Can the upcoming US Presidential Election be hacked? According to cybersecurity firm Symantec, it is quite possible. Symantec simulated a cyberattack on the upcoming Clinton versus Trump election while spending only around $500, primarily with a $15 Raspberry Pi-like device.
“To get started, we purchased actual direct-recording electronic (DRE) voting machines off an online auction site and other equipment to simulate a real-world voting system,” said Symantec.
The company claims that its research revealed “three easy ways an attacker with the right level of intelligence and motivation could erode the trust that American citizens have in their election process.”
This is how Symantec simulated the election hack.
Voters entering polling stations that use electronic voting machines are handed a chip card that they use to cast their vote. Once someone has voted, they turn the card back in to the polling station volunteer and it gets re-used by the next voter.
“Just like credit cards, these cards are essentially a computer with its own RAM, CPU and operating system. Which means they can be exploited like any computing device,” it said.
In examining the election process for vulnerabilities, Symantec discovered that there’s an opportunity for a hacker to modify the code put on a voter’s chip card.
“Anyone who knows how to program a chip card and purchases a simple $15 Raspberry Pi-like device, could secretly reactivate their voter card while inside the privacy of a voting booth. We found a card reader that fits neatly into the palm of our hand and used it to reset our fake voter chip cards two different ways,” Symantec claimed.
In one scenario, Symantec reset the card to allow someone to vote multiple times using the same chip card. “Our second method programmed the card to allow that card to cast multiple votes. In both approaches, that attacker is stuffing the digital ballot box and casting doubt on the validity of the results from that polling station,” it explained.
Symantec claimed to have discovered that there was no form of encryption on the internal hard drive of the voting machines that it had purchased. Also, they were running an outdated operating system to display the ballots and record votes.
These types of hard drives are similar to those used in digital cameras. The lack of full disk encryption on the internal hard drive (as well as the external cartridges) presents opportunities for hackers to reprogram and alter ballots, according to the company.
“Potential hackers would also be unhindered by the voting machine’s lack of internet connectivity. Some types of malware, such as Stuxnet, can take advantage of air-gapped networks and vector through physical access to a machine. The lack of full-disk encryption on the DRE machine makes it easily exploitable, requiring only a simple device to reprogram the compact hard drive,” the company stressed.
The firm said that a voting machine is only one vehicle for election cyber fraud. The behind-the-scenes data tabulation presents an even greater opportunity for attack.
“Votes are typically collected on the machine in a simple storage cartridge and physically transferred to a central database for tabulation,” it added.
How can voting data be compromised?
Symantec explained the following.
Manipulation of cartridges – The storage cartridge functions like a USB drive, in that it stores data in plain text with no embedded encryption. A hacker could easily rewrite vote information or add false votes onto the cartridge to alter the outcome.
Manipulation of the voting database – Based on their findings, Symantec believed that it’s possible for hackers to compromise storage cartridges by uploading malware to alter the database or wipe it completely, causing recounts in numerous precincts.
This year, 43 states will use electronic voting machines that are at least 10 years old. It’s reasonable to suspect some tabulation computers and software have been left unpatched or unsupported, opening the doors to other means of infiltration. By propagating misinformation, a hacktivist or attacker could cause voter distrust of election results.
In the simulated election, Symantec broadcast the results “live” on YouTube. The research found that it’s plausible for hackers to hijack means of communication and spread false results on YouTube, broadcast media, social media and other channels.
If voters were to follow the poll leader, they might choose not to go through the trouble of voting if the election looked like it was heading for a landslide victory.
Also, voters can be reached via other means of influence. Hacker Andrés Sepúlveda allegedly engineered election results in South America using an army of fake Twitter accounts, spreading false information using email campaigns, altering candidates’ websites and more.