A non-partisan threat: text messages and their impact on election campaign security
Ahead of the 2018 midterm elections, we saw a record number of campaigns use mobile devices as an easy way to reach voters. In fact, NBC reporter David Ingram reported earlier this year that:
"Political campaigns and parties say they’re sending many more texts this year than in past elections as they search for alternatives to social media. Those efforts have been boosted by newly popular software that allows volunteers to send thousands of texts an hour without violating federal rules about bulk texting."
While many see this as a very efficient way to engage voters, others view it as a profitable window for attackers to spread misinformation or trick users into clicking malicious links. In fact, PBS Newshour reported the night before the election that “fake” text messages were sent to voters, one even claiming that the text was from President Trump.
Lookout hosts special briefing on Capitol Hill
Lookout recognized that mobile devices could influence the elections, which is why we held a special briefing on Capitol Hill in early October. During the briefing, we showed congressional staffers how cybersecurity attacks could impact the entire democratic process — from political campaigns and elections to journalists, lobbyists, and activists who participate in the process. At the end of the session, we demonstrated that once a user clicked on a malicious link, the attacker could even control that device’s two-factor authentication token.
Since mobile endpoints played a big role for campaigns in the midterm elections, we thought we’d share insights from our briefing on the Hill, so that voters and campaigns can take precautions in the future. Below are a few of the questions we were asked during the session, as well as the full video from the event.
Congressional briefing on Capitol Hill Q&A
How could an attacker use a mobile device to hack an election campaign?
Mike Murray, CSO, Lookout: The machinery of democracy has become a post-perimeter environment, just like the rest of our society. Campaign processes such as fundraising and neighborhood canvassing used to be done on paper, but now are often handled by mobile devices.
When people think about election security, they sometimes envision disruption out of a Hollywood thriller — selected power blackouts, computer screens going dark, that sort of thing. More prosaic but far more insidious are attacks happening right now targeting technology 95 percent of Americans own today — their phones. Mobile devices follow users everywhere, including chiefs of staff and the candidates themselves.
A mobile device is a far more potent “spy” device than a traditional computer. Attackers have had a lot of practice perfecting social spear phishing campaigns, using publicly available information (known as open source intelligence or OSINT) to research a target’s personal preferences, college attended, etc. Once a text message is clicked on or a malware app is downloaded, that device is owned by the attacker — passwords, camera, audio recorder, everything.
How could an attacker gain access to a mobile voting app?
Mike: Proposals emerging for mobile voting apps certainly raise security concerns. There are millions of phones involved in the machinery of our democracy, and they are vulnerable. The attacks our country saw during the 2016 election cycle have raised the visibility of election security. The good news is there are remedies. In particular, it’s critical for the public and private sectors to work together to help secure elections in a comprehensive way. For instance, private security companies have offered their security software to states and cities for free, and some partner directly with agencies, like the Department of Homeland Security, on an ongoing basis.
What are some of the cyber concerns that election officials are wrestling with, or should be worried about?
Mike: One of the biggest concerns is the targeted release of stolen campaign data to influence the outcome of an election, sometimes known as “the October Surprise.” Think about all the sensitive, confidential information inside any campaign — donor records, voter registration data, campaign strategy calls, unguarded conversations. A single, infected phone at the right level gives attackers access to all of this information. Earlier this year, White House Chief of Staff John Kelly’s personal phone was compromised. No phone is immune.
Over 170 million devices use Lookout endpoint security products. We estimate that at any given time one percent are infected, and for campaigns under constant attack it could well be higher. One percent becomes a very significant number when you consider the size of a national political campaign — ten devices out of every thousand.
How can political campaigns and governments secure mobile devices?
Mike: What’s needed at all levels is an understanding of the full Spectrum of Mobile Risk. To provide the best mobile protection for campaigns today, a mobile security solution must protect against four main vectors of attack:
- Attacks against or through Applications
- Attacks against the Device OS or firmware
- Attacks on the device from the Network or through proximity (e.g. Bluetooth, NFC)
- Attacks against the device through the Web (e.g., phishing) or content delivered to the device
These advanced solutions can be seamlessly integrated with existing Enterprise Mobility Management (EMM) and Mobile Device Management (MDM) platforms to create true mobile protection for today's political campaigns.
How can AI help stop election cyber attacks?
Mike: Modern campaigns can be huge, loosely affiliated operations encompassing thousands of individuals. These people are being targeted by phishing attacks. Surveillance by humans alone simply can’t keep pace and respond in time. There is an expression in security, “The defender has to always be right, the attacker only has to be right once.”
Our work protecting the DNC is illustrative. Fewer than 30 minutes elapsed before Lookout discovered a custom phishing kit being targeted at the DNC. This later turned out to be an unsanctioned security test from a state party, but could easily have compromised the Democratic Party’s voter database. We worked with the technology provider and the DNC to thwart the phishing kit before it could be deployed.