Iowa Election App Vulnerable To Hackers

The US media only recently  learned that the Iowa Democratic Party planned to use a mobile app to report the Democrat Presidential Candidate caucus  results in their state, but the party refused to reveal details about the app. 

Now a fault in the smartphone app used to count and report votes from individual precincts has caused a severe delay to the results from Iowa  being made known. 

A  closer look shows that the App had potentially very serious problems that, so far as is presently known, did not come into play. These problems mean the App was  vulnerable to hacking.

The Democrats didn’t publish the app’s source code for independent security researchers to inspect. Nor did they give any information about how thoroughly the app had been tested which apparently it had not been very thoroughly tested. At the time the party wouldn’t even name the vendor that it hired to develop the app, a litlle-known firm named Shadow Inc. saying that doing so could inadvertently help potential cyber attackers.

Elected officials couldn’t get answers, either. The office of Democrta Senator for Oregon. Ron Wyden asked the Democratic National Committee for details about the app three times in lead-up to the Iowa caucuses, but the requests were ignored, 

The App was so insecure that vote totals, passwords and other sensitive information could have been intercepted or even changed, according to officials at Massachusetts-based Veracode, a security firm that reviewed the software.

A lack of adequate safeguards, including transmissions to and from the phone means that data was left largely unprotected. An attack would require some degree of sophistication, but it would have been much easier to pull off had a precinct worker used an open Wi-Fi hotspot to report votes instead of a mobile phone data plan.

To date there is no evidence that hackers intercepted or tampered with caucus results.

The turmoil over counting the votes in Iowa has raised fresh doubts about the election’s integrity. The question that has been asked is was the Iowa caucus chaos is a hit job by election-meddling Russians. The morning after caucus-goers filed into high-school gyms across Iowa, the state’s Democratic Party is still unable to produce results. The app it developed for precisely this purpose seems to have crashed.

The party was questioned by experts about the wisdom of using a secretive app that would be deployed at a crucial juncture, but the concerns were brushed away. Worried about Russian hacking, the party addressed security in all the wrong ways: It did not open up the app to outside testing or challenge by independent security experts.

If the App developer, Shadow Inc. had opened up the app to experts, they likely would have found many bugs, and the app would have been much stronger as a result. An app that is downloaded onto the phones of thousands of precinct officials across Iowa, with varying degrees of phone security and different operating systems, could not be fully protected against Russian or any other hackers. 

Underground “hacks for sale" allow remote attackers to infiltrate phones, especially ones without the latest system updates, as is the case for many Android phones. 

Creating a more hardened phone network is possible, but that would require issuing secure phones to every official, and providing training and technical support. There is no indication that any of that was done.Even without a more substantial reform of the complex and demanding caucus process, a simple adversarial confirmation system, which is a process used by many countries, would have worked well.

The US has experienced previous difficulties with obsolete election technology. The National Academy of Sciences released a lengthy report about it last year, complete with evidence-based recommendations for every step of the electoral process. 

The US Department of Homeland Security offered to test the app for the Iowa Democratic Party, but the party never took the government up on it, according to a US official familiar with the matter who was not authorised to speak publicly. The official said the party did participate in a dry run, known as a tabletop exercise.  
 

DefenseOne:       ProPublica:        The Intercept:

You Might Also Read:

Foreign Cyber Intrusions On The USA:

 

« Preparing Your Employees & Business Systems For A Cyber Attack
Leaked Report: The United Nations Was Hacked »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IX Associates

IX Associates

IX Associates is a UK based IT Integration business specialising in risk, compliance, eDefence, and network security solutions.

Nordic IT Security

Nordic IT Security

Nordic IT Security is a cyber security business forum in Scandinavia bringing together the converging worlds of IT, Cyber and Information Security.

PortSwigger

PortSwigger

PortSwigger's Burp Suite is an integrated platform for performing security testing of web applications.

GE Digital

GE Digital

GE Digital is a leading software company for the Industrial Internet. Products include Industrial Cyber Security for Operational Technology (OT).

achelos

achelos

achelos is an independent software development company providing innovative technical solutions for micro-processor chips / security chips and embedded systems in security-critical application fields.

CyberGuru

CyberGuru

CyberGuru is a service provided by CyberSecurity Malaysia specializing in cyber security professional training and development.

David Hayes-Export Controls

David Hayes-Export Controls

David Hayes-Export Controls provides assistance to companies affected by export controls or who are considering entering the market but are unsure of the commercial and regulatory implications.

Secure Digital Solutions (SDS)

Secure Digital Solutions (SDS)

Secure Digital Solutions is a leading consulting firm in the business of information security providing cyber security program strategy, enterprise risk and compliance, and data privacy.

Flix11

Flix11

Flix11 is a Cyber Security & ICT Solutions focused company. We provide a range of products and services in Cyber Security, Internet of Things (IoT) and infrastructure solutions.

Integrity

Integrity

Integrity is a PCI QSA and ISO 27001 certified company specialized in Information Security and IT Consulting.

Jamf

Jamf

Jamf is the only Apple Enterprise Management solution of scale that remotely connects, manages and protects Apple users, devices and services.

Contextual Security Solutions

Contextual Security Solutions

Contextual Security Solutions is a leading provider of penetration testing services and IT security & compliance audits.

Brightworks Group

Brightworks Group

BrightWorks Group offer comprehensive technology operations and security operations consulting services, tailored to meet your specific needs.

Cyviation

Cyviation

Cyviation's mission is to mitigate ever-growing and menacing Cyber Security threats, focusing on aircraft, airlines and airports.

Evervault

Evervault

Evervault provides engineers easy solutions to complex data security and compliance problems.

OpenAI

OpenAI

OpenAI is an AI research and deployment company dedicated to ensuring that general-purpose artificial intelligence benefits all of humanity.