The latest cyberattack on Hillary Clinton’s election campaign and other attempted data breaches of state voter databases have raised legitimate concerns about the integrity of the upcoming US election. As the date looms closer, any indication of malicious activity which could compromise the voting process and potentially cause an unexpected upset, will be closely monitored and evaluated. This article will uncover potential attack vectors that could be used to manipulate elections, and detail potential processes to defend against such attacks.
The Clinton Hack
Clinton’s campaign was hacked by a typical social engineering trick: a phishing scam. Attackers mocked up a fake Google authentication page identical to the one her campaign staff would typically see when accessing their email accounts. A phishing email appearing to come from Google contained a link which directed recipients to a fake login page, which allowed attackers to capture login credentials, providing access to data which was used to embarrass the campaign and potentially for other political reasons.
Defending against this type of attack has its challenges. End-user education plays an important role, as they need to know what to be on the look-out for. SecureWorks, which did an analysis of the attack, recommended educating users about:
- The dangers of spear phishing emails in general.
- How to expand shortened URLs to reveal their true destinations. For Bitly (the shortening service used in this attack to obfuscate the malicious links), pasting the URL in a browser’s address bar with a plus sign at the end will reveal the actual destination.
- Being vigilant about login pages and ensuring they are legitimate before entering credentials. In this example, ensuring the resulting URL was actually going to google.com should have been enough to raise user suspicion.
An additional defensive measure that should be used in cases like this is the Google 2-factor authentication solution (2FA). Google 2FA would have prompted users to input a one-time passcode generated by the free Google Authenticator app in addition to the normal password credentials required. This extra step would have made it harder for attackers but even this additional step isn’t a silver bullet. Even though attackers have figured out ways to use social engineering to get around even this protection, it does add a significant hurdle for them to overcome. Enabling this feature is definitely worth the extra effort, but educating end users about these types of attacks is still the most important step.
Hacking the Vote
The Clinton campaign hack isn’t the only election-related compromise to make the news of late. The news that voter registration systems in US States Arizona and Illinois may have also been hacked has raised concerns about the security of US elections in general. This is a valid concern.
Given that our elections are now mostly tabulated via electronic voting machines and voter information is stored in electronic databases, could hackers really manipulate elections? The answer to this is more complicated than it may appear. Hacking Clinton’s campaign emails was pretty straightforward for attackers. Hacking an election would take a lot more coordination, but isn’t an impossibility. Hacking a national election adds considerably to this complexity and would require even more coordination.
The first thing to understand is that simply changing votes en masse from one candidate to another would set off red flags with election authorities and the political parties that watch these things very closely. For example, if a particular voting precinct normally votes 70 percent for candidates in one political party but suddenly votes 100 percent for a candidate in an opposite party, election authorities and more particularly, the political party who lost those votes, would raise red flags. Depending on local election rules, an audit could be triggered to manually review the votes in that precinct to determine the cause of the irregularity.
Challenges to compromising elections go beyond even that inconvenience. In the US, it is the states that have authority to determine how elections are handled and impose state-specific rules around elections. This means differing types of voting machines, differing procedures on how voting takes place, and differing processes around voter registration. National voting laws still need to be upheld in all the states but specific nuances can be different between each. Attackers that truly want to impact a national election’s outcome would need to compromise multiple voter databases, consider different rules from state to state, and understand how different types of voting machines operate, all along with specific considerations around which precincts to compromise and how.
Despite the complications, a compromise of a US national election might be possible. Consider the following, using a presidential election as an example:
- Certain states are a given for certain parties. If hackers avoid these states, they are less likely to raise suspicion.
- Targeting specifically states that, in theory, could go to either candidate would be their best bet. Selecting the fewest number of these states to still ensure victory for the chosen candidate reduces the amount of effort required.
- Attackers wouldn’t have to change all the votes in these states – only some of them. Careful analysis of voting preferences in specific areas would allow attackers to manipulate votes in only particular precincts and only by a certain percentage to swing the entire state to their candidate of choice. This could reduce or even eliminate any suspicion of wrongdoing.
- Even by reducing the scope to specific precincts in specific states, this could still require compromising thousands of voting locations in differing voting jurisdictions/
Getting fraudulent votes recorded in these specific areas could be done in a couple of ways. The most straightforward but also most challenging would be to compromise the programming on the voting machines themselves. This would require knowing the specific machines used in the areas targeted, writing malicious code for those machines, and figuring out how to get the code installed on enough machines to obtain the desired results. Given that procedures for updating the machines prior to elections varies from area to area and often involves many security precautions, this is no small task. Also, to do this stealthily, the machines would have to display the votes that voters have chosen but record something different. This would be akin to how Stuxnet manipulated workstations to show that everything was fine while it was destroying centrifuges behind the scenes.
Even doing this would not go undetected. Machines are often tested by having officials perform hundreds of votes and then verifying the results from the machines matched what was entered. This is a hard hurdle to get around for attackers. Additionally, machines are locked-up and sealed until elections begin to prevent tampering.
The second way to potentially alter an election would be to compromise voter rolls to add fraudulent voter information, or take advantage of voters who are registered but don’t vote (dead voters for instance). Submitting mail ballots as these fraudulent voters specifically in the areas targeted could help ensure victory for the hackers’ candidate of choice. This is precisely how election fraud works today without the need for “hacking.” Compromising voter databases is just a different means to the same end.
Hacking an election may be possible in theory, but there are actions election authorities can take to help prevent these kinds of attacks. Many of these suggestions may already (and should already) be in place.
- Place careful protections around voting machine update procedures.
- Perform vote testing after updates to validate proper voting machine function.
- Vote auditing should be possible completely separate of voting machines. This means having some kind of paper ballots (or equivalent) to be counted should voting machines be compromised.
- Protect accounts that access voting databases and voting machines with 2 factor authentication.
- Access logs, system logs, and web logs should be captured and compared with threat intelligence to detect breaches.
- Administrative access should be only allowed where completely necessary.
- Software should be kept up-to-date.
- Third party testing of all election-related systems to ensure security holes are made known and addressed.
Maintaining the integrity of elections is a key step in protecting our democracy and something election authorities take very seriously. Understanding the threats against our election system helps us better understand how to protect election integrity. A few prudent measures can help ensure every vote counts and is processed accurately.