Researchers have successfully hacked a popular voting machine responsible for over eight million US voters on Tuesday, demonstrating how tallies can be altered at will.
Security and AI vendor Cylance claimed an industry first in being able to show how to exploit critical vulnerabilities in a Sequoia AVC Edge Mk1 voting machine – apparently one of the most popular in use in the US.
In a video demonstrating the attack, the firm shows how – with direct access to the machine – attackers could remove and replace its internal flash memory cards, enabling them to manipulate the voting tallies in the memory, and cause a vote for one candidate to be credited to another by altering the screen display.
Cylance is not yet able to reveal exactly how it did this as the information is currently with Sequoia and the government, and it is hoped steps will be taken to mitigate the threat ahead of the presidential elections on Tuesday.
In the short-term, the vendor is recommending increased supervision of the machines, in order to restrict physical access; verification of any hardware or software errors; monitoring of tamper-evident seals; and improved vetting and monitoring of polling place volunteers and officers.
Longer term, Cylance hopes that any machines without hardware-based firmware and data verification capabilities be phased out.
The affected machine looks set to be used by 8.2 million voters in over 22,000 precincts on Tuesday.
“We believe that both the public and the appropriate regulatory agencies needed to be made aware of these issues immediately so that appropriate measures could be taken to better secure these voting machines,” said Cylance CEO and president, Stuart McClure.
“We also hope that the information we provided to the manufacturer will assist them in developing better devices moving forward so that we can ensure a secure election process.”
Cybersecurity has been at the top of the agenda during the presidential campaign, with Hillary Clinton coming under constant fire from her opponent over an FBI investigation into her use of a private email server for official business.
FBI boss James Comey has now confirmed that the latest batch of emails reviewed by the Feds do not change its initial conclusion that the presidential hopeful has committed no wrongdoing.
Ironically, the cybersecurity posture of Donald Trump’s businesses has also been called into question after a researcher found that many of them are running the no-longer supported Windows Server 2003 and Internet Information Server (IIS) 6.
There are also fears that Russia might be trying to influence the outcome of the election, after the FBI confirmed attempts to hack the voter registration system.