Press Release
U.S. EAC Voting System Standards Fail to Protect Systems In Penetration Security Tests
Coalfire Report: Security Tests Show Vulnerabilities in U.S. Election Assistance Commission (EAC) Standards, Machines and System Infrastructure
Westminster, CO – Nov. 6, 2018 – Coalfire, a provider of cybersecurity advisory and assessment services, released a report today, “Securing the Vote: Research on Voting Vulnerabilities and Recommendations,” presenting the results of penetration tests and assessments conducted on state voting systems. The firm found that its team of penetration testers was able to reverse engineer voting media and replace software in voting systems with a program that emulates it, but recompiled with malicious logic, instructs it to record malicious votes—despite the systems having passed EAC voting system standards. Coalfire found additional vulnerabilities across end-to-end voting process and infrastructure and a lack of cybersecurity rigor in the Voluntary Voting System Guidelines (VVSG) 1.1 standard issued by the EAC.
Coalfire’s analysis was derived from expert security assessments and penetration testing against voting networks and systems across 10 states. The team analyzed the strengths and weaknesses of VVSG 1.1 and reviewed the VVSG 2.0 standard currently in draft form.
“The U.S. voting system is peppered with vulnerabilities, and voters are losing confidence,” said Tom McAndrew, CEO of Coalfire. “Our voting systems require significant improvement from the hardware and software that run voting machines, the networks that connect the votes and databases, and the policies and standards that oversee their operations.”
Voting Infrastructure Overview and Threats
Coalfire tested voting machines and devices from a range of manufacturers against the risks associated with insecure devices. Following an assessment of the gaps in the current VVSG 1.1 standard, the company concluded the standard was sound in the fundamentals but lacking in specifics and much-needed end-to-end testing requirements. The vulnerabilities and risks in the components of voting systems could lead to compromise even if the systems in question were certified by VVSG 1.0.
Coalfire conducted an analysis of the additional cybersecurity vulnerabilities in the end-to-end voting process, which has no testing requirements. These vulnerabilities can be found in network infrastructure, voter registration systems, and equipment in storage, which can be compromised if proper controls are not implemented; and elections staff, which could become victims of social engineering schemes. Coalfire found that securing the vote requires a holistic review of the entire ecosystem to determine how an attacker might leverage any existing vulnerabilities or create new ones, chaining them into a successful compromise.
“The standards to which these systems are certified cover the essentials of security, but adherence to the standards doesn’t prevent them from being subverted,” said Mike Weber, Vice President, Coalfire Labs. “There needs to be a requirement for this level of extensive testing – as alluded to in Section 8 of the Secure Elections Act, ‘Hack the Election,’ which suggest a bug-bounty-style program to leverage the security community to help find ways to secure these systems.”
The report elucidates the problem, including ongoing governmental legislation efforts to address the issue, funding challenges, and the fractured accountability of voting security, and explains specific security vulnerabilities found in voting machines and in the electronic voting infrastructure overall, describing where the VVSG 1.1 framework falls short and where the penetration tests failed in voting systems. It includes recommendations for what should constitute end-to-end security requirements to assure machine controls actually provide security and work as intended.
About Coalfire
Coalfire is the trusted cybersecurity advisor that helps private and public-sector organizations avert threats, close gaps and effectively manage risk. By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 17 years and has offices throughout the United States and Europe.
For more information, visit Coalfire.com.
Press Contact:
Mike Gallo
For Coalfire
212-239-8594
Luminacoalfire@luminapr.com