A device costing as little as $15 could be used to vote multiple times in the US presidential election race between Donald Trump and Hillary Clinton.
Cyber security firm Symantec says it has conducted research on the vulnerabilities in electronic voting machines and in a blog post published today, outlined how hackers could potentially impact the presidential election.
Four key threats that were discovered include:
• Stuffing the digital ballot box: Voters entering polling stations that use electronic voting machines are handed a chip card that gets loaded with their voter ID. Anyone who knows how to reprogram a chip card and purchases a $15 device can reset the card and vote multiple times.
• Encryption absent: The lack of full-disk encryption on the voting machine that Symantec examined makes it easily exploitable, requiring only a simple device to reprogram the hard drive.
• Tampering with tabulation: On a voting machine, votes are collected in a simple storage cartridge, and physically transferred to a central database for tabulation. A number of attacks could compromise the integrity of voting data, including the manipulation of cartridges and voting databases.
• Spreading distrust through misinformation: It's plausible for hackers to hijack means of communication and spread false election results on YouTube, broadcast media, social media and other channels.
If this occurred, they could potentially influence voters to gravitate toward the poll leader - or not cast a ballot if the election looks like a landslide victory.
"We purchased actual direct-recording electronic (DRE) voting machines off an online auction site and other equipment to simulate a real-world voting system,' Symantec said in the blog post.
"Altogether, our research and development cost less than $500 and revealed three easy ways an attacker with the right level of intelligence and motivation could erode the trust that American citizens have in their election process.
"Voters entering polling stations that use electronic voting machines are handed a chip card what they use to cast their vote.
"Once someone has voted, they turn the card back into the polling station volunteer and it gets re-used by the next voter.
"Just like credit cards, these cards are essentially a computer with its own RAM, CPU and operating system. Which means they can be exploited like any computing device.
"In examining the election process for vulnerabilities, we discovered that there's an opportunity for a hacker to modify the code put on a voter's chip card.
"Anyone who knows how to program a chip card and purchases a simple $15 Raspberry Pi-like device, could secretly reactivate their voter card while inside the privacy of a voting booth.
"We found a card reader that fits neatly into the palm of our hand and used it to reset our fake voter chip cards two different ways.
"In one scenario, we reset the card to allow someone to vote multiple times using the same chip card. Our second method programmed the card to allow that card to cast multiple votes. In both approaches, that attacker is stuffing the digital ballot box and casting doubt in the validity of the results from that polling station."
"We also discovered that there was no form of encryption on the internal hard drive of the voting machines we purchased, which were running an outdated operating system to display the ballots and record votes.
"These types of hard drives are similar to those used in digital cameras. The lack of full disk encryption on the internal hard drive (as well as the external cartridges) presents opportunities for hackers to reprogram and alter ballots."