Election hacking has become a key topic during this year's presidential elections, more so now that candidates and voters are being actively targeted by actors that are assumed to be acting with Russian support.
In this modified edition of CSO Online's Hacked Opinions series, we explore the myths and realities of hacking an election, by speaking with a number of security experts.
Q: Can the national election really be hacked? If so, how?
"It’s unlikely that the national election could really be hacked to alter the outcome. Voter registration databases have recently proven vulnerable, but adding, modifying, or deleting records doesn’t produce the intended effect (changed outcome); it just raises questions about the integrity of the database on election day," said Levi Gundert, CP of Intelligence and Strategy, Recorded Future.
So if the desired result is tampering, or to call into question the integrity of the system itself, Gundert added, then it’s possible to "hack" a national election, "especially if a majority of voter registration databases were compromised."
Such a task could be accomplished remotely from the internet (as we’ve recently seen in Arizona and Illinois), or by an insider.
Based on state information provided by BallotPedia, the precincts in swing states like Florida that use Direct Recording Electronic (DRE) systems without a paper trail are the only ones that are even remotely problematic, Gundert explained.
"DRE systems are computers so there’s multiple ways to attack them, especially if you have access to components early in the supply chain. However, if the operating system and application hasn’t yet been tampered with, then remote access via the internet on election day is highly unlikely because these systems won’t be connected to the internet."
But, if an attacker has physical access to DRE systems, then additional hardware (Bluetooth, WiFi, GSM, CMDA, etc.) could be added to allow for remote access at a later time, "but again, the scale of hardware additions needed would be impractical," Gundert said.
Should the vulnerabilities in voting machines surprise anyone though? Alex Rice, CTO and co-founder of HackerOne, pointed out that slot machines currently undergo more security assurance and regulation than voting machines.
"The fact that voting machines are vulnerable shouldn't be a surprise to anyone, all technology has been proven vulnerable and these computer systems are no different. Voting computers have not been subjected to basic security best practices such as third-party source code review, vulnerability disclosure, and any level of transparent peer review that a critical system should undergo before they are depended on by our democracy.
Q: What about local elections? Are they the easier target? If so, how can they be hacked?
Sign up for CIO Asia eNewsletters.