First-ever cyberattack on US election points to broad vulnerabilities

Experts have confirmed that a fraudulent online request for 2,500 ballots in Florida last year was the first known cyberattack against a US election. And it could be just the tip of the iceberg.

Voters stand on line to vote in Florida's Miami-Dade County in this 2004 photo. A cyberattack against the county sought to influence a 2012 primary election by fraudulently requesting 2,500 ballots.

Marc Serota/Reuters/File

March 18, 2013

Over a 2-1/2 week period last July, more than 2,500 online “phantom requests” for absentee ballots were made to Miami-Dade County election headquarters, marking the first known cyberattack on a US election.

The fake requests for ballots targeted the Aug. 14 statewide primary and included requests for Democratic ballots in one congressional district and Republican ballots in two state House districts, according to a recent Miami Herald report.

The fake requests were done so clumsily that they were red-flagged and did not foul up the election. In any case, they would not have been enough to change the outcome. But now confirmed as the first cyberattack aimed at election fraud, the incident is further evidence that the vote-counting process is vulnerable, particularly as elections become more reliant on the Internet.

Why many in Ukraine oppose a ‘land for peace’ formula to end the war

“This is significant because it’s the first time we’ve seen a very well documented case of attempted computer election fraud in the US,” says J. Alex Halderman, a cybersecurity researcher at the University of Michigan who focuses on election-system vulnerabilities. “This should be a real wakeup call because it illustrates the sort of computer voting attacks that many scientists have been warning were possible for years.”

Florida officials “were lucky” that the attacks were so clumsy, he says. The requests poured into the voter headquarters in clumps, much faster than normal, and in many cases the clumps arrived from the same handful of computer IP addresses. At this point, it is unknown what the attackers wanted to achieve.

But if they had been only slightly more sophisticated – distributing the requests across a larger number of IP address, for instance – the attack would have been much harder to detect.

“We’ve seen very sophisticated attacks against US corporations,” Dr. Halderman says. “If that level of sophisticated attack were directed against these election systems it could have been disastrous.”

Halderman knows. In three afternoons and without breaking any tamper-proof seals or leaving any traces, he and a colleague at Princeton hacked into a kind of paperless touch-screen voting machine used by almost 9 million voters in the 2008 presidential election. Just to show how much damage they could do, they installed Pac-Man in place of the voter software.

Howard University hoped to make history. Now it’s ready for a different role.

In 2006, he and Princeton researchers proved that, with just a few minutes access to a touch-screen voting machine, they could install a practically undetectable software virus that could spread to other machines and switch those machines' votes at election time before finally deleting all traces of itself.

Rapid advances in cyberweapons and malicious software put electronic-voting machines used in the 2012 election at risk and could have tipped the presidential election in some states, cybersecurity experts warned prior to the vote.

“This Florida case is not significant because thousands of votes were lost or changed, it’s significant because it demonstrates the feasibility of the pathway to attack the vote – and because there is online access to other pieces of the voting process,” says Pamela Smith, president of Verified Voting, a nonprofit group focused on ensuring US election integrity.

Some Florida officials say the attack also illustrates a need to take such violations more seriously. Law-enforcement officials had dropped their investigation until news media picked up on a Miami-Dade County grand jury investigation into the attack in December.

The Miami-Dade state attorney’s office reported it was unable to identify the hacker because the actions were masked by foreign IP addresses, the Miami Herald reported. But at least some of the IP addresses originated in Miami and could have been further traced, the paper found.

“In this case it seems more of an attack on the voting process,” says Ion Sancho, supervisor of elections in Leon County, Fla., who has studied cybersecurity in detail for systems he oversees. “Most Americans are unaware of the overall insecurity of the Internet and blind to the hacking threat to US elections systems. What we desperately need are law-enforcement authorities that will really take these kinds of attack seriously and really go after them.”