Yes, I know. As of this writing, the Iowa Democratic Party and some other experts are saying that no hacking probably occurred during the Iowa Caucus. Well, what do you expect them to say? But, as everyone in cybersecurity knows, the easiest way into a network is to hack one of its endpoints. Giving out free apps to thousands of people, many of whom had little cybersecurity awareness, was always courting disaster. This is because, once a single endpoint is compromised, it can be used by the attackers as a platform to move up through the network, acquiring data and causing problems as they go. In other words, if the Iowa Caucus was not hacked, they were really lucky.
I doubt if I’m alone in thinking that something like this could have happened. True, we have been given little information from the app developer, and so writing about the caucus being hacked is, for the moment, more of a thought experiment. But thought experiments can be useful. So I’m going to write this post as if hacking had actually occurred, because even if it didn’t happen here, it could easily happen somewhere else. I’m going to write this from the viewpoint of a dedicated attacker; from the viewpoint of someone who wanted to disrupt the Iowa Caucus or any other political event that uses apps to gather and transmit information.
So what is this caucus app anyway? It was, according to those willing to speak about it, developed by a little-known, Washington-based firm called Shadow Inc., which is the tech arm of Acronym, (“We build power + modern infrastructure for a new progressive movement.”). Shadow similarly states that their mission is “to build political power for the progressive movement.” Shadow is connected to a digital marketing company for progressive organizations called Groundbase. All of these fall under the umbrella of NGP VAN, “the leading technology provider to Democratic and progressive campaigns and organizations”. NGP VAN is behind every Democratic caucus and primary. They support all Democrats with voter data and apps in every election from the local to the national level,
As soon as Shadow got into trouble with the Iowa Caucus results, Acronym basically threw them under the bus with the following disclaimer.
This is an interesting statement considering that, on their website, they wrote that “in January 2019 we launched Shadow, a tech company focused on enabling organizers to run smarter campaigns.” So which is it? Did you launch the company or just invest in it? In any event, it looks like all mistakes are going to be blamed on Shadow. In this light, a statement on the Shadow website seems particularly ironic. “We see ourselves as building a long-term, side-by-side “Shadow” of tech infrastructure to the Democratic Party and the progressive community at large.” Yeah, it looks like you succeeded in casting quite a shadow.
The app was made to send local results to the central committee via smartphones. They were to be backed up by regular phone lines, in case something went wrong with the app. Before the caucus, Troy Price, the chairman of the Iowa Democratic Party, claimed that “we are fully prepared to make sure that we can get these results in and get those results in accurately.” The apps capabilities were kept secret and it was not independently tested. Interestingly, and, again, ironically, here is the Twitter page for Gerald Niemira, the CEO of Shadow.
So what happened? All we know, at this point, is that people could not use the app to send in their results. Some said they could not log in. If, for the purposes of this post, we look at this from the hacking angle, this could either mean that there was a malicious DDoS (Distributed Denial of Service) attack, an accidental DDoS attack, or someone stole the login credentials of some of the caucus participants. For a malicious DDoS attack to occur, malicious actors would employ bots to overwhelm a server, or servers, with requests, effectively bringing it down. In an accidental DDoS attack, the network operators would not take into account the amount of traffic that could occur, and legitimate traffic could, incidentally, take down the server. Stolen log in credentials would stop caucus participants from using the app.
But if I were designing an attack, I would spearfish one or more of the naive participants, get them to sign in on a spoofed login page, collect their credentials, and take over their identity. This would put me into a position where I could pretend to be them. I could, then, send out more legitimate looking spearphishing emails from their accounts or just use the stolen accounts as a platform to move through the network and collect more data.
Ideally, with my new identity, I could download the caucus app and back engineer it. If a nation-state attacker was behind such a ploy, they could alter the app to include malware. They could even get others to download the infected app by issuing a fake update.
Alternatively, if I gained a foothold on the network, I could get access to the network’s reporting mechanism which the app would use. Here, I could alter the reporting parameters, making the app send in false results or no results at all. I could also change the land line reporting numbers to make calls go anywhere but to the central committee. In short, no results, or manipulated results would be reported. Caucus leaders were required to submit their results via the app and include a photo of the result report form (Caucus Math Sheet). It is possible that the two did not match and this triggered a halt in the process. Others claimed that the app kept resetting and they did not have time to record the results. In this case, this would probably indicate a design flaw. The latest explanation from Shadow claims that the results reported from the app were incompatible with the data compiler at the central committee. This doesn’t seem to make much sense. Wasn’t this tested beforehand?
Hacking smartphone endpoints is always the easiest vector to exploit. From what I have read, caucus participants would be able to use the caucus app on their own smartphones. In other words, individuals, some of whom, no doubt, lacked cybersecurity savvy, were personally responsible for securing their phones and behaving responsibly while online. Remember, when it comes to endpoints, you only need one vulnerable one to compromise an entire network. This was a disaster waiting to happen.
I must reiterate here that I’m not saying that a hack was responsible for the lack of timely results. I am, however, pointing out where vulnerabilities lie when adopting this smartphone reporting method. All elections are headed into the cyber realm. In an ideal world, this would be a huge step forward for democracy. Unfortunately, it would be a huge step into cybersecurity insecurity at the same time.
But if the Iowa Caucus app was hacked, who would do it and how would they benefit? There are a number of possible bad actors who would hack the caucus for a variety of reasons. Some nation-state hackers would be happy just to tarnish the American election process. Others may specifically want the Democrats to look bad. In addition, there may be others who believe that such a hack would benefit a particular candidate. Maybe they could manipulate the app to achieve this end. Finally, since this occurred on the same day that President Trump would be delivering his State of the Union address, it could have been done to make him look good by comparison. In short, nation-states such as Iran, Russia, North Korea, and China would gain benefits of one kind or another, but political groups could also benefit.
It was only a matter of time before someone got their hands on the app’s code. Motherboard got it shortly after the caucus. When experts analyzed the app, the general assessment was that it was amateurish in design and readily hackable.
ProPublica had cybersecurity firm, Veracode, inspect the app. The firm found that, “an adversary could exploit it to intercept and change caucus results as they were being submitted through the app.” But from what I have read elsewhere, problems more likely evolved from a lack of training for those using the app. Some people were logging in with their precinct number rather than their pin number, for example. Again, this just shows that app developers assume more cyber awareness of the people using their app than the users actually possess.
Dan Guido, CEO of cybersecurity consulting firm, Trail of Bits, stated that “at minimum, we would have recommended restricting it to only phones that meet certain minimum criteria.” Among these criteria should be a foolproof way to protect endpoints from both irresponsible users and malicious hackers. This can only be guaranteed with hardware-based protection.
In some ways, the Iowa Caucus debacle was a positive development. Some failure in voting app use has to occur in the inevitable move from analog to digital voting. This will be a long, pothole-riddled road. Other problems will be encountered which will be far worse than those we have seen in Iowa. The trip will be a rocky one but, in the end, it will probably require all voters to use devices that meet specific cybersecurity standards to qualify for cyber voting. This whole process will be similar to the change that we have seen in income tax filing. In 2001, only 30% of people filed their income tax online. Today, the number is over 90%. So, it seems, the journey towards safe online voting is just beginning, and I have a feeling I’ll be writing about this topic again.