Security Researchers Publish Details of Online Voting Hack
In late 2010, Michigan researchers led by Prof. J. Alex Halderman were in the news for hacking into the test bed for Washington D.C.'s new Internet voting system. Now the team is back in the news after publishing the details of the hack at the 16th Conference on Financial Cryptography and Data Security, on Feb. 28.
The researchers, graduate students Eric Wustrow and Scott Wolchok, Dawn Isabel of the U-M technical staff, and Prof. Halderman, released the technical details in their paper entitled "Attacking the Washington, D. C. Internet Voting System."
In the paper, the researchers describe how they examined the code for the system and found a shell-injection vulnerability, exfiltrated data, and created a compiler that substituted malicious ballots for genuine ones. In addition, they were able to steal the cryptographic secrets used in balloting secrecy, steal the key to replace past and future votes, and unearth 937 pages of supposedly secret passwords that actual voters were mailed to give them access to the system. They modified the system to play the Michigan fight song on the thank-you page after each ballot was cast. Finally, they sanitized system logs to cover their tracks. Of additional interest, the researchers were able to take over the security cameras that monitored the voting system server. They also detected and defended against an additional attack on the system that they trace to the Persian Gulf region.
In summarizing their findings, the researchers point to many vulnerabilities that make electronic voting, and particularly on-line voting, virtually impossible to secure. Among the weaknesses they point to are the use of commercial open source software to develop systems, the lack of an ability to audit cast ballots, tensions between ballot secrecy and integrity, architectural brittleness in web applications, and the exposure of the system to Internet-based threats.
Speaking as part of a panel discussion on e-voting at the RSA Security Conference on March 1, Prof. Halderman reiterated that because of the many challenges of securing on-line voting, the technology simply can't be used safely in the foreseeable future.
Posted: March 12, 2012
Attacking the Washington, D. C. Internet Voting System, by Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman. Presented at the 16th Conference on Financial Cryptography and Data Security, Feb. 28, 2012, Kralendijk, Bonaire.
The Register: Election hacked, drunken robot elected to school board (3/1/12)
Slashdot: Voting System Test Hack Elects Futurama's Bender To School Board (3/2/12)
Slashdot: In Theory And Practice, Why Internet-Based Voting Is a Bad Idea (3/2/12)
Gizmodo: Hacked DC School Board E-Voting Elects Bender President (3/2/12)
FOX News (video): Electronic Election Fail (3/2/12)
Marketplace: Internet voting way too risky, say experts (3/5/12)
Technorati: Why Internet Based Voting is "Unfixably Broken" (3/5/12)
Washington Post: D.C. vote-hackers publish their vote-hacking exploits (3/6/12)
Slashdot (video): Prof. J. Alex Halderman Tells Us Why Internet-Based Voting Is a Bad Idea (3/12/12)