Story image

Want to cause chaos? ICIT says hacking elections is easy

07 Aug 17

​Following the news that hackers at the DEFCON “Voter Village” were able to exploit vulnerabilities in voting machines in a matter of minutes, ICIT has drawn attention to its alarming report that details just how easy it really is to exploit vulnerabilities in voting machines and hack elections.

‘Hacking Elections is Easy! Part One: Tactics, Techniques, and Procedures’ delves into the problems we’re currently facing at almost every modern election.

To hack an election, the report states, a criminal doesn’t need to go through the effort of exploiting a national network of election technology, but instead can simply focus on the machines in swing regions of swing states to hack the election without drawing considerable notice.

According to ICIT, voter machines are so riddled with vulnerabilities that ‘even an upstart script kiddie could wreak havoc on a regional election, a hacktivist group could easily exploit a state election, an APT could effortlessly exploit a national election and any corrupt element with nothing more than the ability to describe the desired outcome could order layers of exploits on any of the multitude of deep web forums and marketplaces.’

Despite maintaining an illusion of security based on the semblance of complexity, the report asserts voting machines are neither secure or complex as in reality these stripped down computers utilise outdated operating systems and possess virtually every conceivable vulnerability that a device can have.

ICIT affirms the fundamental cybersecurity rule dictates that organisations assume their technology is vulnerable until proven otherwise, but despite proven vulnerabilities and a demonstrative lack of security, manufactures and officials have not improved e-voting systems.

‘Easily exploitable voting machines will continue to plague the democratic process so long as manufacturers are able to profit from and covertly obfuscate the vulnerabilities inherent within electronic voting systems.’

However, ICIT says attackers of the democratic process aren’t just limited to election machines.

‘Catastrophically disrupting the campaign of just about any political candidate can be done with little more than a DDoS attack on fundraising links and web properties, spam widgets on social media platforms, an insider threat who delivers a malicious payload on a USB drive or unsuspectingly by clicking a link in a spear phishing email, and a ransomware variant to encrypt important donor lists to further cripple fundraising.’

A skilled cybercriminal could essentially create a network of spoofed sites to confuse voters, and this is just the beginning according to ICIT.

‘By combining attack vectors and layering attacks, an adversary can manipulate the democratic process by inciting chaos, imbuing suspicion, or altering results.’

How to stay safe when shopping online
Online shopping is a great way to avoid the crowds – but there are risks.
Dell EMC embeds security in latest servers
Dell EMC's 14th generation of PowerEdge servers has comprehensive management tools to provide security across hardware and firmware.
Why data backups should be a part of daily operations
"Disaster recovery needs to address complete system failure and provide a set of security policies to govern disaster incidents."
Businesses focusing on threats from within - survey
Over 50% of respondents reported that 100 days of dwell time or more was representative of their organisation.
Corelight and Exabeam partner to improve network monitoring
The combination of lateral movement and siloed usage of point security products leaves many security teams vulnerable to compromise.
SailPoint releases first identity annual report
SailPoint’s research found that many organisations are lacking maturity in their governance processes over identities.
Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.