Advertise

Attacks/Breaches

10/13/2016
01:00 PM

Jai Vijayan
Slideshows

Connect Directly

1 Comment
Comment Now

7 Ways Electronic Voting Systems Can Be Attacked

Pre-election integrity tests and post-election audits and checks should help spot discrepancies and errors, but risks remain.

3 of 8

Malware Uploads On Air-Gapped Systems

Even though voting machines are almost never directly connected to the internet they still need to be able to receive electronic files that tell it which candidates are on the ballot. Typically, election officials do this by preparing the so-called ballot definition files on a separate election management system and then transferring it to the voting system via a memory card or cartridge.

Many voting machines designed in the 1990s and 2000s, and which are scheduled for use in the upcoming election, use flash memory to store and update the ballot definition file. A lot of these systems are enabled to receive software updates in the same way they receive the ballot files — via cartridge or a memory card. This opens an opportunity for an attacker to slip a malicious program into a voting machine that causes it to miscount votes, according to Andrew Appel, professor of computer science at Princeton University’s Center for Information Technology Policy.

An attacker could do this over the internet by breaking into the computer that is used to create the ballot definition files or someone with access to the computer could slip in malicious code while creating the ballot file, he said.

Such malicious code updates can be undetectable on direct record electronic voting machines that accept unsigned software updates via cartridge or memory card — and that don't have a verifiable paper audit trail as a backup, he said. New Jersey, Delaware, South Carolina, Georgia and Louisiana are scheduled to use DRE machines without any paper backup.

The threat is substantially mitigated in systems that do have a paper audit trail, however.

Image Source: Wikimedia Commons

3 of 8

Comment |

Email This |

Print |

RSS

Comments

Oldest First | Newest First | Threaded View

[close this box]

50%

Joe Stanganelli,
User Rank: Ninja
10/15/2016 | 1:43:46 PM

One place where we need open source

Contributing to all of these factors (especially #3) is that electronic voting systems are proprietary and not open source. Accordingly, there is no real auditing that can be done -- and whenever an update gets pushed out, it has to go through an onerous, lengthy vetting process (where very little genuinely useful information actually gets discovered) -- sometimes up to two years...meaning that systems stay un-updated for two years or more, that the updates may be ineffective if not outright bad, and that local governments don't have the time or money to train their volunteers on the systems.

Reply | Post Message | Messages List | Start a Board

Hot Topics

Editors' Choice

Attackers Leave Stolen Credentials Searchable on Google

Kelly Sheridan, Staff Editor, Dark Reading, 1/21/2021

How to Better Secure Your Microsoft 365 Environment

Kelly Sheridan, Staff Editor, Dark Reading, 1/25/2021

Webinars

What We Can Learn from Sports Analytics

The Failures of Static DLP and How to Protect Against Tomorrow's Email Breaches

Strategies for Success with Digital Transformation

Webinar Archives

White Papers

A Technical Deep Dive on Software Exploits

2020 Threat Hunting Report

What To Consider Before Renewing Your SD-WAN

IDC Workbook: Best Practices for Cloud Security

Full Body Exposure: CybelAngel Analysis of Medical Data Leaks

More White Papers

Cartoon Contest

Write a Caption, Win an Amazon Gift Card! Click Here

Latest Comment: We need more votes, check the obituaries.

Cartoon Archive

Current Issue

2020: The Year in Security

Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.

Download This Issue!

Back Issues | Must Reads

Flash Poll

All Polls

Reports

Assessing Cybersecurity Risk in Today's Enterprises

COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.

Download Now!

The Malware Threat Landscape

0 comments

How Data Breaches Affect the Enterprise (2020)

0 comments

Building an Effective Cybersecurity Incident Response Team

0 comments

More Reports

Twitter Feed

Tweets about "from:DarkReading OR @DarkReading"

Bug Report

Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database

CVE-2021-3278
PUBLISHED: 2021-01-26

Local Service Search Engine Management System 1.0 has a vulnerability through authentication bypass using SQL injection . Using this vulnerability, an attacker can bypass the login page.

CVE-2021-3285
PUBLISHED: 2021-01-26

jxbrowser in TI Code Composer Studio IDE 8.x through 10.x before 10.1.1 does not verify X.509 certificates for HTTPS.

CVE-2021-3286
PUBLISHED: 2021-01-26

SQL injection exists in Spotweb 1.4.9 because the notAllowedCommands protection mechanism is inadequate, e.g., a variation of the payload may be used. NOTE: this issue exists because of an incomplete fix for CVE-2020-35545.

CVE-2021-3291
PUBLISHED: 2021-01-26

Zen Cart 1.5.7b allows admins to execute arbitrary OS commands by inspecting an HTML radio input element (within the modules edit page) and inserting a command.

CVE-2021-3297
PUBLISHED: 2021-01-26

On Zyxel NBG2105 V1.00(AAGU.2)C0 devices, setting the login cookie to 1 provides administrator access.

To save this item to your list of favorite Dark Reading content so you can find it later in your Profile page, click the "Save It" button next to the item.

If you found this interesting or useful, please use the links to the services below to share it with other readers. You will need a free account with each service to share an item via that service.
Tweet This
[close this box]