Voting Machines Can’t Be Hacked on an Internet Scale – but IOT Devices Can Be

With the U.S. Presidential election almost upon us, we’ve been fairly inundated with speculation that the election may be “rigged,” with reports about how easy it would be for hackers to tamper with voting machines.

It’s only when you dig deep into these stories that most of them – the ones that come close to resembling responsible reporting – admit to one big, fat caveat to the whole scenario: voting machines are not connected to the Internet. And I’m not just talking about “some” voting machines; I mean all of them.

If a voting machine is not connected to the Internet, that means it can’t be hacked by some faraway intruder. Rather, it would have to be hacked by someone with physical access to the machine. Given that, the hurdles to rigging an election are all but insurmountable. It’s just not feasible to hack enough of the machines to materially affect an election.

Which is pretty much the polar opposite of the situation your typical customers face every day. While it’s certainly convenient and useful to have all sorts of devices connected to the Internet, it also exposes any security vulnerabilities they may have.

This was made painfully clear in the distributed denial of service attack in late October that took down a number of high-profile sites, including The New York Times, Spotify, Reddit and Wired.com. As Wired reports:

Initial reports indicate that the attack was part of a genre of DDoS that infects Internet of Things devices (think webcams, DVRs, routers, etc.) all over the world with malware. Once infected, those Internet-connected devices become part of a botnet army, driving malicious traffic toward a given target. The source code for one of these types of botnets, called Mirai, was recently released to the public, leading to speculation that more Mirai-based DDoS attacks might crop up.

If there’s any good news from the attack, it’s that the sites in question didn’t do anything wrong. Rather, the target was the DNS service provider they used, Dyn, based in New Hampshire. The DDOS attack effectively took out Dyn’s service, which in turn rendered a number of the sites using the service unreachable. (DNS, or Domain Name Service, essentially translates the common web site names that we all know, like NYT.com, into the numerical IP addresses that Internet routers use.)

So, it’s on Dyn to take steps to prevent future such disruptions. But it should also put any company that’s embarking on any kind of IOT effort on warning: left unprotected, their systems may be co-opted and used to launch an attack like the one on Dyn.

Offering that kind of protection actually presents a significant opportunity for any IT service provider, as detailed in this recent blog post.

As for the election, don’t worry about the current generation of voting systems, although the threat of Internet-based attacks should be enough to put any talk of Internet-based voting on the shelf. It appears the feds are getting that message. At the direction of Congress, the Dept. of Defense has been working on a viable Internet-based voting system for overseas personnel since before the 2004 election, without success. In 2015, Congress essentially said, “Never mind,” and repealed its directive.

Want to learn even more and access additional resources? Check out APC by Schneider Electric’s Channel Partner Program.

Also, follow the steps below to sign up for our Managed Services Program today!

• Ensure you are a Registered APC Partner
• Log into your Personal Page and click “Training & Education”
• Complete MSP Sales Associate Certification (3 courses)
• Schedule an MSP Business Planning Session with your APC representative.  Log in now!