Security Firm Shows How to Hack a US Voting Machine

[Petrovic]

Quote

Three days before the US Presidential Election takes place, California-based security firm Cylanceshowed the world how easy is to hack one of the many voting machine models that will be deployed at voting stations across the US on Election Day.

The machine that Cylance researchers chose for their test was the Sequoia AVC Edge Mk1, one of the most popular models.

Attack works by reflashing the voting machine's firmware

To hack the voting machine, researchers said that an attacker would need access to the device. This isn't a problem since most voting machines are offline devices, so most voting machine hacks are offline attacks, which require physical access to the device.

In the video embedded above, the researchers show how easy is to reflash a machine's firmware via a PCMCIA card.

The technique researchers created modifies the Public Counter, but also the Protective Counter, which is a backup mechanism that acts as a redundant verification system to ensure the first vote results are valid.

Voting machines have always been problematic devices

The dangers of hackers altering voting machines has always been on the minds of many Americans, ever since the US government passed the Help America Vote Act (HAVA) in 2002, which freed almost $4 billion in federal funds that states could use to modernize their voting systems.

Most states chose modern, touchscreen-enabled devices, and a gold rush ensued, with many manufacturers hurrying to put out voting machines, which most of the times were improperly designed or tested.

A Politico Magazine editorial from August 2016 details a long list of incidents caused by malfunctioning voting machines and reveals how easy was to hack early voting machine rigs.

Despite woeful setups, nobody has attempted to hack a voting machine until now, and Cylance's research is one of the first attempts to illustrate how a voting machine hack would work.

Previously, researchers have only analyzed the source code of voting machines, and presented theoretical attacks, in a research paper released in 2007.

Should US citizens be worried?

It's been a turbulent two years for the US. The US election process has turned into a dog and pony show with neverending drama and scandals surrounding the two main candidates.

Hacking and cyber-attacks have been one of the main topics of discussion for this year's election. The DNC hack, the DCCC hack, the Guciffer 2.0 persona, the DC Leaks websites, WikiLeaks' meddling, and the scanning and pilfering of voter registration databases have thrown the US media into a frenzy of overblown and apocalyptic headlines.

If readers are worried that the Cylance research spells some kind of doom, don't. US officials have already explained that attacks on the actual voting machines are almost impossible, and not something they fear. If they happen, they'll occur in one or two isolated precints, but not in a coordinated nation-wide attack.

FBI Director James Comey appeared at a House Judiciary Committee hearing in September to answer questions regarding a flash alert his agency sent in June when it warned states that hackers had attempted, and even succeeded in stealing user records from US voter registration databases.

His take on someone attempting to hack actual voting machines and voter registration databases starts at 01:56:50 [quotes below the video].

There have been a variety of scanning activities, which is a preamble for potential intrusion activities, as well as some attempted intrusions at voter registration databases beyond those we knew about in July and August.

We are urging the states just to make sure that their deadbolts are thrown and their locks are on and to get the best information they can from DHS, just to make sure their systems are secure.

And again, these are the voter registration systems. This is very different from the vote system in the United States, which is very very hard for someone to hack into, cause it's so clunky and dispersed. It's Mary and Fred putting a machine under the basketball hoop at the gym. Those things are not connected to the Internet, but the voter registration are.

So we urge the states to make sure you have the most current information, and your systems are tight cause there's no doubt that some bad actors have been poking around.

The US voting system in need of an overhaul

A study by the Brennan Center for Justice released in the autumn of 2015, just when the US Presidential Race was heating up, revealed that there are many states that are using outdated voting machines, or voting machines that went out of production.

As for Cylance, they hope that this first ever demonstration of a real world attack scenario on voting machines triggers a response from US officials.

The company hopes for increased supervision and monitoring of voting machines to limit physical access, so a threat actor can't insert cards or other devices into voting rigs.

In the long term, Cylance hopes that state officials replace outdated and insecure machines, with something that has been vetted by the infosec industry.

 

Article source