Melodifestivalen voting fail

In Sweden every year nearly half the citizens are glued to the TV watching Melodifestivalen, a music festival and song contest where watchers vote for their favorite acts. The winning act is then sent off to compete at the Eurovision Song Contest flying the Swedish flag.

With some 3.7 million people tuned in, this is a perfect opportunity for a hacker to show off, cause trouble and generate publicity. That is what likely happened during a recent show when the new-fangled voting system went completely down, on the last day of the show. Not only that, all the existing votes from the two previous nights got purged. Talk about embarrassing.

The problem, according to a published report, was the brand new smartphone app used for voting.

More than half a million people used the app for earlier votes without a problem, but on the last night disaster struck, with the televised crash leaving the organization looking into the possibility of a hack.

What makes the diagnosis so tough is the large volume of votes that may have simply overwhelmed the servers. In fact, the system failed just as it was at peak load, which could mimic the impact of a denial of service attack. Still, there is the possibility that the system was compromised by a massive amount of fake votes. However, the login system could have blocked that sort of attack.

Fortunately for the Melodifestivalen festival, the smartphone app was not the only means of voting, and by the time the app crashed more than a million and a half voters had had their say, with the eventual winner far ahead in the lead.

Lessons to learn

While there is still a bit of mystery surrounding the Melodifestivalen incident, there are also lessons to be learned. First, the fact that the source of the problem was unknown for so long is a problem in itself. An incident this dramatic leaves equally dramatic clues. Any proper security system, trained IT staffers and decent forensics should have solved this mystery faster than Sherlock Holmes. More critically, if this was a denial of service attack, it should have been stopped in its tracks. If a trove of fake votes was the culprit, then it should have been anticipated and strict measures taken to prevent it.

Security is important for any organization, but when you have 3.7 million TV viewers hanging on every vote, the stakes are indeed high. I hope that if this was a hack, it is not part of a trend where the bad guys are only looking to make a bold public statement.