The Categorical Threat Landscape to Consider When Reading NASS’ Open Letter to Congress

Authored By: James Scott, Sr. Fellow, ICIT & Drew Spaniel, Researcher, ICIT

On September 26, 2016, the National Association of Secretaries of State (NASS) released an Open Letter to Congress that urged for the informed communication of facts about the security of election systems with the American public. This communique builds upon the NASS letter with open source information described in our Hacking Elections is Easy! Research Report series.

After recent successful cyber-criminal exfiltrations of voter registration databases and recent cyberattacks on political organizations, attributed to Russian state-sponsored advanced persistent threat groups, State election officials are only now beginning to come to terms with the expansive hyper-evolved cyber-threat landscape surrounding United States election systems. Despite their protests that election officials are equipped to handle threats such as cyberattacks in the short and long-run, the inherent vulnerabilities built-into dilapidated black-box proprietary election systems and the substantial deficiency in cyber-hygiene among the personnel that manage elections are insurmountable obstacles without an extensive overhaul of the training and machines used in the election process, and without a considerable investment of resources.

Layers of Physical and Technical Security Insufficient to the Hyper-Evolved Threat Landscape:

Local elections are managed by volunteers with little or no cyber-hygiene training in 9000 precincts and at hundreds of thousands of polling locations across the country. Multiple layers of physical and technical security are in place to ensure the integrity of the election process. However, the layers of security are managed and enforced by non-technical, undertrained personnel, who may not be able to recognize or prevent a threat actor from physically infecting a system with malware that could spread to local components such as the JBC or to the State’s Central Tabulator. Further, some election machines, such as the DS200, iVotronic, eScan, and eSlate have either accessible network ports or rely on a network connection. The vulnerabilities of each voting machine in-use and the locations where it is used are documented in ICIT’s Hacking Elections is Easy! Part 2.

One common soundbite tossed around by defensive election officials is that voting machines are not connected to the internet. This is not always true because even if the individual machine is not directly connected to the internet, it may be connected to a volunteer PC at the JBC, which may have an active connection.  For example, if voting machine A is connected to PC B and B is connected to the internet, the A is also connected to the internet through the network. As such, a remote attacker can inject malicious code into election systems by targeting internet facing systems.

Air-gapped local level machines may be infected via a poisoned vendor update that is installed on the machine by a trusted vendor. There is a history of vendors installing updates days before an election, without prior approval from the state election board, local and state election officials may be unaware of the alteration and possible infection of local election systems. Election systems are physically secured when not in use and public accuracy and performance tests are conducted for objective observers. These measures do not prevent a malicious insider from infecting a system and they do not adequately indicate whether a machine is infected with malware because the conditions of the malware can be programmed to detect spoofed sample elections, can be activated based on time of day, or can be controlled via a number of other variables.

The Lack of a Centralized System is a Risk, Not a Benefit:

If a local election system is infected with malware, then it may infect a state system through its removable media or a network connection. If precinct results are communicated to the state level “over a wire” then the results are susceptible to a man-in-the-middle attack. There is no central point of entry from which an attacker can compromise a national election because there is no centralized National voting system. However, an attacker does not need a central system to impact an election. The lack of a National system just means that some states manage secure election systems while others lack the resources or expertise to do so. Attackers traditionally target the lowest hanging fruit. The lack of a centralized and standardized system of election cybersecurity is akin to the lack of a tree; some fruit will pile atop others, but an attacker only needs to compromise those at the bottom to compromise the integrity of the whole structure.

An attacker only needs to compromise the results of one or two pivotal states in order to alter the results of the election.  Post-election audits are the main failsafe against deliberate manipulation, unintentional software, and hardware or programming issues. Audits are only comprehensive if every single ballot in every single precinct in every single state is recounted and matched to the electronic results. Otherwise, there is room for error and there is room for doubt. If the attacker plans their attack with the audit methodology and statistical model used in the target state, then they can alter the results to be plausible according to the audit, but false in reality.

Sophisticated Attackers Will Target the System Where It Counts:

The highest value target that an attacker could compromise is the state-level vote tabulation system. The NAAS contends that tabulation systems are not connected to the internet. Network air-gaps have not been adequate cyber-deterrents to malware for over a decade. Results, spreadsheets, updates, and other data enters tabulation systems through removable media. Therefore, to compromise a target tabulation system, an attacker just needs to infect removable media or to infect a state level PC and allow the malware to laterally move on its own. If an attacker can compromise state systems and exfiltrate voter registration databases to sell for identity theft on Deep Web marketplaces, then they can infect state PCs with malware capable of crossing the air-gap. Further, some tabulation systems are networked so that vendors or hired  “Election Liaisons” or “Consultants” can remotely manage the systems when the election officials lack the expertise to do so. Additionally, the attacker may not need to infect the system with malware to compromise the election, they may only need access. Some tabulation applications have hidden built-in features capable of fractionalizing votes based on a predetermined desired outcome or on information contained in a voter registration profile. This means that an insider threat or an attacker who compromises a remote connection to a tabulation application can alter the outcome of the election without the use of malware and possibly within the bounds of an audit if the alteration is subtle.

Black-Box Vendor Solutions Only Contain Vulnerabilities and Risk:

The NASS is quick to point out that there is no confirmation that voting results have ever been altered through hacking. In Hacking Elections is Easy! Part 1, ICIT reported that over a decade ago security researchers proved that vendor black-box election systems were extremely vulnerable because they lacked even basic security applications, and that many decade-old vulnerabilities still plague the systems in use. With that evidence in mind, it may be more likely that the reason that no cases of compromise were detected may be that the dilapidated, bare-bones black-box proprietary vendor solutions lack the basic security mechanisms to detect compromise.  More funding is needed to replace election systems at the local and state levels with transparent, penetration tested elections systems that were built with security by design. Questioning the security of the proprietary vendor solutions and of the cyber-expertise of election officials does imbue some doubt into the election process, but it also ensures a more transparent process that proceeds according to the will of the American voters.

Some states have begun to realize that they lack the resources and expertise to adequately address the modern hyper-evolved threat landscape surrounding election systems. The good news is that despite staunch contentions, some states have begun to accept and employ the assistance offered to them by the federal government. These states are conducting extensive testing for cyber threats according to federal agency alerts and EAC best practices.  The majority of states have not accepted federal assistance at the time of this writing.

Hacking an Election is Easy!:

The current election security posture dependent on dilapidated and insecure local, state, and vendor systems does not require sophistication to compromise. As described in Hacking Elections is Easy! Part 2: Psst! Wanna Buy a National Voter Database? Hacking E-Voting Systems Was Just the Beginning, an adversary could easily access Deep Web, purchase a hacker-for- hire or Access-as-a-Service, purchase a 0-day exploit (such as for Windows systems that support most election applications or for Microsoft Excel, which state employees use to design tabulation spreadsheets, often on their internet enabled PCs) and compromise the tabulation system at the state level. While on state systems, the attacker can exfiltrate voter registration information to sell on Deep Web to recoup their costs. During the ICIT investigation for the aforementioned paper, an advertisement on TheRealDeal Market, offered the voter registration database from any state.  As previously mentioned, if the attacker knows how to exploit the fractionalized voting feature hidden in some tabulation software, then they may not need to employ malware to alter or pre-design election outcomes.

At the moment, despite the physical and technical mechanisms in place, hacking elections is easy because the election process relies on election personnel who are undertrained in cyber-hygiene and because it relies on dilapidated black-box proprietary voting systems that are little more than stripped-down unsecured endpoint PCs from over a decade ago. The States need a significant investment in resources, a stringent level of standardization and oversight pertaining to how election cybersecurity is managed, and they need to adopt transparent voting systems that support layered security-by-design.


2017 Forum Banner

Leave a Reply