Hackers Demonstrate Vulnerabilities in Internet Voting

One of the ongoing concerns about the move away from paper ballots to other sorts of electronic voting mechanisms is the vulnerability of these systems to tampering. Doubly so, perhaps, when the voting moves online. But Internet voting could conceivably provide a way for overseas and military voters to easily return their ballots, and so it’s something that many municipalities are rightly interested in.

The District of Columbia has been conducting a pilot program that would provide online voting for absentee voters, and the city held a test in which it invited the public to help evaluate the system’s security.

Enter Alex Halderman, who detailed on his blog the ways in which he, along with a team of PhD students from the University of Michigan, was able to find a number of exploits in the city’s online voting system. And find them quickly: “Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots.”

Multiple Vulnerabilities in Online Voting

Absentee voters have the opportunity to either download a PDF and return it by mail or upload a completed electronic document. And vulnerabilities were found in the way the system processes these uploaded ballots. “We confirmed the problem using our own test installation of the web application,” says Halderman, “and found that we could gain the same access privileges as the server application program itself, including read and write access to the encrypted ballots and database.”

Other vulnerabilities included:

  • The ability to collect secret data stored on the server, including the database username and password as well as the public key used to encrypt the ballots.
  • Ballots that had already been cast could be modified to contain write-in votes for certain candidates.
  • A back door was installed to let the researchers view ballots cast after the initial attack, showing how voters had cast their ballots.
  • To show that they had control of the server, they left a “calling card” on the system’s confirmation screen, which voters see after voting. After 15 seconds, the page plays the University of Michigan fight song.

What This Means for Internet Voting

As Halderman notes, the specific vulnerability that he and his group exploited was pretty simple to fix. Making the system as a whole secure, however, is a lot more challenging. In his words, “We’ve found a number of other problems in the system, and everything we’ve seen suggests that the design is brittle: one small mistake can completely compromise its security.”

And while it’s frightening that these vulnerabilities were found within just a few days of asking people to challenge the system’s security, it’s commendable that the District of Columbia asked for testing of systems that researchers have long said contained many vulnerabilities.

Photo credits: Flickr user LD Cross
