Security Experts:

Researchers Demonstrate Voting Machine Hack

Despite several security alerts and research papers published in the past years, some of the voting machines used in the United States presidential election are still vulnerable to hacker attacks.

Security firm Cylance has published a video showing how an attacker with physical access to Sequoia AVC Edge Mk1 voting machines can use a PCMCIA card to reflash the device’s firmware and manipulate the voting tallies in memory. This attack method can also be used to tamper with systems designed to ensure that voting results are valid.

The affected Sequoia voting machine, which has been known to have significant security weaknesses, will be used in several states by millions of voters, Cylance noted. The company has not disclosed any technical details of the hack, but it claims to have notified the vendor and government authorities.

A few weeks ago, Symantec researchers also showed how direct-recording electronic (DRE) voting machines can be hacked by someone with physical access. Polling stations that use these types of machines give voters special chip cards they can use to cast their vote.

However, experts warned that these cards can be hacked with a $15 device, allowing attackers to reset the card and use it to cast more than one vote, or program the card to cast multiple votes at once.

While these types of attacks are not easy to carry out in a real-world scenario, especially on a wide scale, the fact that voting machines can be hacked can cast doubt on the validity of election results.

Cylance said it disclosed the voting machine vulnerabilities to raise awareness and encourage authorities to take the proper physical security measures to prevent incidents. However, others see it as a PR stunt and some even believe this type of disclosure can do more harm than good.

Hacking the elections via remote attacks

While local attacks against voting machines are a possibility, the United States government is more concerned about remote attacks, particularly ones launched by state-sponsored threat actors.

This presidential election has been targeted from several angles. Hackers have attacked voter registration databases and the systems of the Democratic Party, both campaigns being attributed to the Russian government. Moscow has also been accused of trying to interfere with the election through data leaks.

Flashpoint researchers believe WikiLeaks may have wittingly or unwittingly become a pawn of the Russian government, especially since some of the information it published recently on Hillary Clinton and the Democratic Party allegedly comes from Guccifer 2.0, which experts believe is a persona used by Russian state-sponsored hackers.

The United States has officially accused Russia of being behind the attacks with the intent of interfering with the presidential election, and vowed to respond. According to some reports, U.S. military hackers have already broken into Russia’s critical systems and may leverage this access if needed.

Flashpoint also reported on Monday that less sophisticated actors had used Mirai botnets to launch distributed denial-of-service (DDoS) attacks against the websites of presidential candidates Hillary Clinton and Donald Trump. However, none of the targeted sites suffered outages as a result of these attacks.

Despite growing cybersecurity threats, U.S. officials said they have confidence in the integrity of electoral systems.

“The U.S. election landscape is made up of approximately 9,000 different state and local jurisdictions, providing a patchwork of laws, standards, processes, and voting machines. This environment is a formidable challenge to any actor — nation-state or not — who seeks to substantially influence or alter the outcome of an election,” said Ian Gray, cyber intelligence analyst at Flashpoint. “Doing so would require mastering a large number of these disparate cyber environments and finding a multitude of ways to manipulate them. An operation of this size would require vast resources over a multi-year period — an operation that would likely be detected and countered before it could come to fruition.”

“Russia can most likely achieve a more reliable outcome with fewer resources not by attacking the election infrastructure directly, but rather by organizing a disinformation campaign attacking confidence in the election itself,” Gray added.

Related: Electronic Voting - The Greatest Threat to Democracy

Related: Ecuador Says it Cut Assange Internet Over US Election Leaks

Related: Researcher Arrested For Hacking Elections Websites

Related: Russian Hackers Target Cash Before Politics

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.