'Taking your CPU for a joyride': Why this week's cyberjacking raises online voting concerns

A cybersecurity expert at Western University says a new method of hacking that affected websites in Canada and around the world this weekraises security concerns for Ontario municipalities that plan to use online voting in elections later this year.

Aleksander Essex runs Western's Whisper Lab, a small research groupwith a specialized focus on cyber security.

He says in acryptojackingattack, hackers don't steal information or install malware. Instead, they surreptitiouslyuse the computing power of the target's computer to mine digital currencies.

"It's like they're taking your CPU for a joyride," he said.

On Sunday,visitors to government websiteshad their web browsers hijacked into running a Javascriptcalled Coinhive, which is used to mine thecryptocurrency Monero. More than 4,000 sites were affected worldwide including municipalities, public libraries, school boards and public health organizations. More than 200 websites inCanada were affected, including Ontario's Information and Privacy Commission, the city of Cambridge, Ont., and the city of Yellowknife.

The hackers targeted a plug-in called Browsealoud which reads web content for visually impaired users. The hackersswitched theBrowsealoudJavascript with one that runs the crypto miner.

International cybersecurity researcherScott Helmespotted the hack and began to alert operators of the targeted websites. Within a few hours,Browsealoudwas pulled down. It remains offline while the hack is investigated.

Hack used to mine digital currency

But for a few hours, visitors of the affected sites may have unknowingly had their computers used to mineMonero, which Essex said is popular among the "dark web" because it's a more anonymous digital currency than Bitcoin.

In public statements, operators of many of the affected sites were quick to point out that no user information was stolen in the hack. Also, no malware was installed on users' computers.

A statement from Ontario's Information and Privacy Commissioner was typical: "We know that no data was accessed or lost, and the script has been disabled."

City of Cambridge spokesperson George Georgiadissaid it wasn't a hack in the "traditional sense" because no user data was stolen.

But to Essex, the hack is worrying because it shows how easily municipal websites can becompromised, particularlywhen many Ontario municipalitiesplan to use online voting in this fall's elections.

"You could have had a scenario where instead of a crypto miner, they downloaded a vote stealing Javascript," said Essex. "Yes, the hackers were making money today, but maybe in October they're stealing votes. From a technical standpoint, it's something to be watching for and to be concerned about."

Toronto said no to online voting

Essex has consulted with municipalities interested in exploring online elections.

Toronto for example, looked at the idea but opted to stay with paper ballots.

"They studied the problem and concluded that the threats to the cybersecurity side of things were just too great," said Essex.

Guelph used online voting in 2014 but will return to paper ballots this year. Pickering, Ont., a city whose website was affected by this week's attack, plans to have online voting this fall.

'Cyberthreats happen all the time'

Cambridge used online voting in 2014 without a problem and plans to use it again in this fall's election.

Georgiadissaid Cambridge will use a third-party provider called Dominion Voting Systems. He's confident the company has the proper protections in place toensure the integrity of the vote.

Still, he said Cambridge will print paper ballots in the weeks leading up to the election so if any cyber threats pop up, they can revert to traditional voting.

"Cyberthreats happen all the time," he said. "If there's a high risk, we won't go with [online voting]."

Elections Canada abandoned plansto experiment with an online voting pilotproject before the 2015 general election due to budget cuts.

• Elections Canada drops plan for online voting due to cuts

Essex said municipalities placing trust in third-party providers should also consider what's called "penetration testing," essentially hiring others to test the security by trying to hack it.

"Municipalities should fundamentally understand what the limitations of today's internet truly are," he said."Because guess what, it's not unhackable because these cities did get hacked and moving from that to vote stealing is a one step move."