With Donald Trump already talking about the presidential election being rigged, Symantec has set up a simulated voting station that shows how electronic systems might be hacked to alter actual vote tallies for just a few hundred dollars.
They found that while it’s possible to change the number of votes cast for each candidate, it would be very difficult to do so on a large enough scale to swing the election one way or the other.
However, enough machines in random precincts could be provably compromised so that general public confidence in the official outcome would be undermined, says Samir Kapuria, Symantec’s senior vice president for cyber security.
Using a voting-machine simulator that contains an aggregate of known vulnerabilities from real-world voting machines and some that Symantec found itself, Kapuria demonstrated several ways attackers could taint voting results.
Symantec researcher Brian Varner says U.S. representatives and senators have contacted him to learn about the vulnerabilities and exploits, with the goal of figuring out how to better secure voting.
Varner says standards are needed for computerized voting systems sold in the U.S. in order to beef up security. ATMs, which are analogous to voting machines, have such standards because they serve a single industry that built consensus around them.
Electronic voting is open to a range of exploits, from a lack of encryption to Wi-Fi connectivity and the physical integrity of the devices, he says.
It’s a difficult problem, though, because elections are set up by individual states that don’t necessarily want to give up authority over what systems they use. This summer, the secretary of state in Georgia turned down a Department of Homeland Security offer to help secure its voting system, saying it was a federal power grab.
Other security experts are concerned as well. Bruce Schneier, for one, has written urgently for action before this fall’s election.
“But while computer security experts like me have sounded the alarm for many years, states have largely ignored the threat, and the machine manufacturers have thrown up enough obfuscating babble that election officials are largely mollified,” he writes.
“We no longer have time for that. We must ignore the machine manufacturers’ spurious claims of security, create tiger teams to test the machines’ and systems’ resistance to attack, drastically increase their cyber-defenses and take them offline if we can’t guarantee their security online.”
Symantec’s research supports his worries. In addition to being a relatively inexpensive undertaking – just several hundred dollars, Kapuria says – hacking the voting system isn’t that difficult. Varner says it would take someone with a lot of focus and a skill set of seven out of 10, with one being a person who carries out compromises by Googling instructions and blindly following them.