If you’re registered to vote in the U.S., you probably recall the information collected at registration. To refresh your memory, personal details such as your name, address, date of birth, driver’s license number, and the last four digits of your social security number are all contained within your state’s voter rolls and records. All of this information is also very attractive to malicious hackers.
Meanwhile, as November 8th approaches, the tumultuous 2016 presidential election is front and center. Not only is this true in the eyes of the media, but also for the world of security. In recent months, we’ve witnessed multiple hacking attempts on voter registration data. But what does this mean for the election and beyond?
Let’s take a look at what’s been going on in these attempted and successful attacks. We’ll explore how a larger, successful breach could affect individual voters and the U.S.A. as a whole. What can be done, and what’s already been done, to secure these sources of personal data in the short-term and long-term? Let’s find out.
In late July, news first broke about a voter registration system breach in Illinois. State officials warned (via Facebook) that the system had been attacked. Around the same time, Arizona experienced a similar attack. While initially thought to affect 200,000 records, the Illinois attack has been revised to about 90,000 records that are believed to have been downloaded by hackers.
The Arizona attack was more limited. Additionally, officials don’t believe there was successful data exfiltration.
Since these attacks, the FBI has claimed that more than a dozen states are seeing traffic indicating that their systems are being scanned by potential attackers. They could be the same hackers, or another group inspired by the original attacks. Either way, widespread attempts are taking place all over the country to exploit similar vulnerabilities.
In Illinois, the election database was compromised using commonly available penetration testing tools to scan for vulnerabilities. The attackers also exploited a SQL injection vulnerability in the voter databases to steal the registration information.
A SQL injection attack occurs when an attacker executes malicious SQL statements to gain unauthorized access to information on a Web application’s database. These injection attacks are just one of many potential attack methods to carry out against voter databases.
The United States Computer Emergency Readiness Team (US-CERT) lists the following as other major avenues of attack:
The FBI believes that foreign hackers are at play in both of these attacks. Due in part to tracing the IP addresses involved, it’s also difficult to determine who may have been accessing this information.
These attacks involve reading or downloading voter information. Personal information at stake can be sold on the dark web to those looking to perpetrate identity theft or financial crime. For the victim, this can mean years of costly headaches attempting to reverse the affects and prevent further issues. As we’ve seen with past high profile data leaks, beyond the individuals affected, there is also significant trust lost with the breached organization.
This is the larger impact of these hacking attempts. The intent of attackers may be to sow distrust in the U.S. election system. Attacks such as those on Illinois and Arizona may cause currently unregistered voters to think twice before registering to vote.
Delving further into speculation, it isn’t unrealistic to consider hackers’ ability to leverage further attacks. These could also include adding or deleting records in the voter databases. Additionally, further attacks would call the integrity of the election system and the votes cast into question. If state-sponsored attackers are responsible for what we’ve seen so far, it is reasonable to assume that the intent lies in further manipulating or destabilizing the election process. These potential scenarios highlight why application and database security is crucial to the voter registration system.
For state governments maintaining the voter registration system, there are a number of threats to protect against. According to a security tip released by US-CERT, the Department of Homeland Security (DHS) recommends that network administrators patch applications and operating systems. This ensures that they are keeping up with the latest updates. Additional activities to make sure that voter data remains secure include:
Individual voters should also monitor personal data for inconsistencies or unexpected items. Credit card statements, bank statements, and credit reports can provide insight into whether an attacker is attempting to steal your identity.
We hope that our state governments know how to keep our information safe. However, determined hackers are still out there attempting to get at that data and in some cases they’re succeeding.
Personal information will always be a lucrative target for hackers seeking financial gains. This is not a new threat. Nevertheless, it has become a prominent story in what is already an eventful election cycle, leading to increasing concerns.
As individuals, this means being on guard with our personal information and keeping an eye on financial records to ensure that no one else is attempting fraud in our name. For those maintaining state voter registration systems, there are a variety of methods that the DHS provides to ensure that the systems are secure as we enter the last few days before the election. Stay safe and alert!
Claire McKenna is a Security Consultant at Synopsys. She received her undergraduate degree in Information Security and Forensics from Rochester Institute of Technology. Claire specializes in Web application security and has a growing interest in secure development and source code review. Outside of work, Claire enjoys spending time with her family and pets, playing video games, hiking, and kayaking.