In a few hours’ time, western democracy – perhaps even world peace – will be at the mercy of vulnerable code in black boxes on dilapidated bare bones PCs with virtually zero endpoint security, otherwise known as e-voting machines. Security experts are warning that the combination of a highly polarised contest and obsolete information technology make domestic or foreign cyber attacks on tomorrow’s US presidential and other elections a near certainty. The warning comes from the US Institute for Critical Infrastructure Technology, which in the second part of its devastating investigation “Hacking elections is easy” details specific weaknesses in the electronic voting systems widely installed with federal funding after 2002. “Electronic voting manufacturers operate without sufficient accountability, oversight, and governance. Rather than produce robust, secure systems, they distribute bare bones proprietary systems with less native security than a cheap cell phone.” According to the report, state voter registration systems have already been compromised at least twice.
On 28 June this year, the FBI notified the cyber response team at the Arizona Department of Administration that credentials related to the voter registration system had been compromised. Upon investigation, malware was discovered on a vounty computer. The compromised database contains the name, address, date of birth, phone number, email and party affiliation of the more than 3 million registered voters in Arizona.
… Meanwhile, and perhaps even more worrying, “white hat” attacks on many of the most widely installed vote-counting machines show elementary weaknesses. In one Windows XP-based system, the attack “succeeded without any level of sophistication, though many of the individual exploits failed because the target system was too old for them to run… researchers targeted the unencrypted Microsoft Access database that stores ballot information and the results. The password ‘shoup’, used for all database files, was discovered in approximately ten seconds.”
In another, “passwords were weak and standardized across machines. Wireless traffic was intercepted in less than two minutes, and the weak WEP communications key was rapidly compromised using open source tools.” A system used in almost 900 jurisdications has “almost no security” and is “susceptible to internal software bugs and external attacks”.
Full Article: World’s fate hangs on dubious election technology.