Election systems across the world are vulnerable to attack by malicious cyber actors, cyber intelligence company FireEye warned in a new report released today.

The report comes weeks after the UK’s National Cyber Security Centre (NCSC) warned that some areas of the British electoral system were also vulnerable to cyber attack, despite the country’s heavily paper-based ballot system.

“There are central vote tabulating machines that may be connected to an Intranet or the public Internet. It may be possible for remote adversaries to attack those machines”, FireEye said. It admitted, however, that it has not observed attacks against elections infrastructure, and that the US’s decentralised and unstandardised voting system, “a nation-wide coordinated attack on voting machines would require high technical sophistication, lengthy planning, and extensive resources.”

The California-based company highlighted weaknesses in electronic voter registration, DDoS against state elections websites, attacks against voting machines, and attacks against election management systems.

DDoS or website defacement is popular with cyber actors to prevent voters from locating and accessing their local polling station location.

During the 2015 Russian local elections, cyber threat actors conducted low-impact DDoS attacks against eight websites, including the country’s President, Central Commission and four opposition news websites. FireEye suggested the actors involved were trying to disrupt the political process in Russia.

The United States uses 57 types of voting machines, sold by 17 different vendors. US voting machines are not required to be connected to an external or public network.

“We identified key themes in their security flaws, namely that voting machines are particularly vulnerable to malware introduced through removable hardware. This
is due to the generally weak security on the voting machines themselves, as well as similar basic security flaws and challenges as many Industrial Control Systems,” the report’s authors said.

It pointed to election management systems as a particular weakness, saying that while they are run on specially configured PCs, these often run on older operating systems such as Windows 98 or Windows XP, or outdated versions of Linux.

Preventing these situations can be mitigated by enforcing strict password security, ensuring voting machines are up-to-date, and asking individual voters to check their belongings to prevent physical tampering, the company concluded.