DC Internet Vote Scheme Hacker: "Within 36 Hours We Had Total Control of Server, Ability to Change Votes, Reveal Secret Ballot"

Wednesday, 06 October 2010 13:00 By Brad Friedman, THE BRAD BLOG | Report

As we posited in our coverage yesterday of DC's Internet Voting scheme, which was hacked with the University of Michigan fight song, J. Alex Halderman, asst. professor of electronic engineering and computer science at the university, was indeed at the heart of the hack.

He details tonight that he and a small team of students were happy to participate in the test that DC election officials had announced, with just three days' notice, inviting hackers to try to penetrate the system they planned to use this November, developed with the Open Source Digital Voting Foundation.

Halderman writes in his explanation of how they did it:

Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots.

And if you think that's chilling, Halderman goes on to note that all cast ballots on the system were modified and overwritten with write-in votes, all passwords taken - including the encryption key, which e-voting supporters constantly suggest will keep such systems safe - before they went on to install a back door to let them view any votes cast later, after their attack, along with the names of voters and whom they voted for...

  • We collected crucial secret data stored on the server, including the database username and password as well as the public key used to encrypt the ballots.
  • We modified all the ballots that had already been cast to contain write-in votes for candidates we selected. (Although the system encrypts voted ballots, we simply discarded the encrypted files and replaced them with different ones that we encrypted using the same key.) We also rigged the system to replace future votes in the same way.
  • We installed a back door that let us view any ballots that voters cast after our attack. This modification recorded the votes, in unencrypted form, together with the names of the voters who cast them, violating ballot secrecy.
  • To show that we had control of the server, we left a "calling card" on the system's confirmation screen, which voters see after voting. After 15 seconds, the page plays the University of Michigan fight song. Here's a demonstration.

Halderman also notes what many of us have been trying to tell Internet Voting proponents for so many years: it's incredibly difficult, if not impossible, to make the system secure...

The specific vulnerability that we exploited is simple to fix, but it will be vastly more difficult to make the system secure. We've found a number of other problems in the system, and everything we've seen suggests that the design is brittle: one small mistake can completely compromise its security. I described above how a small error in file-extension handling left the system open to exploitation. If this particular problem had not existed, I'm confident that we would have found another way to attack the system.

Sounds like this Internet Voting thing for overseas and military voters, which has now been called off in D.C. as of last week's hack, is as brilliantly thought out and executed as the electronic voting and concealed vote counting that nearly the entirety of the nation is currently saddled with at local polling places.

Halderman, as we also noted yesterday, was also behind the hacking of Pac-Man onto a Sequoia touch-screen voting machine last August, and was a member of the Princeton team which initially hacked Diebold's touch screen system with a vote-flipping virus back in 2006.

[Hat-tip @rickstah on the Twitters.]

UPDATE 10/6/10, 11:49am PT: Livermore National Laboratories computer scientist Dr. David Jefferson, writing on behalf of VerifiedVoting.org, comments on Halderman and team's successful hack of the D.C. Internet Voting scheme today by pointing out, among other things, that an "effective defense" against such attacks is "virtually impossible"...

It is now clear that Halderman and his team were able to completely subvert the entire DC Internet voting system remotely, gaining complete control over it and substituting fake votes of their choice for the votes that were actually cast by the test voters. What is worse, they did so without the officials even noticing for several days.

Let there be no mistake about it: this is a major achievement, and supports in every detail the warnings that the security community has been giving about Internet voting for over a decade now. After this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure.

Jefferson also notes, among several other points very well worth reading, this one...

Most likely they [Halderman and his MI students] were the only team to even attempt to attack the system seriously; yet in a real election with something important at stake multiple teams might attack. The fact that the only team that even tried succeeded so quickly is a demonstration that lots of other groups from around the world could also have done it.

...and this one...

The attack was not detected by the officials for several days, despite the fact that they were looking for such attacks (having invited all comers to try) and despite the fact that the attackers left a “signature” by playing the Michigan Fight song after every vote was cast! This successful demonstration of the danger of Internet voting is the real deal.

Want something actually worth being angry about, "Tea Partiers"? How about the fact that your Congress has allocated millions of federal tax-dollars via the Military and Overseas Voting Empowerment (MOVE) Act to pay for these Internet Voting pilot project experiments, which use real voters in real elections as guinea pigs to test this un-overseeable technology.

Want the self-governance guaranteed by our Constitution? Hint: When electronic, computerized systems are used to conceal vote casting and counting from public view - as is the case in virtually every election in the US, using the Internet or not - that ain't self-governance.

Last modified on Wednesday, 06 October 2010 17:56