Online Attacker Attempts First US e-Voting Hack
The first known attempted hack of a US election occurred in the 2012 primary in Miami-Dade County, Florida, last year, according to researchers
In the first known example of an attempt to hack a US election, an online attacker took advantage of the lax security surrounding the online process of requesting absentee ballots in the 2012 primary in Miami-Dade County, Florida, to order more than 2,500 ballots.
The scheme could have actually worked if it was done with more skill, stated a grand jury report released in December, but whose findings only recently came to light.
Online security dangers
Although the attack failed to affect the election’s outcome, it succeeded in verifying the dangers of election processes that allow voters to cast their ballots via email over the Internet.
While voting irregularities have cropped up in numerous US elections, no known hack of a live election has been attempted, said David Jefferson, computer scientist at Lawrence Livermore National Laboratory and a member of the board of directors of Verified Voting and the California Voter Foundation.
“There have been many demonstrations of how to do it, but this is the first one that we know of, in the United States, in a real election, where an actual technical attack was perpetrated. So it’s a big deal for that reason,” he said. “It shows that there are people somewhere with the motivation and the technical capability to pull something like this off.”
Known nationally for the “hanging chad” controversy that resulted in the invalidation of many votes during the closely contested 2000 presidential election, Florida now has the dubious honour of being the first state to have confirmed an attempt to hack an actual election. As a result of rumoured absentee ballot fraud in the 14 August, 2012 elections, a grand jury was impanelled to investigate the allegations.
The grand jury found that the company hired by the Miami-Dade County elections department to create and monitor the voter registration system became suspicious when more than 2,500 online requests appeared at nearly the same time.
Overseas proxies
Requests came from a group of overseas proxies, or anonymisers, that hid the actual source of the traffic. The scheme would have succeeded except for the attacker’s use of IP addresses in Ireland, England and India, along with the fact that the requests for ballots came in faster than a human could input the data.
The report clearly stated that the system’s basic security measures did nothing to stop the attacker.
“The security of the online absentee ballot request systems is very low as there are no user-specific log-ins or passwords required by the voter requesting a ballot,” according to the grand jury report.
Security upgrade
As a result of the incident, the grand jury recommended that Miami-Dade County’s election department upgrade the website to require that voter’s log in to a secure site using a username and password. While such a system could be attacked to get access to each user’s account, the security measures would make wholesale fraud involving thousands of votes more difficult.
Election officials should also understand that Internet voting is inherently insecure, LLNL’s Jefferson said. The incident shows that US elections must tread carefully on how the Internet is used to augment the election process, he said.
“In the precinct voting situation, where people vote in person using a piece of paper or voting machine, I think the country is moving in the right direction,” Jefferson said. “The converse trend, toward Internet voting, is huge and much worse. We really can’t go to Internet voting now or any time in the near future.”
What do you know about IT in Russia? Take our quiz.
Originally published on eWeek.