Categories: SecurityWorkspace

Online Attacker Attempts First US e-Voting Hack

In the first known example of an attempt to hack a US election, an online attacker took advantage of the lax security surrounding the online process of requesting absentee ballots in the 2012 primary in Miami-Dade County, Florida, to order more than 2,500 ballots.

The scheme could have actually worked if it was done with more skill, stated a grand jury report released in December, but whose findings only recently came to light.

Online security dangers

Although the attack failed to affect the election’s outcome, it succeeded in verifying the dangers of election processes that allow voters to cast their ballots via email over the Internet.

While voting irregularities have cropped up in numerous US elections, no known hack of a live election has been attempted, said David Jefferson, computer scientist at Lawrence Livermore National Laboratory and a member of the board of directors of Verified Voting and the California Voter Foundation.

“There have been many demonstrations of how to do it, but this is the first one that we know of, in the United States, in a real election, where an actual technical attack was perpetrated. So it’s a big deal for that reason,” he said. “It shows that there are people somewhere with the motivation and the technical capability to pull something like this off.”

Known nationally for the “hanging chad” controversy that resulted in the invalidation of many votes during the closely contested 2000 presidential election, Florida now has the dubious honour of being the first state to have confirmed an attempt to hack an actual election. As a result of rumoured absentee ballot fraud in the 14 August, 2012 elections, a grand jury was impanelled to investigate the allegations.

The grand jury found that the company hired by the Miami-Dade County elections department to create and monitor the voter registration system became suspicious when more than 2,500 online requests appeared at nearly the same time.

Overseas proxies

Requests came from a group of overseas proxies, or anonymisers, that hid the actual source of the traffic. The scheme would have succeeded except for the attacker’s use of IP addresses in Ireland, England and India, along with the fact that the requests for ballots came in faster than a human could input the data.

The report clearly stated that the system’s basic security measures did nothing to stop the attacker.

“The security of the online absentee ballot request systems is very low as there are no user-specific log-ins or passwords required by the voter requesting a ballot,” according to the grand jury report.

Security upgrade

As a result of the incident, the grand jury recommended that Miami-Dade County’s election department upgrade the website to require that voter’s log in to a secure site using a username and password. While such a system could be attacked to get access to each user’s account, the security measures would make wholesale fraud involving thousands of votes more difficult.

Election officials should also understand that Internet voting is inherently insecure, LLNL’s Jefferson said. The incident shows that US elections must tread carefully on how the Internet is used to augment the election process, he said.

“In the precinct voting situation, where people vote in person using a piece of paper or voting machine, I think the country is moving in the right direction,” Jefferson said. “The converse trend, toward Internet voting, is huge and much worse. We really can’t go to Internet voting now or any time in the near future.”

What do you know about IT in Russia? Take our quiz.

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

TikTok ‘Halts E-Commerce Expansion Plans’

TikTok reportedly scraps plans to expand TikTok Shop livestream commerce in Europe and US after…

2 hours ago

European Parliament Passes Landmark Tech Regulations

European Parliament votes to adopt Digital Markets Act and Digital Services Act, but campaigners warn…

3 hours ago

Indian Economic Police Raid Offices Of Smartphone Maker Vivo

Indian economic crime agency Enforcement Directorate raids dozens of locations across India belonging to China's…

5 hours ago

French Music Service Deezer Slumps On Market Debut

Spotify and Apple Music competitor Deezer falls below opening price after long-delayed IPO in Paris…

5 hours ago

Foxconn Expects Stronger Sales In Spite Of Economic Gloom

iPhone manufacturer Foxconn revises full-year expectations upward amidst strong consumer and data centre demand, bucking…

6 hours ago

Samsung ‘To See Profits Jump’ On Data Centre Demand

Industry analysts expect Samsung's profits to jump 15 percent for the second quarter as strong…

7 hours ago