During its “Hack the Vote” election simulation, cyber-security firm Symantec has revealed three easy ways an attacker with the right level of intelligence and motivation could impact the US presidential election and it will cost just $15 (roughly Rs. 1,000).
To analyse the ecosystem of an election – from electronic voting machines to data transfers, vote tabulation and broadcasting the results – the company tested the actual direct-recording electronic (DRE) voting machines and other equipment tosimulate a real-world voting system. According to the general process, voters use a chip card to cast their vote. Once someone has voted, the same card is re-used by the next voter. “Just like credit cards, these cards are essentially a computer with its own RAM, CPU and operating system. Which means they can be exploited like any computing device,” the company said in a statement.
“In examining the election process for vulnerabilities, we discovered that there’s an opportunity for a hacker to modify the code put on a voter’s chip card. Anyone who knows how to programme a chip card and purchases a simple $15 Raspberry Pi-like device, could secretly reactivate their voter card while inside the privacy of a voting booth,” added Symantec.
The card can be faked in two different ways – one, reset the card to allow someone to vote multiple times using the same chip card and second, programming the card to allow multiple vote casting. “There was no form of encryption on the internal hard drive of the voting machines we purchased, which were running an outdated operating system to display the ballots and record votes,” Symantec found.
The second method to influence the votes is tampering with tabulation. All the votes are registered in the voting and attackers could compromise the integrity of the voting data by manipulation of cartridges as these storage cartridges function like a USB drive which stores data in plain text with no embedded encryption. Thirdly, by propagating misinformation on social media networks, a hacktivist or attacker could also change voter behaviour.
Symantec said that these vulnerabilities can easily be fixed by installing security software at all points of the process.