Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/13/2016
01:00 PM
Jai Vijayan
Jai Vijayan
Slideshows
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

7 Ways Electronic Voting Systems Can Be Attacked

Pre-election integrity tests and post-election audits and checks should help spot discrepancies and errors, but risks remain.
Previous
1 of 8
Next

Image Source: Fredex via Shutterstock

Image Source: Fredex via Shutterstock

Concerns about the fragility of US electronic voting systems to cyberattacks go back to 2002 when the Help America Vote Act was passed mandating the replacement of lever-based machines and punchcards with more modern voting equipment.

Those concerns have been greatly amplified this election season with reports of attacks on voter registration systems in some 20 states and intrusions into the Democratic National Committee’s computers by hackers believed to be out of Russia.

The attacks have stirred considerable fears about foreign adversaries and nation-state actors somehow disrupting the elections and even manipulating the outcome of the voting to favor one of the two major party candidates.

The reality is less alarmist than might first appear.

Recent attacks involving the theft of data from voter registration systems in Illinois and Arizona certainly serve as a warning about the potential for foreign actors to cause problems. But the fact is that the attacks have been on systems used to manage the elections and handle tasks like voter registration, not the voting systems that people will use to cast ballots.

The actual machines that people will use to vote are not Internet-connected and are therefore protected against a vast number of cyberattacks that people assume the systems are exposed to, the National Association of Secretaries of State said in an open letter to Congress recently.

In all states but five, a vast majority of the electronic voting equipment that voters use will have paper backups. Some voters will use what are known as Direct-Recording Electronic (DRE) voting systems to cast their votes electronically. Others will mark their choices on a paper ballot and feed it into an optical scanner that will do the ballot counting. In both cases, voters and election officials will have a so-called Voter Verifiable Paper Audit trail that will provide a reliable backup even if the machines fail or are somehow compromised.

Pre-election integrity tests and post-election audits and checks should help spot discrepancies and errors as well, the NASS has noted while cautioning against a loss of public confidence in the US voting system.

Despite such reassurances, security analysts point to several weaknesses in electronic voting systems that attackers could take advantage of to cause varying degrees of problems.

Here are seven of those security weaknesses in e-voting systems.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Previous
1 of 8
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/15/2016 | 1:43:46 PM
One place where we need open source
Contributing to all of these factors (especially #3) is that electronic voting systems are proprietary and not open source.  Accordingly, there is no real auditing that can be done -- and whenever an update gets pushed out, it has to go through an onerous, lengthy vetting process (where very little genuinely useful information actually gets discovered) -- sometimes up to two years...meaning that systems stay un-updated for two years or more, that the updates may be ineffective if not outright bad, and that local governments don't have the time or money to train their volunteers on the systems.
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12162
PUBLISHED: 2019-07-23
Upwork Time Tracker 5.2.2.716 doesn't verify the SHA256 hash of the downloaded program update before running it, which could lead to code execution or local privilege escalation by replacing the original update.exe.
CVE-2018-18669
PUBLISHED: 2019-07-23
GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbitrary web script or HTML via the "board title contents" parameter, aka the adm/board_form_update.php bo_subject parameter.
CVE-2019-10101
PUBLISHED: 2019-07-23
Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is: denial of service. The component is: function Jsi_ValueArrayIndex (jsiValue.c:366). The attack vector is: executing crafted javascript code. The fixed version is: after commit 738ead193aff380a7e3d7ffb8e11e446f76867f3.
CVE-2019-9815
PUBLISHED: 2019-07-23
If hyperthreading is not disabled, a timing attack vulnerability exists, similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an option to disable hyperthreading in applications running untrusted code in a thread through a new sysctl. Firefox now makes use of it on the main thre...
CVE-2019-9816
PUBLISHED: 2019-07-23
A possible vulnerability exists where type confusion can occur when manipulating JavaScript objects in object groups, allowing for the bypassing of security checks within these groups. *Note: this vulnerability has only been demonstrated with UnboxedObjects, which are disabled by default on all supp...