Bender Beats Skynet In School Board Election

After the Washington, D.C. election board announced a new e-voting system for absentee ballots in 2010, they invited the computer security community and general public to try hacking it, several weeks before using it in a real election. Professor Alex Halderman of the University of Michigan felt “It was too good an opportunity to pass up.” With the help of two graduate students, Halderman discovered a shell injection vulnerability in the Ruby on Rails-based code and managed to encrypt traffic, avoiding an intrusion detection system running on the server. The login for the terminal server wasn’t terribly difficult to guess, as the administrator used “admin” as both the username and password. They even discovered they had unprotected access to cameras installed to watch over the voting systems. They used these to figure out when the staff left for the day, to make sure their activities on the server weren’t noticed.

Next, they were able to modify the ballots themselves, erasing all the nominated candidates and replacing them with fictional computerized substitutes, including Skynet and Futurama’s Bender for the head of the school board. As a finishing touch, they made the voting machine play the University of Michigan fight song 15 seconds after a voter finished voting, and they edited the sign-off screen that appeared to say “owned.”

Despite all of this, authorities didn’t realize the system was compromised for two days and only discovered something was amiss when another tester claimed the system was secure, but recommended they lose the annoying music on the final screen!

Many speakers at the RSA Security Conference 2012 warn participants of the dangers of electronic voting systems. Dr. David Jefferson of Lawrence Livermore Labs believes the problem is getting worse, not better. He claims “There are 33 states that have introduced some kind of electronic voting systems – and none of them are secure enough to resist a determined attacker.” Jefferson points out the relative ease of discovering financial hacks, because the money eventually goes somewhere and leaves a trail. Elections, by contrast, are one-time events with no follow-up after winners are decided.

The idea of electing a smart-mouthed cartoon robot as head of a school board is amusing, but the potential consequences are anything but funny. Our politicians and government leaders need to take these security issues much more seriously or risk compromising the legitimacy of all government elections.
