American e-voting is vulnerable to hacking, but that doesn’t mean Moscow’s agents hacked Illinois and Arizona voter databases — this time.
When an FBI alert to state election authorities warning them of hacking leaked to the media this week, the result was one of studied panic. Two voter registration databases in Arizona and Illinois had been penetrated, and some experts saw it as confirmation that Russia had escalated its campaign of hacking U.S. political organizations.
Russian President Vladimir Putin just “unleashed the hounds” on the U.S. election system, one industry executive declared.
So far, there is scant evidence that hackers working on behalf of Russian intelligence penetrated two fairly inconsequential voter databases in Arizona and Illinois. The FBI told election authorities in Arizona that Russian hackers were responsible for stealing a set of user credentials but provided no details about whether it was a criminal or state-sponsored group.
In a letter to the FBI on Monday, Senate Minority Leader Harry Reid asked the bureau to investigate whether Russia is attempting to manipulate results of November’s elections. Russian efforts to do so are “more extensive than is widely known and may include the intent to falsify official election results,” he wrote.
Cybersecurity experts have long warned that computerized voting systems are vulnerable to hacking, and what once seemed like wild prognostication is increasingly coming true. Hackers working on behalf of the Russian government penetrated the servers of the Democratic National Committee. When emails from the party’s servers appeared on WikiLeaks, it sparked a scandal that caused the resignation of party chief Debbie Wasserman Schultz.
That operation has the classic appearance of Russian information warfare, and security experts have accused state-sponsored Russian hackers of targeting a wide variety of political organizations, including the two major presidential campaigns.
By gaining access to voter registration databases in Arizona and Illinois, hackers did not obtain the power to manipulate vote totals, though they could certainly cause chaos.
“I suppose they could just nuke the voter database,” said Dan Wallach, a computer scientist at Rice University. “I’m picturing in my head Vladimir Putin dressed up as the Joker.” Deleting the rolls of registered voters on Election Day would severely undermine the vote’s integrity, but Wallach was quick to add that the evidence for Russian involvement remains thin.
According to Toni Gidwani, the director of research operations at ThreatConnect who has closely studied recent Russian information operations, the attack on the two voter registration databases does not fit the modus operandi of Fancy Bear, a hacking group tied to Russian intelligence linked to the DNC breach.
Moreover, if this was Russia’s crack hackers on the case — and cybersecurity experts describe Fancy Bear as among the best — they didn’t know much about American voting systems. In Arizona, voter registration information is a matter of public record, usually available for a nominal fee. “If you buy it you have to swear, ‘I’m not going to use it to send you Amway catalogs,’ or whatever,” said Matt Roberts, a spokesman for Arizona’s secretary of state. Other voter records are easily obtained by purchase.
In the Arizona case, hackers stole the username and password of a user with access to the voter registration database. They then posted that username and password online. After the information appeared online, the FBI notified Arizona election officials that they had been compromised and that a Russian hacker was responsible. Though the registration system was shut down for about a week, Roberts said the database was never compromised.
The FBI has not specified whether that Russian hacker was a criminal actor or working on behalf of the government. The bureau declined to answer questions from
In Illinois, unidentified hackers exploited a security hole that computer science professors assign as homework to their undergraduates. That vulnerability — a so-called SQL injection — “indicates systemic failure to provide basic information security controls,” said Matt Tait, the CEO of Capital Alpha Security and a former information security specialist for GCHQ, the British equivalent of the National Security Agency.
In a message to Illinois election authorities, Kyle Thomas, the director of voting and registration systems at the Illinois State Board of Elections, described the attack as “highly sophisticated” and “most likely from a foreign (international) entity.” But experts dismissed the claim of an advanced operation. Any computer user can download free tools online to scan for such vulnerabilities, and the fact that the state’s voter database included such a hole has been the subject of ridicule by information security specialists.
According to Ken Menzel, the general counsel for the Illinois State Board of Elections, hackers entered the voter registration database on June 23 and spent a few weeks getting the lay of the land. That database includes about 15 million records and information about anyone who has registered to vote in Illinois in the past 10 years. It also includes voter age, addresses, sex, and, in some cases, the last four digits of a Social Security number or a driver’s license number.
On July 12, the hackers started exfiltrating information from the database and immediately gave themselves away. “We noticed the spike in bandwidth and shut things down,” Menzel said. All in all, the hackers made off with about 200,000 records.
So in two cases, unidentified hackers — one working on behalf of a mysterious Russian entity — penetrated poorly protected databases that don’t touch actual voting systems. This does not mean that a a hack of such a database could not cause chaos, as Wallach says, but it shows what could be possible.
Computer researchers have for the past 20 years broken into, hacked, and retrofitted computerized voting machines in a desperate attempt to prove to electoral authorities that the devices represent huge risks to the integrity of the vote. Researchers at Princeton, for example, have hacked one such device to turn it into a system for playing Pac-Man. Irregularities caused by voting machines have already cast doubt about the outcome of one election in the United States, a 2006 Florida congressional race in which 18,000 votes went missing.
In 2014, Moscow-linked hackers made history when they broke into a system displaying vote totals for Ukraine’s presidential election to claim that a far-right candidate was leading. Russian state media quickly latched onto the results as evidence that Ukraine’s post-revolutionary government had been co-opted by fascist forces.
Computerized election systems in the United States probably include large numbers of vulnerabilities, though the patchwork nature of American voting arrangements provide some safeguards against manipulation. American states are responsible for handling elections, and sometimes systems will differ down to the county level. This diversity provides some protection, as a computer vulnerability in one county might not be exploitable in another, Wallach said. This makes it more difficult to pull off a widespread manipulation of the vote.
But with Democratic presidential nominee Hillary Clinton threatening to pull off a landslide victory against her GOP rival, Donald Trump, this election could prove a test for voting systems in states that normally aren’t in play. Clinton has, for example, a fighting chance in Georgia, a reliably Republican state that Democrats haven’t won since 1992. Georgia uses an election machine that provides no auditable paper record, which security experts have said is particularly vulnerable to interference.
Concerns about the integrity of such machines have coincided with Trump’s provocative comments that if he goes down in defeat, it will be because the election was rigged. “The only way we can lose, in my opinion — I really mean this, Pennsylvania — is if cheating goes on,” Trump said during a rally in the state this month. Pennsylvania is another state that uses large numbers of voting machines that provide no paper record.
“Because it is impossible with most e-vote systems to affirmatively prove the counting infrastructure was not hacked, voters will have to rely on trust,” Tait said. “Trust which is eroded by the negligence exhibited by the state election boards’ terrible IT security controls in these two cases.”
By Elias Groll