Iowa Election App Vulnerable To Hackers

Uploaded on 2020-02-06 in TECHNOLOGY--Hackers, GOVERNMENT-Local, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The US media only recently  learned that the Iowa Democratic Party planned to use a mobile app to report the Democrat Presidential Candidate caucus  results in their state, but the party refused to reveal details about the app. 

Now a fault in the smartphone app used to count and report votes from individual precincts has caused a severe delay to the results from Iowa  being made known. 

A  closer look shows that the App had potentially very serious problems that, so far as is presently known, did not come into play. These problems mean the App was  vulnerable to hacking.

The Democrats didn’t publish the app’s source code for independent security researchers to inspect. Nor did they give any information about how thoroughly the app had been tested which apparently it had not been very thoroughly tested. At the time the party wouldn’t even name the vendor that it hired to develop the app, a litlle-known firm named Shadow Inc. saying that doing so could inadvertently help potential cyber attackers.

Elected officials couldn’t get answers, either. The office of Democrta Senator for Oregon. Ron Wyden asked the Democratic National Committee for details about the app three times in lead-up to the Iowa caucuses, but the requests were ignored, 

The App was so insecure that vote totals, passwords and other sensitive information could have been intercepted or even changed, according to officials at Massachusetts-based Veracode, a security firm that reviewed the software.

A lack of adequate safeguards, including transmissions to and from the phone means that data was left largely unprotected. An attack would require some degree of sophistication, but it would have been much easier to pull off had a precinct worker used an open Wi-Fi hotspot to report votes instead of a mobile phone data plan.

To date there is no evidence that hackers intercepted or tampered with caucus results.

The turmoil over counting the votes in Iowa has raised fresh doubts about the election’s integrity. The question that has been asked is was the Iowa caucus chaos is a hit job by election-meddling Russians. The morning after caucus-goers filed into high-school gyms across Iowa, the state’s Democratic Party is still unable to produce results. The app it developed for precisely this purpose seems to have crashed.

The party was questioned by experts about the wisdom of using a secretive app that would be deployed at a crucial juncture, but the concerns were brushed away. Worried about Russian hacking, the party addressed security in all the wrong ways: It did not open up the app to outside testing or challenge by independent security experts.

If the App developer, Shadow Inc. had opened up the app to experts, they likely would have found many bugs, and the app would have been much stronger as a result. An app that is downloaded onto the phones of thousands of precinct officials across Iowa, with varying degrees of phone security and different operating systems, could not be fully protected against Russian or any other hackers. 

Underground “hacks for sale" allow remote attackers to infiltrate phones, especially ones without the latest system updates, as is the case for many Android phones. 

Creating a more hardened phone network is possible, but that would require issuing secure phones to every official, and providing training and technical support. There is no indication that any of that was done.Even without a more substantial reform of the complex and demanding caucus process, a simple adversarial confirmation system, which is a process used by many countries, would have worked well.

The US has experienced previous difficulties with obsolete election technology. The National Academy of Sciences released a lengthy report about it last year, complete with evidence-based recommendations for every step of the electoral process. 

The US Department of Homeland Security offered to test the app for the Iowa Democratic Party, but the party never took the government up on it, according to a US official familiar with the matter who was not authorised to speak publicly. The official said the party did participate in a dry run, known as a tabletop exercise.  
 

DefenseOne:       ProPublica:        The Intercept:

You Might Also Read:

Foreign Cyber Intrusions On The USA:

 

« Preparing Your Employees & Business Systems For A Cyber Attack
Leaked Report: The United Nations Was Hacked »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Cambridge Intelligence

Cambridge Intelligence

Cambridge Intelligence are experts in network visualization and finding hidden trends in complex connected data. Applications include cybersecurity.

HDI Global SE

HDI Global SE

HDI Global SE provides customised insurance solutions for industrial and commercial clients worldwide including Cyber Liability insurance.

AGAT Software

AGAT Software

AGAT Software is an innovative security provider specializing in external access authentication and data protection solutions.

Jscrambler

Jscrambler

Jscrambler addresses all your JavaScript and Web application protection needs.

ATIA

ATIA

ATIA provides consulting services in the design and implementation of IT system, Information Security, ISO certification, and professional IT training and education.

Simility

Simility

Simility's multi-layered fraud detection solution uses superior machine learning & device intelligence technology to safeguard your online businesses.

Dathena

Dathena

Dathena is a company developing data governance software based on machine learning algorithms.

Navaio IT Security

Navaio IT Security

Navaio helps clients with IT Security related challenges with a primary focus on Identity and Access Management, Data Governance, User Awareness and Cyber Resilience Services.

Cytellix

Cytellix

Cytellix is an industry-standards-based, managed cybersecurity service provider, specializing in proactive behavioral analytics and situational awareness of an organization’s cyber posture.

Agio

Agio

Agio is a hybrid managed IT and cybersecurity provider servicing the financial services, health care and payments industries.

UKsec: Virtual Cyber Security Summit

UKsec: Virtual Cyber Security Summit

Join 100s of UK Cyber Security Leaders Online for Expert Cyber Security Talks, Strategy Insights, Cyber Resilience Tips and More.

Silent Sector

Silent Sector

Silent Sector is a cybersecurity services company that specializes in providing a wide range of managed security services.

watchTowr

watchTowr

Continuous Attack Surface Testing, with the watchTowr Platform. The future of Attack Surface Management.

eCapital

eCapital

eCAPITAL is a leading venture capital firm that provides early to growth stage funding to technology companies in fields including software & information technology, cybersecurity and industry 4.0.

APIsentry

APIsentry

APIsentry is a leading provider of comprehensive API security solutions, specializing in protecting organizations from a wide range of cyber threats targeting their Application Programming Interfaces.

CLEAR

CLEAR

With more than 17 million members and a growing network of partners across the world, CLEAR's identity platform is transforming the way people live, work, and travel.