'Taking your CPU for a joyride': Why this week's cyberjacking raises online voting concerns

A cybersecurity expert at Western University says a new method of hacking that affected websites in Canada and around the world this week raises security concerns for Ontario municipalities that plan to use online voting in elections later this year.

Aleksander Essex runs Western's Whisper Lab, a small research group with a specialized focus on cyber security. 

He says in a cryptojacking attack, hackers don't steal information or install malware. Instead, they surreptitiously use the computing power of the target's computer to mine digital currencies.

"It's like they're taking your CPU for a joyride," he said. 

On Sunday, visitors to government websites had their web browsers hijacked into running a Javascript called Coinhive, which is used to mine the cryptocurrency Monero. More than 4,000 sites were affected worldwide including municipalities, public libraries, school boards and public health organizations. More than 200 websites in Canada were affected, including Ontario's Information and Privacy Commission, the city of Cambridge, Ont., and the city of Yellowknife. 

The hackers targeted a plug-in called Browsealoud which reads web content for visually impaired users. The hackers switched the Browsealoud Javascript with one that runs the crypto miner.

International cybersecurity researcher Scott Helme spotted the hack and began to alert operators of the targeted websites. Within a few hours, Browsealoud was pulled down. It remains offline while the hack is investigated. 

Hack used to mine digital currency

But for a few hours, visitors of the affected sites may have unknowingly had their computers used to mine Monero, which Essex said is popular among the "dark web" because it's a more anonymous digital currency than Bitcoin. 

In public statements, operators of many of the affected sites were quick to point out that no user information was stolen in the hack. Also, no malware was installed on users' computers. 

A statement from Ontario's Information and Privacy Commissioner was typical: "We know that no data was accessed or lost, and the script has been disabled."

City of Cambridge spokesperson George Georgiadis said it wasn't a hack in the "traditional sense" because no user data was stolen. 

But to Essex, the hack is worrying because it shows how easily municipal websites can be compromised, particularly when many Ontario municipalities plan to use online voting in this fall's elections. 

"You could have had a scenario where instead of a crypto miner, they downloaded a vote stealing Javascript," said Essex. "Yes, the hackers were making money today, but maybe in October they're stealing votes. From a technical standpoint, it's something to be watching for and to be concerned about."

Toronto said no to online voting

Essex has consulted with municipalities interested in exploring online elections.

Toronto for example, looked at the idea but opted to stay with paper ballots. 

"They studied the problem and concluded that the threats to the cybersecurity side of things were just too great," said Essex. 

Guelph used online voting in 2014 but will return to paper ballots this year. Pickering, Ont., a city whose website was affected by this week's attack, plans to have online voting this fall.

'Cyberthreats happen all the time'

Cambridge used online voting in 2014 without a problem and plans to use it again in this fall's election. 

Georgiadis said Cambridge will use a third-party provider called Dominion Voting Systems. He's confident the company has the proper protections in place to ensure the integrity of the vote. 

Still, he said Cambridge will print paper ballots in the weeks leading up to the election so if any cyber threats pop up, they can revert to traditional voting. 

"Cyberthreats happen all the time," he said. "If there's a high risk, we won't go with [online voting]."

Elections Canada abandoned plans to experiment with an online voting pilot project before the 2015 general election due to budget cuts.

• Elections Canada drops plan for online voting due to cuts

Essex said municipalities placing trust in third-party providers should also consider what's called "penetration testing," essentially hiring others to test the security by trying to hack it. 

"Municipalities should fundamentally understand what the limitations of today's internet truly are," he said. "Because guess what, it's not unhackable because these cities did get hacked and moving from that to vote stealing is a one step move."