One of the ongoing concerns about the move away from paper ballots to other sorts of electronic voting mechanisms is the vulnerability of these systems to tampering. Doubly so, perhaps, when the voting moves online. But Internet voting could conceivably provide a way for overseas and military voters to easily return their ballots, and so it's something that many municipalities are rightly interested in.
The District of Columbia has been conducting a pilot program that would provide online voting for absentee voters, and the city held a test in which they invited the public to help evaluate the system's security.
Enter Alex Halderman, who detailed on his blog the ways in which he, along with a team of PhD students from the University of Michigan, was able to find a number of exploits in the city's online voting system. And find them quickly: "Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters' secret ballots."
Multiple Vulnerabilities in Online Voting
Absentee voters have the opportunity to either download a PDF and return it by mail or upload a completed electronic document. And vulnerabilities were found in the way the system processes these uploaded ballots. "We confirmed the problem using our own test installation of the web application," says Halderman, "and found that we could gain the same access privileges as the server application program itself, including read and write access to the encrypted ballots and database."
Other vulnerabilities included:
- The ability to collect secret data stored on the server, including the database username and password as well as the public key used to encrypt the ballots.
- Ballots that had already been cast could be modified to contain write-in votes for certain candidates.
- A back door was installed to let the researchers view ballots cast after the initial attack, showing how voters had cast their ballots.
- To show that they had control of the server, they left a "calling card" on the system's confirmation screen, which voters see after voting. After 15 seconds, the page plays the University of Michigan fight song. Here's a demonstration.
What This Means for Internet Voting
As Halderman notes, the specific vulnerability that he and his group exploited was pretty simple to fix. However, it is a lot more challenging to make the system secure. As he notes, "We've found a number of other problems in the system, and everything we've seen suggests that the design is brittle: one small mistake can completely compromise its security."
And while it's frightening that these vulnerabilities were found within just a few days of asking people to challenge the system's security, it's commendable that the District of Columbia asked for testing of systems that researchers have long said contained many vulnerabilities.
Photo credits: Flickr user LD Cross