Symantec explains how a $15 device can hack the U.S. presidential elections
Cyber security firm Symantec has revealed three easy ways an attacker could ‘hack’ into the upcoming Clinton versus Trump election for just $15 by using Raspberry Pi-like device.
“To get started, we purchased actual direct-recording electronic (DRE) voting machines off an online auction site and other equipment to simulate a real-world voting system,” said Symantec.
The company claims that their research discovered “three easy ways an attacker with the right level of intelligence and motivation could erode the trust that American citizens have in their election process.”
So, how did Symantec simulate the U.S. presidential election hack?
Generally, during a voting process, voters use a chip card to cast their votes that are handed over to them while entering polling stations that use electronic voting machines. Once someone has voted, the same card is re-used by the next voter.
In this situation, a hypothetical hacker by using a simple, inexpensive device could re-programme the chip card used by voters to cast their ballot, Symantec said.
“Just like credit cards, these cards are like a computer with their own RAM, CPU and operating system. Which means they can be exploited like any computing device,” the company said in a statement.
“In examining the election process for vulnerabilities, we discovered that there’s an opportunity for a hacker to modify the code put on a voter’s chip card. There was no form of encryption on the internal hard drive of the voting machines we purchased, which were running an outdated operating system to display the ballots and record votes,” said Symantec.
“Anyone who knows how to programme a chip card and purchases a simple $15 Raspberry Pi-like device, could secretly reactivate their voter card while inside the privacy of a voting booth. We found a card reader that fits neatly into the palm of our hand and used it to reset our fake voter chip cards two different ways,” Symantec claimed.
In the first method, Symantec had reset the card to allow someone to vote multiple times on the same chip card, while in the second method, they programmed the card to allow that card to vote multiple times.
In both the methods, that attacker is filling the digital ballot box and casting doubt in the validity of the results from that polling station.
Symantec claimed to have discovered that there was no form of encryption on the internal hard drive of the voting machines that it had purchased. According to the company, the lack of full disk encryption on the internal hard drive (as well as the external cartridges) presents opportunities for hackers to reprogram and alter ballots.
“Potential hackers would also be unhindered by the voting machine’s lack of internet connectivity. Some types of malware, such as Stuxnet, can take advantage of air-gapped networks and vector through physical access to a machine. The lack of full-disk encryption on the DRE machine makes it easily exploitable, requiring only a simple device to reprogram the compact hard drive,” the company emphasized.
All the votes are registered in the voting and attackers could compromise the truthfulness of the voting data by manipulation of cartridges as these storage cartridges function like a USB drive, in which it stores data in plain text with no embedded encryption. A hacker could easily add false votes onto the cartridge or rewrite vote information to alter the outcome.
However, these vulnerabilities can easily be fixed by installing security software at all points of the process, Symantec said.