While most of the attention of international media was on the voting snafus in the Iowa Democratic caucus earlier this month, a much more serious incident was developing in Israel. The registration data of all of Israel’s 6.5 million voters was leaked thanks to a faulty download site for the Likud party’s election management app. The breach included full names, addresses and identity card numbers for all users.
How did the Israel voter data breach happen?
The culprit in this breach was not a faulty app, but the public-facing website that directed interested parties to the app downloads.
An app called Elector was used by Prime Minister Benjamin Netanyahu’s Likud party to deliver election-related news to supporters. However, in Israel each party is given access to the government’s database of basic contact information for all registered Israeli voters regardless of their party affiliation.
The app’s official website leaked the administrative username and password via an unprotected API endpoint listed in the homepage source code. Accessing it required no hacking acumen: anyone who cared to view the source code for the page could see the admin login credentials listed in plaintext simply by clicking through the “get-admin-users” link.
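The flaw described above, as an added example (not Feed-b's code and not taken from the article): a release check that calls every route with no session and fails if a response contains credential-like fields, run against a weak handler and a corrected one. Only the "get-admin-users" name comes from the article; the handlers, the record values and the `audit` function are hypothetical.

```python
import json
import re

# Key names that should never appear in a response served without authentication.
# Heuristic match: it errs on the side of flagging too much.
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)

def sensitive_paths(value, prefix=""):
    """Recursively yield JSON paths whose key name looks like a credential."""
    if isinstance(value, dict):
        for key, child in value.items():
            path = f"{prefix}.{key}" if prefix else key
            if SENSITIVE_KEY.search(key):
                yield path
            yield from sensitive_paths(child, path)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from sensitive_paths(child, f"{prefix}[{i}]")

# Constructed admin record with placeholder values only.
ADMINS = [{"username": "admin-placeholder", "password": "PLACEHOLDER"}]

def weak_get_admin_users(session):
    # Behaviour described in the article: no session check, secret serialized.
    return 200, json.dumps(ADMINS)

def hardened_get_admin_users(session):
    # Reject anonymous callers, and never serialize the secret, even to admins.
    if not session or session.get("role") != "admin":
        return 401, json.dumps({"error": "authentication required"})
    return 200, json.dumps([{"username": a["username"]} for a in ADMINS])

def audit(routes):
    """Call every route with no session; report routes that leak credential fields."""
    findings = {}
    for path, handler in routes.items():
        status, body = handler(None)
        leaked = list(sensitive_paths(json.loads(body))) if status == 200 else []
        if leaked:
            findings[path] = leaked
    return findings

WEAK_ROUTES = {"/get-admin-users": weak_get_admin_users}    # hypothetical route table
FIXED_ROUTES = {"/get-admin-users": hardened_get_admin_users}

if __name__ == "__main__":
    print("weak: ", audit(WEAK_ROUTES))
    print("fixed:", audit(FIXED_ROUTES))
```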
Both the Elector app and website were created by a software development company called Feed-b. The company took both the app and website down on February 11 and reported having fixed the issue, but could not say how long the vulnerability had been present or whether there had been any illicit access of the voter data. The Elector app has been available since May of 2019; it is unclear if the admin login credentials have been visible for that long, but that is the maximum potential breach window.
While Likud is allowed to have access to this trove of voter data, Israeli political parties are not supposed to share it with third-party contractors or developers. The Israeli Justice Ministry’s Privacy Protection Authority (PPA) has announced an investigation into the incident. However, it is unlikely that anyone involved with Elector or Likud will face legal consequences as Israeli privacy law does not have allowances for fines or criminal charges in this sort of situation.
Election manager breach part of a trend?
The issue with the voting app in Iowa was a major news item, but it was hardly the first or most serious incident of this nature. It is rare for a breach of a country’s election system to be an “unforced error” of the sort seen in this breach of the Israel election management app, however. Advanced hackers backed by nation-states usually have to work hard at penetrating foreign voter data systems to obtain these sorts of personal details.
James Carder, Chief Security Officer & Vice President of LogRhythm, expanded on why attacks on exactly this sort of voter registry information are part of a dangerous trend:
“It is worrisome that an app developed specifically for elections did not have advanced security measures in place – especially when millions of voter records were contained within it. Unfortunately, in this Elector incident, personally identifiable information including names, addresses and phone numbers for over six million voters was left exposed. This data can now be weaponized in future attacks, and it leaves those impacted vulnerable to future fraud.
“On top of that, these types of incidents can have real geopolitical ramifications. Exposed voter information could easily lead to fraudulent voting, allowing cyber criminals to manipulate the voting system and potentially elect individuals or pass laws that the population wasn’t going to support. And given how connected our world is – with nuanced diplomatic relations and economic unions – those fraudulently approved officials and laws could then have international ripple effects.
“This incident should serve as a wake-up call for other developers of election technology. Just last week, the U.S. had an issue with an app for the Iowa caucuses. While the situation in that case was less about security and more about general functionality of the app, the incident with Elector demonstrates the potential damage of hastily built election applications. And either way, these breaches and malfunctions can infringe upon the trust and confidence citizens have in their government; it could make them wonder how long these types of malfunctions and vulnerabilities have existed and if they’ve managed to compromise past elections.
“Cybersecurity around all elections should be a hyper-focus. Given the sensitive nature of the data needed to execute an election and the national and global impacts of the results, developers of election technology – whether it’s an app or something else – need to take the necessary precautions to protect voter data. First and foremost, anyone creating these technologies should employ secure software development and application security best practices. This will help identify and remediate any code-based vulnerabilities before the technology is made available to the public, and it will also assist with maintaining the security of the application as maintenance is performed. And then anyone collecting or storing this information should have real-time monitoring and clear visibility into their operations. This will allow them to rapidly detect and neutralize security threats.”
The election management site breach is an extremely serious oversight on the part of the Likud party, and something that very much should have been detected. Attacks on government systems seeking exactly this sort of information have not been unusual in recent years. A similar incident in Bulgaria in mid-2019 saw the theft of the personal information of about five million voters from the country’s national tax agency. A string of hacks on Click2Gov payment portals from 2017 to 2018 is expected to have been responsible for the theft and sale of some 300,000 records of personal and payment information for taxpayers and property owners. And in 2015, a hack of the US Office of Personnel Management that had been ongoing for about a year exposed the personal information of 22.1 million current and former federal employees. Those are just a few of the largest examples.
This is also not the first data breach issue for Likud. Just a few short months ago, the party had a separate election management database of about a million “persons of interest” breached by a reporter for financial newspaper The Marker. As with the more recent breach, the reporter was able to simply walk right through the front door and obtain this personal data with no hacking involved – this time it was in an unsecured database accessible via an app that Likud was planning to use for monitoring polling stations. This election management database contained similar personal information and was likely built from the same voter data found in this more recent breach, but some entries had designations like “supporter” or “non-supporter” appended to them.
What happens when the government is breached?
The voter data leaked in this breach increases the risk of identity theft and personalized scam attempts for just about every adult citizen of Israel. It’s a “doomsday scenario,” roughly equivalent to a leak of home addresses, phone numbers and Social Security numbers from a United States government election management database.
Javvad Malik, Security Awareness Advocate for KnowBe4, reflected on how this leak came to be and how similar election management data breaches might be prevented in the future:
“Any time vast amounts of personal information are being collected, processed, and stored, all aspects of security need to be taken into consideration. Application security remains a concern for a large number of organisations, and not a week goes by where vast amounts of data aren’t exposed due to misconfigured cloud buckets which set permissions to public.
“It’s important for organisations to realise that there is no step they can take to fix these issues, and neither is there a 7-step plan that can be followed that applies to all scenarios. Rather, a culture of security needs to be embedded within organisations so that the right questions are asked at the right time to account for risk and potential exposure, and based on that, ensure that the most effective controls are implemented.
“Without this change in mindset, we will continue to see breaches occur. And with so much information digitally available, the impact will only continue to grow.”
And Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, addressed the specific issue of API vulnerabilities such as the one seen in this election management app breach:
“Security weaknesses affecting APIs are rapidly becoming one of the most critical aspects of modern application security. Their complexity and architectural obscurity hinder security testing with traditional tools and automated scanners. As a result, many dangerous security flaws remain undetected for years.
“Often, the APIs are riddled with a full spectrum of OWASP API Security Top 10 issues, some of which are intertwined and require chained exploitation. Moreover, compared to web applications, virtually no APIs or web services are protected by a WAF, making them a perfect target for cybercriminals. Worse, such attacks are hard to spot and frequently remain undetected, unreported and uninvestigated.”
None of this will be any help or comfort to the people of Israel, who are left to wonder who might have scraped their sensitive voter data while it was available and what they might end up doing with it.