It’s no secret, given the hacks that have plagued the Democratic National Committee and the Clinton campaign. But security researchers warn that it’s just the beginning.
“There’s not even a doubt in my mind that there are other actors out there that have yet to be found,” Crowdstrike CEO George Kurtz told CNNMoney. “I’m sure there will be other hacks that come out over the course of this election and certainly beyond that.”
Kurtz, whose firm was brought in by the DNC to investigate the hack, called the hack a watershed moment.
He said Crowdstrike has been fielding calls from Washington as political parties wrap their heads around a new type of threat: Hackers trying to manipulate the U.S. election.
Far from Washington, hackers descended on Las Vegas to show off their party tricks at Black Hat, the annual conference that puts security on the frontlines. They hacked cars, ATMs and mobile devices. This year, there was a new addition: a simulated version of a hackable electronic voting machine, assembled by security firm Symantec.
Brian Varner, a security researcher at Symantec, said the electronic voting machine is another frontier for hackers.
Seventy-five percent of the country’s votes are cast using paper ballots and even many electronic machines print a ballot so that there’s a paper trail. But five states (Georgia, Delaware, Louisiana, South Carolina and New Jersey) use electronic voting machines that leave no way to audit results after the fact, according to Pamela Smith, president of Verified Voting, which advocates for transparency in voting machines.
Some of the electronic machines use a voter access card, which you receive when you go to the polls. The card can be reused by multiple voters.
These machines represent an opportunity for hackers. But they must gain access to the physical card ahead of time in order to manipulate it.
In a demo, Varner showed CNNMoney how a voter access card can be hacked by a small device that reprograms the card, giving voters the ability to cast their vote as many times as they wish.
“I can probably put about 400 votes in myself in less than a couple minutes and the poll workers would be none the wiser,” Varner said.
Varner also cited multiple vulnerabilities in the way voter results are delivered. In one scenario, he described how a hacker could intercept the signals from an electronic voting machine connected to the Internet, similar to how hackers could intercept a user’s data when he or she connects to WiFi at a coffee shop.
“We don’t know what the transport network looks like between this machine and the actual database server that’s aggregating the votes and then sending it up for live broadcast,” he said. “Anywhere along that path … the communications could be intercepted.”
There’s enough risk that there should be standards for voting machines, Veracode CTO Chris Wysopal told CNNMoney.
“The process could be a lot safer,” he said. “I can tell you security doesn’t just happen.”
Homeland Security Secretary Jeh Johnson recently brought up the idea and urged the federal government to consider whether voting machines should be considered critical infrastructure.
Putting electronic voting machines into the category of critical infrastructure, which also includes power grids, airports, and hospitals, would allow DHS to set security standards for voting machines across the country, Wysopal said.
“That would mean there are certain things you can’t do,” he said. For example, “you can’t connect it to the Internet, if you’re using USB key, you have to have a process to makes sure they’re not infected, you have to have the right level of auditing.”
While political hacking may be in focus, it’s nothing new.
“Maybe nobody found it beforehand, [but] I’m not saying it wasn’t happening,” Kurtz said.
“I think [political campaigns] have always been hacked,” Wysopal said.
He said the existence of Wikileaks and other forums have encouraged whistleblowers to leak secretive documents.
“Years ago, we had Watergate — where you had a couple of boxes of files that were stolen,” Crowdstrike’s Kurtz said. “Now we’re talking about 20,000, 30,000 files that are being dumped on the Internet by nation state actors. So there’s broad ramifications for potentially trying to manipulate the outcome of an election.”
The psychological impact of Americans believing the election could be rigged could have broad — and disastrous — implications.
“If someone is able to cast doubt that a particular voting machine was compromised or votes were manipulated, what does that do? It causes chaos.” Kurtz says.
By Laurie Segall