Following the news that hackers have attempted to break into more than 10 US state election databases, Tod Beardsley, Senior Research Manager at Rapid7 commented below. On top of this, he has also published a detailed blog on the hacking threats facing the US election system.

Tod Beardsley, Senior Research Manager at Rapid7

Tod-Beardsley“Musings around election hacking often devolve into “movie plot threats.” Coined by cryptographer Bruce Schneier, a movie plot threat describes possible, but extremely unlikely scenarios — the sort of which that are so unlikely that actually defending against them in the real world causes more harm than good.

For example, it is possible that foreign hackers could infiltrate voting machine software, and therefore cause votes cast for one candidate to be counted for another. However, such an attack is literally incredible. Voting machines in the U.S. are never [as far as we are aware] directly connected to the Internet on Election Day, which means the attacker would need to get at the machines well before November 8, while the software is being written or loaded onto the machines. While this sort of infiltration is possible, such a campaign would require formidable espionage assets, have a high risk of being detected before the election, and the effects would be noticeable in bizarrely inaccurate exit polling during and after the election.

There is also wide speculation around the current “probing” activity directed at online voter registration sites. In isolation, this might seem alarming. However, all online systems are “probed” all the time. Automated and routine vulnerability scans of internet assets is a normal part of online weather, is sourced from all over the world, and is well understood by experienced IT security practitioners.

Finally, if online voter registration records are vandalized on election day in order to deregister otherwise legitimate voters, polling places can and will fall back to the paper-based provisional balloting system guaranteed by the Help America Vote Act of 2002 (HAVA). So, while an outage of voter registration records would certainly be inconvenient, it would not prevent the election from taking place. It just wouldn’t be worthwhile in terms of effort, cost, and risk to attack elections this way, given the ease of local recovery through provisional balloting.”

Information Security Buzz