Could Hackers Change Our Election Results?

Many of the same vulnerabilities exist in electronic voting systems as the last time we elected a president, and new ones abound that could put voter databases at risk and undermine civic confidence
As the rest of the nation's citizens sit on pins and needles about who will win the presidential election -- Barack Obama or Mitt Romney -- information security pros are even more anxious in their wait to see whether this is the year that hackers find a way to subvert or disrupt the increasingly electronic-voting process. According to security experts, the situation is ripe for the bad guys to strike.

Hacktivist groups like Anonymous and LulzSec have perfected their crowdsourced attack methods, and nation-state hackers have more resources than ever to carry out complicated attacks. Meanwhile, voter databases are increasingly interconnected within complex and often insecure local and state IT infrastructure, while the electronic voting systems many states depend on are plagued with vulnerabilities that the security community has been warning citizens about for the better part of a decade.

"If big, Internet-based companies like Yahoo, LinkedIn, or Sony can fall to hackers, then, yeah, big government databases and local authorities who actually administer the election process can be hacked," says Stephen Cobb, security evangelist for ESET. "I'm somewhat surprised it hasn't happened yet."

First on some security experts' watch list is the potential for hacking online or networked voter databases. Some experts expressed worry that thieves could steal these databases for financial gain, but as Rob Rachwald, director of security strategy for Imperva, put it, "Most voter databases don't contain a whole lot of sensitive data; they typically contain your name and address, which isn't terribly private."

However, if bad actors were able to make changes in the database, that's where the real trouble would start. If attackers can gain access to these databases to switch addresses for the sake of disenfranchising certain select groups of voters who'd find themselves missing from precinct lists on election day, or to institute wide-scale mail-in voter fraud, then they could still affect an election's outcome.

Such scenarios are hardly far-fetched or improbable, numerous experts warned. And with states like Washington and Maryland opening up voter registration data online, the potential threat surface only increases.

"Any system that is networked, especially to the Internet, is inherently vulnerable to attacks on its availability, and the confidentiality and integrity of its data," says Steve Santorelli, director of global outreach for the security research group Team Cymru.

In Washington's case, the state's co-director of elections, Shane Hamlin, told the New York Times in an investigative piece on the security of its voter database that the government's IT staff would be reviewing transaction logs for unusual activity. But depending on when improprieties were found, particularly after the fact, it could have extreme civic consequences. One of the biggest dangers of voting-related cybercrime is its undermining of voter confidence, says Dr. Hugh Thompson, program committee chairman for RSA Conference and a participant in the 2006 HBO documentary Hacking Democracy.

"Interestingly, the wrong person winning is not the worst thing that can happen," he says. "The real worst case is a hacker proving that the vote was compromised and ultimately undermining the entire voting process."

He says to look at the hanging chad controversies of the 2000 election as a barometer of how an e-voting issue could impact the economy and citizen confidence in government engagement.

"It would impact the stock market and erode confidence in the entire system, which is a real motivator for organizations that want to attack critical infrastructure," he says.

A long-time researcher into the vulnerability of electronic voting systems, Thompson is one of many who warn that the potential for hacks extends well beyond voter databases. He warns that many of the same vulnerabilities that existed back in 2006 still stand today, while hacking itself has greatly evolved.

"For the first time, technology is allowing groups of disgruntled people to become empowered. These groups are organized, collected, and collaborative, with a means to get their message and point across through attack tools, like DDoS, that were not possible in 2008," he says.

A check on the OSVDB shows listings for 218 vulnerabilities in various election voting systems, warns Space Rogue, threat intelligence manager for SpiderLabs at Trustwave, who says the flaws involve everything from weak encryption to poor authentication or even voter information leakage. It is critical to remember that these machines aren't that much different than other computer systems that require proper hardening.

"In fact, some even run on the same Windows software as your home PC. Therefore, common vulnerabilities like buffer overflows and SQL Injections can be used against voting machines just like nonvoting machines with the same results," he says.

In spite of these vulnerabilities, some security experts believe they are difficult to take advantage of. Leonid Shtilman is one of them. The CEO and co-founder of privilege management firm Viewfinity, Shtilman also helped develop one of the first touch-screen systems used for primary elections in Israel, and he says that he believes it is very difficult to manipulate the results of elections using these systems.

"For example, on most of these systems, information is stored in a database and is synced in multiple locations so it can be compared for missing, incomplete, or inconsistent data," Shtilman explained. "In my experience, it really requires a complicated large-scale operation to manipulate the data captured by electronic voting systems."

One of the biggest beefs that those critical of these systems' security have is the fact that there are very few ways to publicly verify the security claims offered by those like Shtilman and e-voting system manufacturers.

"Proprietary designs are common in this field, and that means it's much harder for researchers to pull a machine and its software apart to check for vulnerabilities," Santorelli says. "Open-source software lends itself to exactly this kind of checking, but that's not the business model that e-voting companies favor."

What's more, security pros believe that local and state authorities are not held accountable for how they deploy the systems or their voter database infrastructure the way that many commercial or federal entities are through regulations such as PCI DSS or FISMA.

"Do we know how many people have access to voter information or which type of security product [the government authorities] have been using to verify that nothing has been done or changed inside the voter database? The simplest answer is we'd have no clue whatsoever," says David Maman, CTO of GreenSQL. "Just think about it. Today if you want to store credit card information, you have to comply with so many requirements, but not with voter information."