noted that state officials were “working overtime to help the public understand the components of our election process and some of the built-in safeguards that exist.”
The argument against eroding public confidence has some support from security pros. “The specter of the risk is worse than the risk itself,” NTT Security director of threat and vulnerability analysis Christopher Camejo told SC Media.
Camejo believes it is unlikely that an attacker could successfully hack election results “because of how decentralized the process is and how many different voting machines exist.”
Wandera vice president of product Michael Covington wrote in an email to SC Media that security professionals “have been trying to raise awareness for years, but there has been minimal effort to secure these systems and make them less vulnerable to attack.”
Other pros see ample cause for alarm. The vulnerability in electronic voting machines is “terrifying”, according to Venafi vice president of security strategy and threat intelligence Kevin Bocek.
In an email to SC Media, Bocek wrote that the devices “accept updates, are easily reprogrammed and lack basic levels of encryption.” He called the lack of trust and privacy in electronic voting systems “alarming, bordering on insanity.”
Covington noted that while many attacks “showcase serious flaws in electronic voting machines, they also require physical access to implement.” He said physical access does not “minimize the importance of fixing the underlying vulnerabilities,” but noted the difficulty for an attacker to physically attack specific machines in the right precincts.
In addition to getting unobserved physical access to a voting computer for enough time to execute an attack, a malicious actor would “need to execute the attack in such a way that any vote manipulation would go unnoticed,” noted Tenable Network Security strategist Cris Thomas, in an email to SC Media. “No matter what happens, starting on November 9th we need to work on improving the overall security of our voting process,” he added.