Could bots swing Brexit?
How reliable are Parliament petitions? And could bots change the UK’s future? These are the questions our Chief Security Officer, Gerry Grant has been mulling over.
First up I’m not saying that this has happened, just that it COULD happen.
Second, this isn’t the only petition on the Parliament site that is vulnerable to this type of attack, so this article is NOT a comment on my opinions of Brexit.
Third, if it has happened on this petition it almost certainly wasn’t the Russians.
The BBC published an article (https://www.bbc.co.uk/news/technology-47668946) suggesting that ‘bots’ probably are not gaming the popular ‘Revoke Article 50’ petition that resides on the House of Commons website (and which as I write has over 5 million signatures). By gaming we mean attempting to fix the results of the petition. The BBC even quotes a couple of cyber security experts (both of whom I greatly respect by the way) saying that the verification process used by these petitions would be a deterrent.
Well I hate to disagree but here goes.
The process for signing one of these petitions works like this:
Step 1: User visits the petition webpage and hits the button to sign the petition.
Step 2: User fills in their details, including email address and presses continue.
Step 3: The web site confirms your email address and then sends an email to that ‘unique’ email address.
Step 4: The user receives an email with a link to click. Once the link is clicked the users name is added to the petition. If the email address has been registered on the petition before an email is sent to the user to inform them that they have already had their name added to the petition.
All pretty decent and seems to prevent any bots or malicious actors from adding lots of fake names to the petition.
So how would you game this system?
This is going to require a couple of requirements to be successful. First a list of names, postcodes and access to a significant number of unique email addresses. Nobody has the time to manually create and populate a meaningful number of petitioners and respond to the corresponding amount of emails (think 5 figures plus) so scripts are needed to automate all of this work.
The first two requirements are easy to obtain. There are thousands of lists of names available, both common first names and surnames. Download one of these lists and it is a simple task to write a script to generate thousands of unique names that are going to sign the petition.
Creating random postcodes is just as simple. Again, it is possible to download every postcode in use in the UK. This list will even tell you what Parliamentary Constituency each postcode belongs to. In theory an attacker could write a script to assign postcodes to each ‘unique’ user that is in a constituency that voted leave. This could create the impression that these areas have changed their mind since the 2016 referendum in regard to Brexit.
The most difficult aspect to ‘fixing’ the result of the petition is the creation of all the unique email addresses. No signature is added to the petition unless the ‘user’ clicks on a link to verify that they have access to the unique email address that is used in the sign-up process. So how would a malicious actor get around this?
There are many different websites that offer ‘temporary’ email addresses to people. These websites offer a great service allowing people to sign up to online services without having to give away any personal details. Every time a user visits one of these sites, the service will give them a new unique email address. These email addresses can last for anything from 10 minutes to over 24 hours.
Now we have all of the elements needed to start creating fake signatures, all of which will look like they come from the UK and start to boost the number of signatures on the petition.
The workflow would then look a bit like this:
Step 1: The script will generate a fake name and select a valid postcode
Step 2: The script creates a unique email address using the API (application programming interface) of one of the temporary email services
Step 3: The script visits the petition website and fills in the details, confirms the email address is correct
Step 4: The script monitors the email inbox for the verification email and ‘clicks’ the link
I’m no programmer but I reckon that I could write the script for this in an afternoon. It’s worth noting though that the email creation method described above is not the only way to do this. There are other ways.
The email verification check in place for these petitions may deter some of the less determined attackers but for those that are even slightly more motivated, ‘gaming’ the system is relatively easy.
So, what other deterrents could be put in place?
To make things even more difficult for attackers the website developers should implement a reCaptcha code to make users prove that they are not a robot. In addition, monitoring IP addresses would allow repeat visitors to be blocked.
Andrea Leadsom has said regarding the petition - “Should it reach more than 17.4 million respondents, I am sure there would be a very clear case for taking action.” Well if someone is willing to give me immunity from the Computer Misuse Act and leave me in peace for a couple of hours, I’m pretty sure I can write a bot that will deliver that number for her.