Story image

Want to cause chaos? ICIT says hacking elections is easy

07 Aug 17

​Following the news that hackers at the DEFCON “Voter Village” were able to exploit vulnerabilities in voting machines in a matter of minutes, ICIT has drawn attention to its alarming report that details just how easy it really is to exploit vulnerabilities in voting machines and hack elections.

‘Hacking Elections is Easy! Part One: Tactics, Techniques, and Procedures’ delves into the problems we’re currently facing at almost every modern election.

To hack an election, the report states, a criminal doesn’t need to go through the effort of exploiting a national network of election technology, but instead can simply focus on the machines in swing regions of swing states to hack the election without drawing considerable notice.

According to ICIT, voter machines are so riddled with vulnerabilities that ‘even an upstart script kiddie could wreak havoc on a regional election, a hacktivist group could easily exploit a state election, an APT could effortlessly exploit a national election and any corrupt element with nothing more than the ability to describe the desired outcome could order layers of exploits on any of the multitude of deep web forums and marketplaces.’

Despite maintaining an illusion of security based on the semblance of complexity, the report asserts voting machines are neither secure or complex as in reality these stripped down computers utilise outdated operating systems and possess virtually every conceivable vulnerability that a device can have.

ICIT affirms the fundamental cybersecurity rule dictates that organisations assume their technology is vulnerable until proven otherwise, but despite proven vulnerabilities and a demonstrative lack of security, manufactures and officials have not improved e-voting systems.

‘Easily exploitable voting machines will continue to plague the democratic process so long as manufacturers are able to profit from and covertly obfuscate the vulnerabilities inherent within electronic voting systems.’

However, ICIT says attackers of the democratic process aren’t just limited to election machines.

‘Catastrophically disrupting the campaign of just about any political candidate can be done with little more than a DDoS attack on fundraising links and web properties, spam widgets on social media platforms, an insider threat who delivers a malicious payload on a USB drive or unsuspectingly by clicking a link in a spear phishing email, and a ransomware variant to encrypt important donor lists to further cripple fundraising.’

A skilled cybercriminal could essentially create a network of spoofed sites to confuse voters, and this is just the beginning according to ICIT.

‘By combining attack vectors and layering attacks, an adversary can manipulate the democratic process by inciting chaos, imbuing suspicion, or altering results.’

Disruption in the supply chain: Why IT resilience is a collective responsibility
"A truly resilient organisation will invest in building strong relationships while the sun shines so they can draw on goodwill when it rains."
Businesses too slow on attack detection – CrowdStrike
The 2018 CrowdStrike Services Cyber Intrusion Casebook reveals IR strategies, lessons learned, and trends derived from more than 200 cases.
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.