Guest Post: How hard is it to hack the US election?

From NordVPN:

Digital privacy expert discusses how easy it is to hack into voting machines

October 29, 2019. With the looming 2020 election, it’s more important than ever to see if the US election can be hacked. Many security researchers have looked into the voting system and have found countless loopholes.

“Many of the hacks could be prevented by employing cybersecurity measures, replacing old voting machines with more secure ones, using paper ballots, or conducting security audits,” says Daniel Markuson, a digital privacy expert at NordVPN. However, according to him, most of these changes cannot be made without extra funding or new legislation, which does not seem to be forthcoming in the US.

How easy is it to hack into voting machines?

Different states use different voting machines – optical voting machines, that uses paper ballots, and direct recording electronic (DRE) machines. This means the whole system can’t be hacked at once, but it also means hackers can find the states with the weakest cybersecurity and strike there.

“22 states have chosen to use paper ballots only for security reasons. Their machines may be hackable, but they have paper ballots to compare their results with. The remaining states use either both Optical and DRE machines or only DRE machines,” explains NordVPN’s Daniel Markuson. “Most of these machines are more than 10 years old. They were designed at a time when no one considered the need for cybersecurity. They are so outdated that their software providers, including Microsoft, stopped issuing software updates a long time ago.”

Using a mixture of Optical and DRE machines leaves more than half of the country vulnerable. To make matters worse, there are 5 states (Delaware, Georgia, Louisiana, New Jersey, South Carolina) that use DRE machines only.

So what can hackers do with the voting machines?

• Physically tamper with the device’s hardware. This hack is probably the least likely to happen as it may be difficult to access the device without anyone noticing. It would also be hard to infect enough machines to sway an election. However, this is far from impossible. Voting machines have been thoroughly studied and exploited at hacking events such as DEFCON.
• Design multiple-use election cards for DRE machines. Normally, one election card equals one vote. However, hackers can create fake ones that could be used an infinite amount of times (as long as the election observers don’t notice anything). This hack is possible and isn’t too difficult to implement. The hardest part would be to mobilize enough people and resources to actually have any major impact.
• Remotely access the machines. This may not be feasible as most machines are not connected to the internet for security reasons. However, some are. And it doesn’t help if the voting machine maker left remote-access software on it. These machines can easily be exploited by inserting malicious code to alter the results.
• Connect to the same Wi-Fi network and access the machines. Public Wi-Fi isn’t safe – that applies to the election too. Most voting machines have no firewalls or security measures in place. It would be enough for a hacker to sit in the same room, connect to the same network, and run a targeted attack to take over the device.

“Hacking voting machines is possible, but that would require a lot of resources and might not be practical. To have a national effect, hackers have to think big. That means using various techniques to infect the voting process before voters even reach the booth,” says expert.

How to target the voting process

This is what hackers might try to do to achieve a sufficient scale to sway an election. The scary thing is that none of the hacks below are out of the ordinary or impossible to achieve.

• Use baiting to install malicious ballot program. Voting machines need to be set up for the election with a special ballot program. Most of the machines that are not connected to the internet will need an external device like a memory stick with a pre-loaded program. A hacker could easily use baiting techniques or replace legitimate devices with the hacker’s infected device.
• Infect an election official’s device and tamper with election programs. Many election officials’ details are easily accessible on the internet. The hacker could use a phishing technique to infect an official’s device, gain remote access, and change election program code. This would have an even bigger effect than baiting as this ballot program could now be installed all over the county or a state.
• Create fake election management systems that are already infected or are set up to vote for the hacker’s preferred candidate. It’s not uncommon for states/counties to hire small companies to provide them with election management systems. They might think they are buying a legitimate service, but how do they know that the service or software providers aren’t hackers or haven’t been breached themselves?
• Hack into voter registration systems and send phishing emails to voters. A hacker could also send false emails informing voters about long queues, a change in their voting center, or that their voting center is closed.

Can they hack your brain?

Hacking a voter’s brain is the worst hack of all. The Cambridge Analytica scandal that some say influenced the 2016 election showed the powerful new tools being used to shape public opinion without accountability. Even without concrete evidence on how many votes may have been swayed, it still planted a seed of doubt – “Is my vote worth a thing?”

“Americans are proud of their freedom of choice, so they rely heavily on media to gather information and form their opinions. Hackers or organizations can turn that against them by hacking social media with fake ads, fake profiles and disinformation,” says Daniel Markuson. “Such attacks are particularly dangerous as they can be governmental or state sponsored. This means a foreign government could try to interfere with the US election.”

ABOUT NORDVPN

NordVPN is the world’s most advanced VPN service provider, used by over 12 million internet users worldwide. NordVPN provides double VPN encryption, malware blocking, and Onion Over VPN. The product is very user-friendly, offers one of the best prices on the market, has over 5,000 servers in 60 countries worldwide, and is P2P friendly. One of the key features of NordVPN is zero-log policy. For more information: nordvpn.com.