Cyberattack on Florida election is first known case in US, experts say



Tim Chapman / Miami Herald
About 2,000 rejected absentee ballots at Miami-Dade Elections Department, mostly for lack of signatures or review of signatures from the last election.
 
By Gil Aegerter
Staff Writer, NBC News

An attempt to illegally obtain absentee ballots in Florida last year is the first known case in the U.S. of a cyberattack against an online election system, according to computer scientists and lawyers working to safeguard voting security.

The case involved more than 2,500 “phantom requests” for absentee ballots, apparently sent to the Miami-Dade County elections website using a computer program, according to a grand jury report on problems in the Aug. 14 primary election. It is not clear whether the bogus requests were an attempt to influence a specific race, test the system or simply interfere with the voting. Because of the enormous number of requests – and the fact that most were sent from a small number of computer IP addresses in Ireland, England, India and other overseas locations – software used by the county flagged them and elections workers rejected them.

Computer experts say the case exposes the danger of putting states’ voting systems online – whether that’s allowing voters to register or actually vote.

“It’s the first documented attack I know of on an online U.S. election-related system that’s not (involving) a mock election,” said David Jefferson, a computer scientist at Lawrence Livermore National Laboratory who is on the board of directors of the Verified Voting Foundation and the California Voter Foundation.

Other experts contacted by NBC News agreed that the attempt to obtain the ballots is the first known case of a cyberattack on voting, though they noted that there are so many local elections systems in use that it's possible that a similar attempt has gone unnoticed.

There have been allegations of election system hacking before in the U.S., but investigations of irregularities have found only software glitches, voting machine failures, voter error or inconclusive evidence. Where there has been evidence of a computer security breach -- such as a 2006 incident in Sarasota, Fla., in which a computer worm that had been around for years raised havoc with the county elections voter database -- it was unclear whether the worm's appearance was timed to interfere with the election.

In any case, experts say they’ve been warning about this sort of attack for years.

“This has been in the cards, it’s been foreseeable,” said law Professor Candice Hoke, founding director of the Center for Election Integrity at Cleveland State University.

The primary election in Miami-Dade County in August 2012 involved state and local races along with U.S. Senate and congressional contests (see a sample ballot here). The Miami Herald, which first reported the irregularities, said the fraudulent requests for ballots targeted Democratic voters in the 26th Congressional District and Republicans in Florida House districts 103 and 112. None of the races’ outcomes could have been altered by that number of phantom ballots, the Herald said.

Overseas “anonymizers” -- proxy servers that make Internet activity untraceable -- kept the originating computers’ location secret and prevented law enforcement from figuring out who was responsible, according to the grand jury report, issued in December. The state attorney’s office closed the case in January without identifying a suspect.

Read the Miami-Dade County grand jury report (PDF)

Then came the Herald report, which said that three IP addresses in the United States had been identified among those sending the requests and that there had been a delay in getting that information to investigators, which a Miami-Dade elections official confirmed to NBC News.
 Terry Chavez, spokeswoman for the state attorney’s office for Miami-Dade County, also confirmed to NBC News that the investigation was reopened to look into those IP addresses. Chavez said she could release no details on the investigation.

Rep. Joe Garcia won the Democratic primary in the 26th District and went on to win the general election. Jeff Garcia, his chief of staff and no relation, said last week that no state or federal investigators had contacted the congressman's office about the case.

State Rep. Jose Javier Rodriguez, a Democrat who won the District 112 seat, said Thursday that his office had not heard from investigators about the case either. A message left at the legislative office of state Rep. Manny Diaz Jr., the Republican who won the primary and the general election in District 103, was not immediately returned.

The Herald report said that as the requests began coming in, elections officials figured out that they were improper and started blocking the IP addresses. “I guess they finally gave up,” the newspaper quoted Bob Vinock, an assistant deputy elections supervisor for information systems, as saying.

People who study election security say the fact that this attempt did not succeed should be of little comfort to election officials. They warn that attempts to attack voting systems are likely to increase.

“In this case the attack was not as sophisticated as it could have been, and it was easy for elections officials to spot and turn back,” said J. Alex Halderman, an assistant professor of computer science and engineering at the University of Michigan who studies the security of electronic voting. “An attack somewhat more sophisticated than the one in Florida, completely within the norm for computer fraud these days, would likely be able to circumvent the checks.”

• Fraudulently obtaining absentee ballots is just one way elections might be subverted by digital means, experts say. Among the other methods and attack points:
• Malware. Rogue software infects millions of home computers across the country. Jefferson said hackers could use malware to change votes or prevent them from being cast in an online election.
• Denial of service attacks. Jefferson said that hackers could use botnets to prevent election-system servers from working for hours, or perhaps longer. In fact, during an election in June 2012, a DOS attack hit the San Diego County Registrar of Voters' website, preventing voters from tracking the results.
• “Spoofing” of election websites. For example, Hoke said, legitimate requests for absentee ballots could be misdirected to another site. The data then could be misused, or the requests could hit a dead end, and voters would be left wondering where their ballots were.
• Exploiting software flaws in digital voting machines, known as DREs. The flaws could allow insertion of viruses or alteration of programming code that would change votes or delete them. (Read one description of hacking a voting machine.)
• Tampering with email return of marked ballots. Experts say email return is troublesome because of the multiple points for attack along the ballots’ electronic path. “The overwhelming consensus of the computer science community is don’t do it, it’s a bad idea,” said Jeremy Epstein, a senior computer scientist at SRI International. But in about half the states, email absentee ballot return is an option for members of the military and their families, along with some other U.S. citizens living overseas.
• Wholesale hijacking of an online voting system. In 2010, the District of Columbia Board of Elections and Ethics tested an Internet-based voting system for a week, asking computer experts to probe it for flaws. It took only 48 hours for a team led by Halderman to break in and take control of the site – even altering it so that the University of Michigan fight song played after a vote was cast.

Read the University of Michigan researchers’ report on the DC hack (PDF)

In terms of illegally getting access to absentee ballots, Epstein said, the attacker or attackers who failed in Florida might have had an easier time with Washington state and Maryland.

He said that last summer he demonstrated to the FBI a method of changing individual voters’ addresses and other information online in those two states by predicting their driver’s license numbers.




J Pat Carter / AP file
bsentee ballots for the general election marked for delivery to the U.S. Postal Service for mailing are seen at the Miami-Dade County election center in Doral, Fla., on Oct. 5.

First he used publicly available information to gain a voter’s full name and address. Then, he predicted the individual’s driver’s license number – which is based on a combination of the person’s name and numbers and letters -- and used the information to access their voter registration online. From there, he said, he could have changed their addresses and had absentee ballots sent out.

“Imagine if (attackers) changed the address for 2,500 votes. It could be completely automated, and they have the ballots sent to a post office box or whatever,” Epstein said. “Then the registered voters would have no idea until they tried to vote.”

In October, Halderman and other researchers sent letters warning elections officials in both states of the danger of staking system security on driver’s license numbers.

The letter to Washington officials (read it here in PDF) also said that other security features in the state’s MyVote system would be only a speed bump to a dedicated hacker.

“Although the MyVote system uses a CAPTCHA, an image of distorted text intended to deter simple automated attacks, this provides only minimal defense,” the letter says. “Attackers can use commercial services to defeat the CAPTCHA at a cost of less than $0.001 per voter.”

Shane Hamlin, assistant director of elections in the Washington Secretary of State's Office, told NBC News that state election officials have acted on the recommendations in the October letter and will require additional information to register to vote or change registration online.

Maryland election officials did not immediately return a call from NBC News seeking comment, but the Washington Post reported last month that Ross K. Goldstein, deputy administrator of the Maryland State Board of Elections, acknowledged the security hole and said the online voter registration system was being updated to address the issue.

“I believe technology can solve problems, and there are steps that we definitely can, and plan to, take to mitigate the risks,” the newspaper quoted him as saying.

While elections officials are attracted to the savings that online voting and registration systems promise, the cost of guarding online registration and voting systems is large, Hoke said. And that might negate the financial advantage of online balloting touted by some elections officials and vendors who want to sell electronic voting products.

“It’s cheap, if you don’t care whether elections are stolen,” she said.

That possibility -- of an election being stolen through digital means -- haunts researchers. For Jefferson, it’s a matter of national security.

“The legitimacy of government depends on it being impossible for single parties to change the results of elections,” he said.