Hackers are going to try and influence the U.S. election, and they'll try to use you to do it.
Two weeks ago an enormous distributed denial of service attack crashed the servers of Dyn, a domain name services company that lets users find their way around the internet. (As a brief recap, domain name services, or DNS, are what translate text URLs into a digital address that your computer and web servers can recognize.)
This attack was launched using a novel piece of malware that grabs traffic from internet-enabled devices like DVRs and thermostats to overwhelm a target's security. It's not the first time something like this has happened; denial of service attacks are common, but it does mark a sea change in tactics. By grabbing hundreds of thousands of small devices, the hackers enlisted a massive number of unwitting consumers and their internet-of-things (IoT) devices into the hack.
While hackers have always used zombie bots, this is such a difference of degree as to be a difference of kind.
Now, experts say, hackers are gearing up to do the same thing again. This time the target is Tuesday's election.
"There's a number of different avenues to go down in terms of concern," said Neil Feather, president of SiteLock Web Security. "For me one of the big ones is the concerns about denial of service to infrastructure or something larger. There was obviously the big denial of service attack that happened a couple of weeks ago and there's a lot of speculation, I think well founded, that that was kind of a test for something more impactful."
It would only take, he pointed out, "a few strategically placed" infrastructure targets to have a real impact on voting.
Even before Tuesday itself, however, there is concern about a campaign of misinformation, launched using a combination of identity theft, clickbait and old-fashioned gullibility.
"More concerning, a bit less talked about and probably, frankly, easier to pull off," Feather said, "is for attackers to create some well strategized misinformation around the election. I've seen already some rumors and talk of voters being sent information that they can text in votes, for example, and trying to disenfranchise voters with misinformation."
Take, for example, this Twitter campaign encouraging Clinton voters (often in Spanish) to text in their vote. Trump supporters must still go to the polls.
It takes very little for hackers to pick up and broadcast a message for target audiences. One of the best ways to do that is by stealing a user's social media passwords and posting links from their accounts in an attempt to fool friends and contacts by posing as a trusted source. It's similar to e-mail spoofs, but with an added element of outright identity theft.
This is possible not because Facebook or Twitter have lax security, but because most users rely on only a handful of passwords across most sites. As a result, breaches like those at Yahoo, Target and Home Depot (just to name a few) supply bad actors with e-mail addresses and login data that they can cut and paste across dozens of other common websites.
Often enough, it works.
The goal for misinformation hacks is to penetrate a user's "trusted network." While a voter might not credit information spread by 95% of their Twitter follows or Facebook friends, something posted by a coworker or personal acquaintance has the patina of reliability. This could include outraged clickbait or more cut-and-dried deception, like an announcement that polling places have extended hours, designed to create confusion and frustration among voters.
Legitimate users then rebroadcast the information in good faith, often including original links from the hacked account, which are, as often as not, little more than spear phishing sites.
"I've seen a lot of fake stories on my own personal Facebook feed," Feather said. "Probably the biggest one that went out was around President Obama trying to delete tweets that he had put up about Hillary Clinton to withdraw his support for her."
"Part of the problem is that we've been a little bit conditioned to believe and not to question what we see on social media, so I think that makes for fertile ground for that kind of thing to happen," Feather added.
Colombian hacker Andrés Sepúlveda used this technique to successfully manipulate elections in Latin America for nearly a decade, and now it looks like the tactic is coming to America.
U.S. presidential elections are particularly vulnerable to this kind of interference, as pointed out by James Scott, a Senior Fellow with the Institute for Critical Infrastructure Technology. Despite the coverage of "swing states," in fact most presidential elections come down to only the handful of competitive districts within that handful of competitive states.
A sophisticated hacker can have a disruptive impact by targeting just those few districts around the country and, given that dark web trolls can buy the voting records for all 50 states, precision identity theft would be fairly easy.
Still, Scott is less worried about socially engineering the election.
"That stuff is real," he said, "but we've seen things like that. It's going to be around, but I don't think it's going to be anything that could really affect an election."
More likely, he said, hackers will go for mass market targets.
"I think that you will see attempts to interrupt media people in particular," he said. "I'm just grabbing a random name, like Sean Hannity, somebody who is a high profile guy on a particular side. I can definitely see hackers hacking into social media accounts, gaining access and [sending] script-kiddy style tweets from Sean Hannity. Stupid stuff like that."
Beyond identity theft, the other major concern is an internet of things attack. The assault on Dyn has professionals deeply concerned, not least because of the potential for information and infrastructure-level disruption on Tuesday. Although some reports have raised the concern about truly catastrophic-level events, such as an assault on the power grid or manipulating the traffic lights in a major city, these are increasingly, even incredibly, unlikely scenarios.
"I don't really see any of that smart city hacking happening," Scott said, "you know, where all the lights are green."
More likely is an attack on information and websites, disrupting access to news or city government outlets while people are trying to vote. For individual hacktivists (or script kiddies), the most likely bad actors in Scott's opinion, the cloud power offered by hijacking the internet of things is plenty to target and probably take down a few individual websites.
It would be enough to grab the headlines away from an election, and confuse voters who are already dealing with a system that's challenging as it is.
"Given the fact that election day is time boxed, disruption for even a couple of hours can have a pretty significant impact," Feather said. "When you do your risk assessment, it's probability times impact, and I think it would be a very big deal not only from an actual impact perspective but also from a perception standpoint."
American elections are disturbingly easy to hack already. Voting machines run on proprietary code which it's a felony to examine, and often produce no hard-copy records. Researchers have already demonstrated how to tamper with these machines without breaking any of their tamperproof seals, with one team reprogramming a Sequoia AVC Edge to play Pac-Man instead of recording votes. Only a few major companies make almost all of the machines used nationwide, meaning that hackers don't have to target thousands of jurisdictions, just the few networks on which updates and software for these machines are coded.
It doesn't matter if the voting booth never gets plugged into the Internet if malware arrives in the system update.
Finally, as noted above, hacking an election can be subtle. A few percentage points in a few precincts is all it takes to sway elections for the House, Oval Office or Senate.
In the meantime, however, individuals should do their best not to become a part of the problem. Update all of your internet-enabled devices regularly, and change the password to your social media accounts. Otherwise, you might accidentally help hack an election.