Protecting Our Electoral System: DC Internet Voting Pilot Hacked

October 6, 2010

Washington, DC plans to move ahead with a system that they hope will make it easier for citizens overseas to vote. Last week the District announced a new pilot project.

“The Board of Elections and Ethics today announced that the public examination phase of the Digital Vote by Mail pilot project for overseas voters will begin on Friday, September 24.

Digital Vote by Mail is a first-in-the-nation use of open source technology to provide a secure means for overseas voters to obtain, print and mail their ballot – and, if the voter chooses, also digitally mark and return their ballot. After testing is completed, the service will be made available to overseas voters, who often do not have enough time to receive and return their ballot by mail in the few weeks between the September primary and the November general election. Prior to Digital Vote by Mail, the only option for these voters was to sacrifice the secrecy of their ballot by using e-mail or fax.

During the test period, which will continue through Thursday, September 30, individuals who wish to test and comment on the technology and usability of the application will be granted access to the application, a complete system architectural diagram, and access to the underlying source code.”

Information about the project can be found here, and below is a sample invitation letter from the site.

Testers are given access to the source code for the program and must answer a survey about the program. A review of the questions doesn’t inspire confidence in the overall security of the system, and one may find themselves wondering why the questions are so vague. Screen shot below.

Apparently, some of the applicants for this pilot program had the same idea and were able to hack into the voting system in under 48 hours.

“I assembled a team from the University of Michigan, including my PhD students, Eric Wustrow and Scott Wolchok, and Dawn Isabel, a member of the University of Michigan technical staff.

Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots. In this post, I’ll describe what we did, how we did it, and what it means for Internet voting.”

The author of the post points out some well-intentioned reasons for exploiting the voting system, and the most disturbing part of the article is that it took two days for DC to take down the program, and then only after other testers noticed that the University of Michigan fight song had been inserted. Who is overseeing this program? It appears that a lot of trust was placed in the testers and, as previous elections have shown, there are a number of folks out there who would do terrible things with such access.

Here is a description of what the hackers were able to do:

Our demonstration attacks

D.C. launched the public testbed server on Tuesday, September 28. On Wednesday afternoon, we began to exploit the problem we found to demonstrate a number of attacks:

  • We collected crucial secret data stored on the server, including the database username and password as well as the public key used to encrypt the ballots.
  • We modified all the ballots that had already been cast to contain write-in votes for candidates we selected. (Although the system encrypts voted ballots, we simply discarded the encrypted files and replaced them with different ones that we encrypted using the same key.) We also rigged the system to replace future votes in the same way.
  • We installed a back door that let us view any ballots that voters cast after our attack. This modification recorded the votes, in unencrypted form, together with the names of the voters who cast them, violating ballot secrecy.
  • To show that we had control of the server, we left a “calling card” on the system’s confirmation screen, which voters see after voting. After 15 seconds, the page plays the University of Michigan fight song. Here’s a demonstration.

The testers plan to submit a paper based on their findings, but they do offer some conclusions based on their interactions with the online voting system.

“Based on this experience and other results from the public tests, the D.C. Board of Elections and Ethics has announced that they will not proceed with a live deployment of electronic ballot return at this time, though they plan to continue to develop the system. Voters will still be able to download and print ballots to return by mail, which seems a lot less risky.

D.C. officials brought the testbed server back up today (Tuesday) with the electronic ballot return mechanism disabled. The public test period will continue until Friday, October 8…

It may someday be possible to build a secure method for submitting ballots over the Internet, but in the meantime, such systems should be presumed to be vulnerable based on the limitations of today’s security technology.”

Here is the bland response from DC election officials:

“The program originally allowed voters to digitally return their ballot but that option has been removed and voters will have to either e-mail or fax their ballots.

‘The Board determined, with the assistance of the public examination community, that the current iteration of the ballot return feature did not meet our security and file integrity standards,’ the board said in a statement.”

Thank goodness this test was done now and the system was not allowed to compromise the November elections. As with all laws concerning voting or voter registration, citizens must be wary of such online voting systems, especially if one of the testers or designers is dishonest and chooses not to report security lapses found in the system. Such holes in the software’s security could allow the integrity of the system to be compromised.

While our servicemen and women have trouble ensuring that their votes are counted, we must be diligent and not be fooled by alternatives that only sound safe and fair.

1 Comment

  1. Ern Schlabotnik on October 7, 2010 at 5:03 am

    Bill Ayers is a proud Michigan alumni. Good to see they’re not ALL that way (!)