Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/19/2016
06:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Russia, Others Indeed Could Hack The Vote

DHS official 'confident' in electoral system security, but offers security assistance to localities and urges vigilance.

With less than 50 days until Americans cast their votes for a new President on Election Day, once-distant concerns of hackers disrupting the voting process are increasingly becoming a heightened concern.

While security experts say they don't expect a massive breach or large-scale disruption on Election Day, they say the possibility exists that hackers could attack voting systems this year given the recent high-profile activity of Russian government-supported hacker groups, as well as the volatile political climate in this contentious Presidential race. But the underlying problem that could leave Election Day at risk is really nothing new: the well-known security flaws in various electronic voting systems used nationwide.

The US Department of Homeland Security has reached out to state and local election officials and offered assistance in helping them better security voting systems amid the very public breaches of the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC), and voter registration systems in Arizona and Illinois.

DHS administrator Jeh Johnson attempted to balance calm with vigilance in a statement he issued on Friday: "We have confidence in the overall integrity of our electoral systems. It is diverse, subject to local control, and has many checks and balance built in," Johnson said. "Nevertheless, we must face the reality that cyber intrusions and attacks in this country are increasingly sophisticated, from a range of increasingly capable actors that include nation-states, cyber hacktivists, and criminals. In this environment, we must be vigilant."

Johnson said DHS is offering localities vulnerability and risk assessments of their voting systems, including those of Internet-facing ones, as well as a best practices guide for securing voter registration databases as well as protecting election systems from threats such as ransomware. He also urged states and election officials to use the Multi-State Information Sharing and Analysis Center (MS-ISAC) to share and receive threat intel.

Dmitri Alperovitch, co-founder and CTO at CrowdStrike, which identified Russian nation-state groups as the culprits behind the DNC and DCCC breaches, says the nation-state attackers could well target voting systems this election year as well.

"We absolutely see that as a potential threat. This is something we are very concerned about, a disruption to the election," Alperovitch says. The recent breaches of state voter registration systems could just be the beginning, he notes.

"There is certainly significant potential for more damage," he says.

Arizona's registration system reportedly was infected with malware, and Illinois' has some 200,000 voters' data stolen this summer. While no source of the attacks has been named publicly, security experts say it's possible that the Russian state actors were looking to alter voter registration data in an attempt to disrupt voting by preventing citizens from voting or sabotaging their voter identity information. Or they were merely testing the security of those systems for further attacks.

Researchers at ThreatConnect recently found a new clue pointing to Russia as the possible source of the attacks that circumstantially indicates possible nation-state actors.

E-voting system security has been in the spotlight for some time now. Security expert Bruce Schneier says some states and precincts are more vulnerable than others. The distributed and diverse nature of the nation's voting systems indeed provide some general security cover since there's not just one brand of machine to target, but at the same time are vulnerable, according to Schneier. "A localized hack can have huge implications," he says.

The key is a paper trail for votes, he says. Optical-scanning of paper votes is the "gold standard of voting, but most [precincts] don't have it," Schneier says.

According to a new Institute for Critical Infrastructure Technology (ICIT) report, just 60% of states require paper trails of their voting systems, and 70% of all 9,000 US voting precincts use e-voting.

"We don't have a [national] bureaucracy for voting," Schneier notes. Voting systems and machines are administered by volunteers or non-technical people, he says, every couple of years. "That makes it harder to make usability and security correct."

Not Just Russia

It's not just Russian state hackers who could wreak some havoc on the election, either. "I don't think we should limit the conversation to Russia," says James Scott, senior fellow with ICIT. China also has a stake in the outcome of the US election, he says, as do hacktivists unhappy that Bernie Sanders isn't the Democratic nominee or even radicalized extremists, for example.

Scott argues it's also easy for one nation-state group to mimic another's behavior as cover. "Most of APT 28 and APT 29's exploit kits and malware are readily available on the deep Web. Reproducing" their MO is easy, he says, of the infamous nation-state Russian attack teams.

The bottom line, he says, is there are plenty of attack groups who would want to mess with the US election. "I think we have to" expect it, he says.

Scott co-authored ICIT's new report published today called "Hacking Elections is Easy! Part 2: Psst! Wanna Buy a National Voter Database? Hacking E-Voting Systems Was Just the Beginning," which outlines the weak spots in various electronic voting systems and processes and also includes screenshots of voter registration found for sale in the Deep Web.

He contends that even paper-based trails are no protection from hacks. "At the end of the day, paper is being scanned onto a machine" that has some network connectivity, he says. Many systems also rely on insertable media, which also could be compromised, he says.

Voting system manufacturers could be targeted in an attack, or a malicious insider there could poison a software update, for example, he says. "All of these machines operate off black-box technology, with proprietary programs nobody gets access to so you can't audit or pen-test it," he says.

A compromised update could be malicious code that calculates vote values higher for one candidate over another, for instance, he says.

Other security experts echo Scott's warnings of supply chain compromise.

"A lot of components go in these DREs [direct recording electronic systems], without a remote connection," says Levi Gundert, vice president of intelligence & strategy at Recorded Future. That would mean possible tampering or compromise of voting systems at the hardware level, for example, he notes.

Silent Breach?

Meantime, experts warn we don't really know if voting systems have previously been hacked. "We were just as exploitable before" as we are now, ICIT's Scott says. "Someone hacked this key region in this state [for example] … are we going to know?"

It takes an average of six months for most companies to detect a data breach, and 90 days for organizations who are closely watching their network infrastructure. "The voting window is shorter than that, so we wouldn't pick it up until the President is already elected," says James Carder, CISO of LogRhythm."That's unnerving to me."

And even if it turns out there is no hack of voting systems, the threat of one could hang over this year's election, Schneier says.

"It's not just hacking; it's the appearance of hacking," Schneier says. "If the loser is not convinced [he or she] lost fairly, you're going to have a problem with the election." 

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...