sb-as logo
Story image

Want to cause chaos? ICIT says hacking elections is easy

07 Aug 2017

​Following the news that hackers at the DEFCON “Voter Village” were able to exploit vulnerabilities in voting machines in a matter of minutes, ICIT has drawn attention to its alarming report that details just how easy it really is to exploit vulnerabilities in voting machines and hack elections.

‘Hacking Elections is Easy! Part One: Tactics, Techniques, and Procedures’ delves into the problems we’re currently facing at almost every modern election.

To hack an election, the report states, a criminal doesn’t need to go through the effort of exploiting a national network of election technology, but instead can simply focus on the machines in swing regions of swing states to hack the election without drawing considerable notice.

According to ICIT, voter machines are so riddled with vulnerabilities that ‘even an upstart script kiddie could wreak havoc on a regional election, a hacktivist group could easily exploit a state election, an APT could effortlessly exploit a national election and any corrupt element with nothing more than the ability to describe the desired outcome could order layers of exploits on any of the multitude of deep web forums and marketplaces.’

Despite maintaining an illusion of security based on the semblance of complexity, the report asserts voting machines are neither secure or complex as in reality these stripped down computers utilise outdated operating systems and possess virtually every conceivable vulnerability that a device can have.

ICIT affirms the fundamental cybersecurity rule dictates that organisations assume their technology is vulnerable until proven otherwise, but despite proven vulnerabilities and a demonstrative lack of security, manufactures and officials have not improved e-voting systems.

‘Easily exploitable voting machines will continue to plague the democratic process so long as manufacturers are able to profit from and covertly obfuscate the vulnerabilities inherent within electronic voting systems.’

However, ICIT says attackers of the democratic process aren’t just limited to election machines.

‘Catastrophically disrupting the campaign of just about any political candidate can be done with little more than a DDoS attack on fundraising links and web properties, spam widgets on social media platforms, an insider threat who delivers a malicious payload on a USB drive or unsuspectingly by clicking a link in a spear phishing email, and a ransomware variant to encrypt important donor lists to further cripple fundraising.’

A skilled cybercriminal could essentially create a network of spoofed sites to confuse voters, and this is just the beginning according to ICIT.

‘By combining attack vectors and layering attacks, an adversary can manipulate the democratic process by inciting chaos, imbuing suspicion, or altering results.’

Story image
Commvault expands Metallic SaaS portfolio
Metallic Cloud Storage Service brings together technology from Commvault and Microsoft Azure for security and scale.More
Story image
Fujitsu new tech ensures inter-business data trust
The technology can verify when and by whom the data was created, and whether it has been tampered with, to ensure trusted data exchange.More
Story image
Creating private data regulations for employees
Whether employees are hired on a part-time or full-time basis, everyone must know about data privacy regulations. Everyone needs to be responsible for keeping the organisation’s data secure. More
Story image
Cisco report: Remote working is here to stay, making cybersecurity a top priority
"With this new way of working here to stay and organisations looking to increase their investment in cybersecurity, there’s a unique opportunity to transform the way we approach security as an industry to better meet the needs of our customers and end-users.”More
Story image
Acronis expands global data centre network, including new facilities in NZ
The expansion ensures that the full range of Acronis Cyber Protection Solutions will be available to partners and organisations around the world.More
Story image
New project development inhibited by cybersecurity, Kaspersky research states
"There are still some practical steps that can be taken to make sure that an emerging technology or a product reaches its launch. Cybersecurity doesn’t have to be another corporate barrier, but it should be on an integral part of the project all long."More