Secure Coding mailing list archives

DC voting experiment hacked


From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Date: Wed, 6 Oct 2010 08:14:18 -0400

As many of you know, DC is doing an Internet voting pilot - original
plan was to allow voters to download blank ballots as PDF, mark them,
and submit them (*).  They set up a test server and encouraged anyone
interested to take a whack - which promptly happened.  A team from
Univ of Michigan led by Prof Alex Halderman completely compromised the
system within 36 hours, using a shell injection vulnerability.  They
were able to modify every ballot submitted, as well as make other
changes that they haven't described yet.

This is relevant for readers of this list because voting is one of
those cases where software security has a direct impact on your
government (whether you live in the US or another country)!

(*) After it became obvious that the system was completely hacked, DC
Board of Elections and Ethics backed off, and are now allowing
download of blank ballots, but ballots must be returned by paper mail,
email, or FAX.  Of course that's a mixed blessing - all three of these
have significant issues of their own - especially tampering and
privacy issues with email voting!


Explanation of the technical stuff at
http://www.freedom-to-tinker.com/blog/jhalderm/hacking-dc-internet-voting-pilot

Here's an excellent analysis of the impact by David Jefferson of
Verified Voting.

-----

University of Michigan Prof. Alex Halderman has now released some
details about his successful attack on the District of Columbia's
proposed Internet voting system which has been under test for the last
week.  (See www.freedom-to-tinker.com.)  It is now clear that
Halderman and his team were able to completely subvert the entire DC
Internet voting system remotely, gaining complete control over it and
substituting fake votes of their choice for the votes that were
actually cast by the test voters.  What is worse, they did so without
the officials even noticing for several days.

Let there be no mistake about it: this is a major achievement, and
supports in every detail the warnings that the security community has
been giving about Internet voting for over a decade now.  After this
there can be no doubt that the burden of proof in the argument over
the security of Internet voting systems has definitely shifted to
those who claim that the systems can be made secure.

Computer security and election experts have been saying for over 10
years that the transmission of voted ballots over the Internet cannot
be made safe with any currently envisioned technology.  We have been
arguing mostly in vain that:

1) Remote attack: Internet voting systems can be attacked remotely by
any government, any criminal syndicate, or any self-aggrandizing
individual in the world.

2) Effective defense virtually impossible: There are innumerable modes
of attack, from very easy to very sophisticated, and if anyone
seriously tried to attack an Internet election the election officials
would have essentially no chance at successfully defending.  The
election would be compromised.

3) Attackers may change votes arbitrarily: An attack need not just
prevent people from voting (bad as that would be), but could actually
change large numbers of votes, allowing the attackers to determine the
winner.

4) Attacks may be undetected: An attack might go completely
undetected.  The wrong people could be elected and no one would ever
know.

Prof. Halderman demonstrated all of these points:

1) Remote attack: His team of four conducted their attack remotely,
from Michigan, via the Internet, without ever getting near Washington,
D.C.

2) Effective defense virtually impossible: Although they were
restricted from most modes of attack (which would be illegal even in
this test situation), they still succeeded in completely owning
(controlling) the voting system within about 36 hours after it was
brought up, even though they had only 3 days of notice of when it
would start.  They happened to use one particular small vulnerability
that they identified, but they are quite confident that they could
have penetrated in other ways as well.  Most likely they were the only
team to even attempt to attack the system seriously; yet in a real
election with something important at stake multiple teams might
attack.  The fact that the only team that even tried succeeded so
quickly is a demonstration that lots of other groups from around the
world could also have done it.

3) Attackers may change votes arbitrarily: They not only changed some
of the votes, they changed them all, both those cast before they took
control of the system and those cast afterward.  There is no way that
officials can restore the original votes without the attackers' help.

4) Attacks may be undetected: The attack was not detected by the
officials for several days, despite the fact that they were looking
for such attacks (having invited all comers to try) and despite the
fact that the attackers left a "signature" by playing the Michigan
fight song after every vote was cast!

This successful demonstration of the danger of Internet voting is the
real deal.  It doesn't get any better than this, people.

Alex Halderman, his graduate students Eric Wustrow and Scott Wolchok,
and their colleague Dawn Isabel, all deserve enormous credit,
congratulations, and thanks.

-----