About 15 years ago, cryptographers began to worry that electronic voting technology could expose society to great political risks, including altering election outcomes or suppressing voting. Yesterday, a leak published by The Intercept showed that the feared scenario may have come to fruition. Compounding the danger, the attackers also neutralized the second-factor authentication that many enterprises require their employees to use in high-security contexts and that companies are strongly encouraging their consumers to use.
Despite longstanding concerns over the vulnerability of electronic voting systems to hacking, the overwhelming majority of votes in the U.S. are now recorded using some form of electronic technology. According to an analysis by the Pew Research Center, 47% of registered voters live in jurisdictions that use only optical ballot scanning, about 28% live in jurisdictions using only direct-recording electronic (DRE) devices (e.g., touch screens), while 19% live where both technologies are used. That leaves only 6% not using either technology.
Cryptographers have had three primary concerns about electronic voting: the theft of voter credentials using phishing; the corruption of voter computers using malware; and software vulnerabilities in voting systems exposing the submitted ballots and the tallying systems themselves to manipulation. The first two types of attacks would attempt either to modify or suppress the votes of individual voters, while the third would circumvent the voter and manipulate the tally directly. Another concern was that technicians working for the voting machine companies might be corrupted to provide backdoor access to individual machines or directly tamper with their software.
Yesterday’s leak revealed at least one more type of attack to worry about: spear phishing of employees at voting software companies. This happened to VR Systems, a Florida-based vendor of systems for managing voter rolls and determining who can or cannot vote at polling stations. Its products are used by more than 150 jurisdictions in eight states. The spear phishing was similar in style to the now-famous Podesta phishing email, except a bit more sophisticated: it would also steal codes from users relying on second-factor authentication devices, thereby neutralizing this important security technology. Similar to the attack on Podesta, the attack on VR Systems was also successful.
Next, the attackers launched a second round of attacks, days before the 2016 presidential election, in which unwitting officials involved in the management of the voter registration systems were sent emails with apparent documentation materials that were weaponized with malware. Attack emails were also sent to more than 100 local government organizations.
As the leaked document doesn’t state whether the second stage of the attack was successful, let’s look at the probabilities:
Industry numbers show that somewhat simplistic targeted attacks have a success rate of approximately 25%, whereas sophisticated attacks can have yields in excess of 50%. However, it only takes one employee to make a mistake for an organization to be corrupted. That means that even if we were to use the more conservative estimate of risk (25%), the chance that all 100 users remain secure is less than one in a million million, or roughly 2^-41 for all the nerds out there. To understand just how likely that is to happen, consider this: you are approximately 8,000 times more likely to win the Powerball jackpot than 100 unprotected users are to all make the right decision. This risk is in spite of the fact that most organizations have periodic security awareness training for their employees.
So just what does “unprotected” mean in this context?
Protection isn’t a matter of whether a person has a traditional spam filter, which, slightly oversimplified, makes sure he doesn’t receive an email from a stranger containing the word “Viagra”. Traditional anti-phishing filters won’t do a lot of good either, as they rely on blacklists, i.e., long lists of known bad URLs. Targeted attacks circumvent these security mechanisms easily, simply by not using the same bad URL thousands and thousands of times. And finally, typical anti-virus software, also based largely on the blacklist paradigm, won’t do a lot of good. So unprotected really means having no protection at all, or only “traditional” security measures.
This is a wake-up call for anybody who still feels that the status quo of security technologies is sufficient to keep evil at bay.