Story image

Want to cause chaos? ICIT says hacking elections is easy

07 Aug 2017

​Following the news that hackers at the DEFCON “Voter Village” were able to exploit vulnerabilities in voting machines in a matter of minutes, ICIT has drawn attention to its alarming report that details just how easy it really is to exploit vulnerabilities in voting machines and hack elections.

‘Hacking Elections is Easy! Part One: Tactics, Techniques, and Procedures’ delves into the problems we’re currently facing at almost every modern election.

To hack an election, the report states, a criminal doesn’t need to go through the effort of exploiting a national network of election technology, but instead can simply focus on the machines in swing regions of swing states to hack the election without drawing considerable notice.

According to ICIT, voter machines are so riddled with vulnerabilities that ‘even an upstart script kiddie could wreak havoc on a regional election, a hacktivist group could easily exploit a state election, an APT could effortlessly exploit a national election and any corrupt element with nothing more than the ability to describe the desired outcome could order layers of exploits on any of the multitude of deep web forums and marketplaces.’

Despite maintaining an illusion of security based on the semblance of complexity, the report asserts voting machines are neither secure or complex as in reality these stripped down computers utilise outdated operating systems and possess virtually every conceivable vulnerability that a device can have.

ICIT affirms the fundamental cybersecurity rule dictates that organisations assume their technology is vulnerable until proven otherwise, but despite proven vulnerabilities and a demonstrative lack of security, manufactures and officials have not improved e-voting systems.

‘Easily exploitable voting machines will continue to plague the democratic process so long as manufacturers are able to profit from and covertly obfuscate the vulnerabilities inherent within electronic voting systems.’

However, ICIT says attackers of the democratic process aren’t just limited to election machines.

‘Catastrophically disrupting the campaign of just about any political candidate can be done with little more than a DDoS attack on fundraising links and web properties, spam widgets on social media platforms, an insider threat who delivers a malicious payload on a USB drive or unsuspectingly by clicking a link in a spear phishing email, and a ransomware variant to encrypt important donor lists to further cripple fundraising.’

A skilled cybercriminal could essentially create a network of spoofed sites to confuse voters, and this is just the beginning according to ICIT.

‘By combining attack vectors and layering attacks, an adversary can manipulate the democratic process by inciting chaos, imbuing suspicion, or altering results.’

Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.
One Identity named Leader in PAM and IAM by KuppingerCole
KuppingerCole lead analyst Anmol Singh evaluated the strengths and weaknesses of 20 solution providers in the PAM market for the report.
Healthcare environments difficult to secure - Forescout
The convergence of IT, Internet of Things (IoT) and operational technology (OT) makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks.