Verified Voting Blog: Dangers of Internet Voting Confirmed

For years, computer security experts have said that casting ballots using the Internet cannot be done securely. Now, after a team from the University of Michigan successfully hacked the Washington D.C. Board of Elections and Ethics (DCBOEE) public test of Internet voting, we have a visceral demonstration of just how serious the threats really are.

Prior to rolling out the Internet voting system this November year, the DCBOEE allowed a 5 day trial period, inviting the public to test the ballot casting system and probe its security. Despite short notice given to the public, Dr. Alex Halderman and a team of students took up the challenge. What they were able to achieve in 36 hours demonstrates how vulnerable Internet voting is to a whole host of attacks, and how serious the security threats really are.

In testimony before the DC Council Hearing of The Committee on Government Operations and The Environment, Dr. Halderman detailed the extent to which his team was able to take complete control of DCBOEE’s Internet voting system:

  • In initial probes of the DCBOEE’s network, the Michigan team discovered that a master password had not been changed from the original system default. By simply looking up the default password in the owner’s manual they were able to take control not only of the Internet voting software and the hardware that controls network communications, but access security camera video feeds and watched staff configure the system and enter passwords.
  • Using multiple methods of attack, Dr. Halderman’s team used a common hacking technique called shell injection to control the web form used by voters to cast votes . They not only changed the results of all votes cast during the test (big winners were HAL 9000 and Master Control Pro), but they played the University of Michigan fight song after a voter cast their ballot.
  • Even more disturbing, the team found that they were not the only ones probing the system. After the Michigan team took control of the system, they noticed attack attempts originating in Iran and China probing the same default passwords they had used. Taking on the role of defender of the DCBOEE network, the team blocked these foreign attacks, changing the network password and adding other security measures.
  • Exploring files on the test voting server, the team found a PDF file that contained the actual PIN numbers sent to overseas voters for use in November. These PINs are the ‘secret’ identifiers that voters would have used had the system been deployed. The Michigan team probed the system as white hats, but others with more malicious intent could have easily obtained this document with equal ease and cast false votes for every single voter in the coming election.

In his testimony, Dr. Halderman noted that while the individual weaknesses they exploited can be fixed, this and any other Internet voting system will have many other vulnerabilities that will be discovered by others. Flaws and vulnerabilities cannot be avoided because they are part of the structure of the Internet.

In response to the demonstrated ability of hackers to take control of the DCBOEE system, officials had no option but to cancel deployment of Internet voting in November. But do legislators and election officials fully understand what Dr. Halderman’s team has taught us? We’ve been given a lesson on how easy it is for attackers to penetrate and control not just this system, but any Internet voting system. Now the question is, will States moving forward with Internet voting pay attention and learn?

httpv://www.youtube.com/watch?v=LaR7n5PI_aE
httpv://www.youtube.com/watch?v=SDHtSU4qKzw
New York Times – Voting Test Falls Victim to Hackers
Computer World – Security concerns prompt D.C. to suspend Web-based overseas voting
Computer World – D.C. Web voting flaw could have led to compromised ballots

3 responses to “Dangers of Internet Voting Confirmed”

  1. Mitch Trachtenberg says:

    Thank you for posting this important information, and many thanks to Prof. Halderman, his students, and the others on the panel.

    In my opinion, the most important part of your posting is this:

    Dr. Halderman noted that while the individual weaknesses they exploited can be fixed, this and any other Internet voting system will have many other vulnerabilities that will be discovered by others.

    The important issue is not whether DC did a good job, a mediocre job, or a poor job of implementing internet voting. The important issue is that top computer scientists, who have worked on network security for their entire professional careers, are warning the rest of us that INTERNET VOTING CANNOT BE SECURE, at least while retaining voter anonymity, at least on the internet as it exists today. That is a lesson that politicians MUST learn.

    Anonymous voting is best done by going to a controlled location, receiving and then marking a piece of paper, and watching as the paper is deposited in a box that is watched by multiple people. Chain of custody controls can then be maintained on the box’s contents until they can be counted.

    The only time people should be offered a less secure method is when they are incapable of voting in that way. And if the method must be less secure, it should still be as secure as is possible. So, for example, mail voting is better than remote electronic voting, machine-assisted voting with a voter-verified paper audit trail is better than machine-assisted voting without such a trail, and so on.

  2. […] warning message has been delivered in academic papers, at conferences on voting, on blogs, in talks at google – in every venue where they can make their position public. In 2010, […]

  3. […] warning message has been delivered in academic papers, at conferences on voting, on blogs, in talks at google, in public hearings – in every venue where they can make their position […]