Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Hacking the Election: Security Flaws Need Fixing, Researchers Say

Hackers could have easily infiltrated US voting machines in 2016 and are likely to try again in light of vulnerabilities in electronic polling systems, a group of researchers said Tuesday.

Hackers could have easily infiltrated US voting machines in 2016 and are likely to try again in light of vulnerabilities in electronic polling systems, a group of researchers said Tuesday.

A report with detailed findings from a July hacker conference which demonstrated how voting machines could be manipulated concluded that numerous vulnerabilities exist, posing a national security threat.

The researchers analyzed the results of the “voting village” hacking contest at the DefCon gathering of hackers in Las Vegas this year, which showed how ballot machines could be compromised within minutes.

“These machines were pretty easy to hack,” said Jeff Moss, the DefCon founder who presented the report at the Atlantic Council in Washington. “The problem is not going away. It’s only going to accelerate.”

The report said the DefCon hack was just the tip of the iceberg — with potential weaknesses in voter databases, tabulating software and other parts of the system.

The researchers said most voting machines examined included at least some foreign-manufactured parts, raising the possibility that malware could be introduced even before the devices are delivered.

“This discovery means that a hacker’s point-of-entry into an entire make or model of voting machine could happen well before that voting machine rolls off the production line,” the report said.

“With an ability to infiltrate voting infrastructure at any point in the supply chain process, then the ability to synchronize and inflict large-scale damage becomes a real possibility.”

– No certainty on 2016 –

Harri Hursti, a researcher with Nordic Innovation Labs and a co-author of the report, said it’s impossible to say with certainty if votes were tampered with in 2016 because many systems “don’t have the capacity” to be audited.

The report said five US states operate entirely on paperless systems which have no paper trail to be reviewed and another nine states are partially paperless.

“The only way to know is if the hacker tells you,” he said, adding that “it can be done without leaving tracks.”

Douglas Lute, former US ambassador to NATO who presented the report, said in a forward to the report that the findings highlight “a serious national security issue that strikes at the core of our democracy.”

Although some researchers in the past have shown individual machines could be breached, this report suggests a range of vulnerabilities across a range of hardware, software and databases.

“What the report shows is that if relative rookies can hack a voting system so quickly, it is difficult to deny that a nefarious actor — like Russia — with unlimited time and resources, could not do much greater damage,” said University of Chicago cybersecurity instructor Jake Braun, another co-author.

The threat becomes all the more grave “when you consider they could hack an entire line of voting machines, remotely and all at once via the supply chain,” he added.

In presenting the findings, the researchers said members of the DefCon hacker community would work with academics and security researchers in a new coalition aimed at improving election security.

Related: Democracy at Risk from Poor Cybersecurity, Foreign Interference: Survey

Written By

AFP 2023

Click to comment

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.