by James Scott, Sr. Fellow, ICIT and Drew Spaniel, Fellow, ICIT
‘Clunky as Heck’ and Security via Obscurity Create Only an Illusion of Secure Elections
“Election Officials, consider your voting machines, networks and tabulators infected until you’ve forensically proven otherwise.” James Scott, Senior Fellow, ICIT
The first step to correcting the plague of cyber-kinetic vulnerabilities riddling our election system is to admit these problems exist, then bring in qualified personnel to expediently patch vulnerabilities, upgrade technologies and erect cyber defenses around the perimeters of targeted technologies such as manufacturer updates, voting machines and scanners, state websites, state servers and local and state tabulators. This quick blog post is a last attempt by cybersecurity experts to influence local and state election officials to patch the listed vulnerabilities existing within their space that could hinder the natural outcome of the election process. Figure 3 in this post is a checklist for state officials to use when analyzing their networks for vulnerabilities pre-election.
The results of the 2016 elections will decide the next President of the United States, majority control of the Senate, the potential to appoint up to four Supreme Court justices, and numerous state and local level positions. While political tensions and opinionated discourse run rampant in the days before the election, it is paramount to the continued solidarity of the United States of America that the integrity of the election process remains demonstrably uncompromised. Election systems are vulnerable at the local, state, and manufacturer level. The decentralization of the U.S. election system offers no benefit to security. The fallacy of the decentralization argument is the conclusion that because systems are not networked at the state level, the result of the national election cannot be affected. This simply is not the case. All decentralization means is that while some states secure election systems to various degrees according to the modern threat landscape, other states barely secure systems at all. Security through obscurity is not a defense. As discussed in the Hacking Elections is Easy! report series, an adversary who targets local machines in a pivotal county of a swing state, or who targets a state tabulation system directly, can significantly impact the results of a national election through the results of the target state. Local and state level election systems are vulnerable to exploitation due to black-box proprietary code, exploitable features and insecure design, vulnerable removable media, interconnectivity, and antiquated cybersecurity strategies. With mere days before Election Day, state and local election officials have limited options available to mitigate a tide of partisan backlash and allegations of fraudulent results.
In the Short Term, Local Level Compromises can be Mitigated by Increasing Cyber-Hygiene:
State and local election officials have limited resources, a limited number of personnel trained in cybersecurity and cyber-hygiene, and a limited number of options to increase the security, transparency, resiliency, and integrity of the election system before Election Day. At the local level, the direct recording electronic (DRE) and optical scanning (OpScan) voting systems are nothing more than rushed-to-market vendor applications built without security-by-design principles, operating on stripped down personal computers that lack any form of native security or layered defense, and that are roughly a decade out of date. Every one of these systems exhibits major security flaws ranging from exploitable open ports to insecure remote connections to vulnerable removable media, as shown in Figure 1. Script kiddies, self-radicalized lone wolf threat actors, or nation state APTs can infect local level systems with malware through their exploitable ports and connections, through undisclosed flaws in their black-box proprietary code, by infecting vulnerable removable media, or by poisoning vendor updates with malware. The most efficient and most probable attack vectors against local level machines are compromising removable media and poisoning a vendor update. Removable media, which includes memory cards, USB drives, and other forms of memory, can be infected with malware by an insider threat or by physically tampering with the device on Election Day.
In the short term, local level officials can protect machines from compromise via infected removable media by training their volunteers and personnel in cyber-hygiene, by closely monitoring all personnel, by securing removable media with tamper evident seals in conjunction with requiring personnel to interact with machines and removable media in pairs, by securing machines at their storage sites, and by hiring an objective testing authority to conduct penetration testing on a random sample of machines to test for indicators of compromise, suspicious behavior, or the fractionalization of votes. An adversary would poison a vendor update by compromising the vendor systems or update server, or by posing as an insider threat within the organization. To mitigate this attack vector, local officials should not allow any updates to be installed on the system until after Election Day.
In the Short Term, State Level Compromises can be Prevented by Focusing on Cyber-Security:
As depicted in Figure 2, state election officials are responsible for securing their websites, servers, internet-enabled PCs, election management systems, and most importantly, the state tabulators that are used to aggregate the results of local level precincts. Recently, cyber-adversaries have targeted state election registration websites and state servers in order to exfiltrate voter registration databases and to install malware on the network. Voter registration information can be sold on Deep Web marketplaces for identity theft or aggregated with other stolen and publicly available information to create robust victim dossiers. These assets are vulnerable due to poor access controls and a lack of layered security. State officials can hire objective cybersecurity professionals or accept the federal assistance offered by DHS and the FBI to secure these assets. The most efficient vector to impact an election is to target the central tabulator. The primary defense around the tabulator is an air gap, which has not hindered the spread of sophisticated malware since 2006. The state tabulator can be compromised through a poisoned vendor update, through infected local level removable media, through USB and other connections to state PCs, and through remote connections established for vendor and contractor management of the system on Election Day. In the short time before Election Day, state officials can mitigate attacks against the tabulator by refusing vendor updates, by disconnecting management connections, by scanning local level media for infection, by prohibiting any exchange of data with state PCs, and by hiring cybersecurity professionals to conduct a comprehensive audit, scan, and penetration test of the tabulator and to search for indicators of compromise or for signs of vote fractionalization.
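The two preceding sections recommend scanning local level removable media before it reaches a tabulator and refusing unverified updates. One concrete, low-cost control that supports both is an integrity manifest: hash every file on a known-good copy of the media at preparation time, store the manifest off the media, and compare the media against it on receipt so that any modified, added, or missing file is flagged before the data is loaded. The following is an added example written for this post; it is not ICIT's code nor any vendor's tooling, and the file names (ballot_definition.xml, results/precinct_01.dat, autorun.inf) are constructed sample names, not the layout of any real voting system's media.

```python
"""Integrity manifest check for removable election media (added example).

Assumptions (not from the original post): the media is mounted as a directory,
the known-good manifest was produced from a trusted copy before distribution,
and the manifest itself is kept off the media (ideally signed) so an attacker
who alters the media cannot also alter the baseline.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify_media(root, baseline):
    """Compare the media at root against a known-good manifest.

    Returns a dict of findings: files whose content changed, files that were
    not on the trusted copy, and files that have disappeared. Any non-empty
    list means the media must be quarantined rather than loaded.
    """
    current = build_manifest(root)
    findings = {"modified": [], "added": [], "missing": []}
    for rel_path, expected in baseline.items():
        if rel_path not in current:
            findings["missing"].append(rel_path)
        elif current[rel_path] != expected:
            findings["modified"].append(rel_path)
    for rel_path in current:
        if rel_path not in baseline:
            findings["added"].append(rel_path)
    return findings


def media_is_clean(findings):
    """True only when no file was modified, added, or removed."""
    return not any(findings.values())


def demo():
    """Build constructed sample media, baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        # Constructed sample contents standing in for real election media.
        (media / "ballot_definition.xml").write_bytes(b"<ballot/>")
        (media / "results").mkdir()
        (media / "results" / "precinct_01.dat").write_bytes(b"000000")

        baseline = build_manifest(media)
        assert media_is_clean(verify_media(media, baseline))

        # Simulated tampering between preparation and receipt: an altered
        # result file, an unexpected new file, and a deleted definition file.
        (media / "results" / "precinct_01.dat").write_bytes(b"999999")
        (media / "autorun.inf").write_bytes(b"[autorun]")
        (media / "ballot_definition.xml").unlink()

        return verify_media(media, baseline)


if __name__ == "__main__":
    result = demo()
    print("clean" if media_is_clean(result) else f"QUARANTINE: {result}")
```

In practice the manifest would be generated on an isolated preparation workstation, stored with the chain-of-custody record rather than on the card, and the check would run on a dedicated scanning station before the media ever touches the tabulator; a hash mismatch is then an indicator of compromise to be investigated alongside the tamper-evident seal log, not a condition to be "fixed" by re-copying the data.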
Local and state officials can also increase trust in the system by prohibiting “vigilante poll watching” (which could distract personnel from recognizing insider threats), by publishing real-time accounts of precinct and state results, and by conducting either multiple basic result audits or full audits of all elections.
After Election Day, Replace Black-Box Proprietary Systems with Transparent and Secure Systems:
Electronic election systems were not built with security-by-design and will consequently need to be replaced in the long term. It is important to remember that reverting to the wholly paper ballot system is not an ideal alternative because the paper system was actually more inefficient and insecure than the current electronic machines. Instead, to improve the integrity and resiliency of election systems, the dilapidated electronic voting systems that rely on black-box proprietary code can be replaced by modern, transparent, and trusted systems that incorporate the principles of resiliency, security-by-design and layered defenses. Election personnel can be trained in cybersecurity and cyber-hygiene so that threats can be mitigated and so that the local and state levels are less reliant on vendors, contractors, and consultants. Election machines will need to be better secured in storage to prevent unauthorized access. Objective cybersecurity professionals can conduct regular penetration tests on the systems to ensure that the machines do not have exploitable ports or connections, that the machines remain free of malware, and that the machines do not exhibit any suspicious operations, such as the fractionalization of votes.
These Problems Do Not Disappear on November 8, 2016:
An air gap is never a defense. ‘Clunky as heck’ means more maneuvering space for hackers, who thrive in the habitat provided by chaos. And there are two types of organizations: those who have already been breached and those who have been breached but haven’t realized it yet; what makes the local, state and national election system any different? It’s time to replace security theater with meaningful layers of cyber-kinetic security that can thwart the stealth and sophistication of the actors participating in this hyper-evolving threat landscape that is targeting election systems.
Figure 2: State Election System Threat Landscape
Figure 3: Example Local and State Attack Chains
| Level | Target | Weakness | Attack Vector | Example |
|---|---|---|---|---|
| Local | DRE/OpScan System | Exploitable Open Ports | Insider Threat | Infected Removable Media, Logic Bombs, etc. |
| Local | DRE/OpScan System | Lack of Native Security | Physical Disruption | Repeated Voting, Reset of Machine, etc. |
| Local | DRE/OpScan System | Vulnerable Removable Media | Physical Access | Insertion of Foreign Memory, Infection of Removable Media, Corruption of Data |
| Local | DRE/OpScan System | Reliance on Vendor/Consultant | Code Injection | Poisoned Update from Manufacturer Server |
| State | Central Tabulator | Antiquated Air-Gap Defense | Sophisticated Malware | Win32/USBStealer (2005), Sofacy (2007), Stuxnet (2010), Uroburos (2011) |
| State | Central Tabulator | Antiquated Air-Gap Defense | Code Injection | Poisoned Update from Manufacturer Server |
| State | Central Tabulator | Antiquated Air-Gap Defense | Infected Local Level Data | Hursti Attack |
| State | Central Tabulator | Insecure Remote Connection | Compromised External Channel | Man-in-the-Middle Attack, Compromised Election Consultant/Vendor Credentials, etc. |
| State | Central Tabulator | Flawed Black-Box Proprietary Code | Code Injection or Alteration | Fractionalization |
| State | Website | Insecure Code | SQL Injection | Florida State Website Compromise |
| State | Website | Poor Access Controls | Stolen Credentials | Arizona State Website Compromise |
| State | Server | Open Ports | Script Kiddie Tools | Shodan, Nmap, Metasploit, etc. |
| State | Server | Unauthorized Remote Access | Compromise-as-a-Service | Hacker-as-a-Service, Access-as-a-Service |
| State | PCs | Poor Cyber-Hygiene | Social Engineering | Malvertising, Spear-Phishing Emails, Watering-Hole Attacks, Drive-By Downloads, etc. |