Conspiracy theorists who think someone tampered with the 2016 U.S. election may actually have a case. The level of security on U.S. voting machines — or lack thereof — is practically an invitation to cyberhackers to tamper with election results, upload malicious software or compromise voter data.
Attendees at the annual hacking conference DefCon were able to crack into two dozen machines, representing five different voting machine models, using just basic computer security and reverse-engineering skills. The first system to cave was cracked in just 80 minutes.
There was no “master hack” that worked on every system. Still, the ease with which these friendly hackers were able to compromise the machines is alarming, since less-friendly hackers could surely achieve the same results with the same minimal effort.
The Parallax notes the DefCon “village” experiment was the first coordinated, research-based assault on electronic voting machines (EVMs) in the U.S. since 2007. That was 10 years ago, people. Are we really surprised that these machines — whether older, degraded models or newer, poorly-tested ones — are more vulnerable than they should be?
Why Was It So Easy?
Poorly-secured WiFi enabled hackers to remotely access some machines, while techies were able to leverage hard-coded default passwords — a weakness many consumer IoT devices share — in others.
As WatchGuard information security analyst Marc Laliberte previously told PYMNTS, this massive Achilles heel is the result of internet-enabled devices running an off-the-shelf, unencrypted version of Linux. Cybercriminals can leverage that vulnerability to seize control of everything from consumer video cameras and security equipment to DVRs, routers to refrigerators.
Laliberte said cybercriminals’ goal isn’t to spoil the food in a smart fridge, but rather to claim the IoT device as a member of a botnet — and potentially it to use to access other devices on a network and add them to the botnet. A botnet is essentially an army of IP addresses which can be used to flood a server, resulting in a distributed denial of service (DDoS) — multiple botnet-compromised networks attacking a target network.
Of course, hackers who specifically target voting machines likely have a different goal. The repercussions of their success could be much more long-term if they manage to alter the outcome of a major election, as many claim was the case in the 2016 presidential election.
Many of the vulnerabilities “discovered” by DefCon were indeed 10 years old, confirmed Finnish computer programmer Harri Hursti, who has been investigating security flaws in voting machines since 2005.
So, why the lack of progress? Parallax noted it’s partly because EVM security research has only been legally protected since 2015, and also partly because EVM vendors don’t like to let independent scientific researchers dig around inside their products. After the 2016 presidential election raised red flags over potential voting machine manipulation, DefCon finally took the initiative to build its EVM hacking village to test the theory’s plausibility.
The IoT Cybersecurity Improvement Act of 2017
The hacking village demonstrated that plausibility so overwhelmingly that a bipartisan group of senators — two members of which attended DefCon in person — has introduced a bill to better regulate and secure IoT devices, particularly those used by the government.
Reuters reported that the bill would require vendors of internet-connected equipment to ensure their products can be patched, and that they conform to industry security standards when selling to the U.S. government. It also stated devices with hard-coded passwords or known security vulnerabilities could no longer be sold to government entities. Meanwhile, good-faith cyber researchers would find expanded protections should they attempt to hack these devices in search of bugs and vulnerabilities.
A botnet comprised of insecure webcams, digital recorders and other IoT devices successfully knocked down Twitter, PayPal, Spotify and others in a massive DDoS attack last October. Without new legislation and security standards, what’s to stop hackers from doing the same thing again, or worse?
Response To The Proposed Bill
Many praised the bill, introduced by Senators Mark Warner (Democrat, Virginia) and Cory Gardner (Republian, Colorado) on Aug. 1 and sponsored by Senators Steve Daines (Republican, Montana) and Ron Wyden (Democrat, Oregon). However, critics think that the IoT Cybersecurity Improvement Act of 2017 doesn’t do enough.
DarkReading called it “well-intentioned” but “hard to enforce.”
The blog Stacey On IoT notes that, while it’s good for the government to talk about IoT security, the bill does nothing for consumers or enterprises — and really doesn’t do very much for the government, either. It simply mandates updates and protecting ethical hackers.
The American Enterprise Institute (AEI) thinks the draft contains ambiguities which could result in unintended consequences — and curb the bill’s effectiveness — if left unaddressed.
AEI suggests the senators must clarify what they mean by “internet-connected device” — does this include general purpose laptops, tablets and phones bought by the government? — and better define the scope of research exemptions. Do those exemptions cover freelance researchers who happen to be studying the same kind of device that the government is buying, or only those researchers who have been contracted by the government?
Revisions aside, AEI concluded the bill was sound and its provisions reasonable rather than onerous. “It is much more likely to do good than harm,” according to the institute.