The convenience of mobile voting makes it a prime target for hackers
According to the United States Elections Project, approximately 138 million Americans voted in the 2016 presidential election, only accounting for 58.1% of the eligible population. With the 2020 election season ramping up, officials are considering new ways to drive voter participation, including exploring mobile voting.
When it comes to participation, mobile voting pilots to date have been a success. A recent study of a 2018 pilot in West Virginia measured a three to five percentage point increase in voter turnout. However, mobile voting also introduces new threats. If the mobile devices used to vote are compromised, there is a significant risk that malicious actors could manipulate or intercept votes by taking control of the device, directly impacting the validity of our elections.
During the 2018 election cycle, the U.S. attorney for West Virginia received a report detailing an attempted intrusion to access the mobile voting pilot app. In response, the Justice Department announced an FBI investigation into the alleged hacking attempt, which found the hackers to be unsuccessful, but shows that the threat is very real.
Risks state and local governments must consider
Potential voters may assume that the mobile voting applications are safe to use. However even when apps are secure, devices could already be compromised. This can be a result of various actions, including clicking links that download malicious apps or leaving the device exposed through vulnerabilities or malware. According to Lookout research, 56% of Lookout users have clicked on a phishing URL while on their mobile device between 2011-2016.
The high percentage of users that fall for phishing links illustrates how easily devices can be compromised by installing malicious third-party applications. While we typically think of phishing as a method of stealing credentials, malicious apps can go much further, to install applications that make devices insecure and enable bad actors to access cameras, speakers and a broad range of stored information.
Phishing isn’t the only way this can occur. It is also just as easy for users to unknowingly download malicious apps from third party app stores, similarly compromising their devices.
As a result, even if a voting application is protected, the device may already host malware due to a previous action taken by a user. As a result, all the sensitive data shared through the app is also put at risk, creating a privacy concern for potential voters and an election integrity concern for the government.
Protecting the election starts with protecting voters
To best protect voters from becoming a victim on election day, local governments should educate users and encourage them to follow basic mobile security best practices. These include keeping applications and device software up to date, using caution when downloading mobile apps, avoiding unsecured public Wi-Fi and considering mobile security solutions with advanced phishing protection.
The public and private sectors need to continue to work together to secure all facets of the election. For instance, Defending Digital Campaigns, a nonprofit focused on providing access to cybersecurity, is partnering with companies to offer free or low-cost email security, encrypted messaging and security training to election campaigns and committees. These types of efforts are critical to keeping elections secure, starting from the campaign process.
To get to a point where we can fully embrace mobile as a platform to cast official votes, government officials need to move security to the device itself and adopt a post-perimeter security solution that protects against phishing attacks, including on social media, messaging applications and games, and malicious apps. Device security is a baseline to keep data–and our election process–safe. This post-perimeter security approach is the necessary architecture for governments as the convenience of mobile voting makes it a new reality.
Bob Stevens is Vice President of Americas for data security firm Lookout.