Security firm exposes voting machine vulnerability before election day (VIDEO)

7 Nov, 2016 20:39 / Updated 8 years ago

A voting machine used in at least a dozen states is vulnerable to a software attack that could compromise its vote tally and backup system, security firm Cylance revealed ahead of the US elections.

Cylance disclosed a vulnerability within the Sequoia AVC Edge Mk1 voting machine, which is used at varying levels in states across the US, according to VerifiedVoting.org, including in more than 1,000 municipalities in Wisconsin.

California-based Cylance said a Sequoia AVC Mk1 could be compromised by attacking software through the machine's firmware port, allowing a manipulation of the machine's vote tallies as well as its backup system, known as Protective Counter. The firm released a video demonstrating such an attack.

"The decision to announce the research findings was intended to encourage remediation of the vulnerabilities prior to Election Day," the firm said, adding that "insecure machines" must be phased out.

Cyber security on Election Day has been a concern for federal and state officials, as all but two states have asked the US Department of Homeland Security to assess their election systems for any vulnerabilities, Reuters reported late last week. While cyber-threat awareness has increased, the FBI said it has not boosted staffing dedicated to election crime, a spokeswoman told Reuters.

Security experts questioned the intent of the Sequoia AVC revelations on the eve of election day.

"This disclosure seems political in nature," Katie Moussouris, founder of Luta Security, told The Verge. "Releasing this publicly, after DHS and states have been aware of these types of attacks for years, only serves to fuel the fires of doubting the election results. This is a case of not helping security while simultaneously undermining the democratic process."

Andrew Appel, a Princeton researcher who has also revealed vulnerabilities in Sequoia machines, said the kind of attack demonstrated by Cylance would have to occur after a poll is closed, meaning a verified tally would exist in the machine's flash memory.

"If there’s any question about the results cartridge, it can be compared to the printout and the flash memory of the computer," Appel said, according to The Verge. "Now if the machine was hacked in advance of the election, it could write bad results in all three places — but that doesn’t seem like what they’ve demonstrated here."

Last year, the Brennan Center for Justice reported that many states still use outdated voting machines. "Forty-three states are using some machines that will be at least 10 years old in 2016," the Brennan Center found, and 14 states have machines that will be 15 years old. Almost every state employs machines that are no longer manufactured, according to the Brennan Center.

Election integrity has been a hot topic within the presidential campaign. Without offering evidence, Republican presidential candidate Donald Trump has consistently said over the last several months of his campaign that voter fraud and a "rigged" election system that will favor Democratic nominee Hillary Clinton could undo his candidacy. For instance, last month, he tweeted: "Of course there is large scale voter fraud happening on and before election day. Why do Republican leaders deny what is going on? So naive!"