In the first known example of an attempt to hack a U.S. election, an online attacker took advantage of the lax security surrounding the online process of requesting absentee ballots in the 2012 primary in Miami-Dade County, Florida, to order more than 2,500 ballots. The scheme could have actually worked if it was done with more skill, stated a grand jury report released in December, but whose findings only recently came to light. The attack failed to affect the outcome of the election, but succeeded in verifying the dangers of election processes that allow voters to cast their ballots via email over the Internet. While voting irregularities have cropped up in numerous U.S. elections, no known hack of a live election has been attempted, said David Jefferson, computer scientist at Lawrence Livermore National Laboratory and a member of the board of directors of Verified Voting and the California Voter Foundation.
“There have been many demonstrations of how to do it, but this is the first one that we know of, in the United States, in a real election, where an actual technical attack was perpetrated. So it’s a big deal for that reason,” he said. “It shows that there are people somewhere with the motivation and the technical capability to pull something like this off.”
Known nationally for the “hanging chad” controversy that resulted in the invalidation of many votes during the closely-contested 2000 presidential election, Florida now has the dubious honor of being the first state to have confirmed an attempt to hack an actual election. As a result of rumored absentee ballot fraud in the August 14, 2012 elections, a grand jury was impaneled to investigate the allegations.
The grand jury found that the company hired by the Miami-Dade County elections department to create and monitor the voter registration system became suspicious when more than 2,500 online requests appeared at nearly the same time.
The requests came from a group of overseas proxies, or anonymizers that hid the actual source of the traffic. The scheme would have succeeded except for the attacker’s use of IP addresses in Ireland, England, and India, along with the fact that the requests for ballots came in faster than a human could input the data.
The report clearly stated that the system’s basic security measures did nothing to stop the attacker.