Computer science researchers from U-M have successfully hacked into a test bed of a new Internet-based absentee voting system in Washington, D.C.
The researchers rigged the system to play “The Victors” after each new ballot was cast. And they changed all the votes to write-ins for famous robots and computers such as Johnny 5 (from the movie “Short Circuit”), HAL 9000 (from “2001: A Space Odyssey”), and Deep Thought (from “A Hitchhiker’s Guide to the Galaxy”).
Officials from the District of Columbia Board of Elections and Ethics had asked for this, or something like it. They held a mock election to test the security of a proposed new system that would give the city’s 2,000 overseas and military voters a better way than e-mail and fax to turn in their ballots.
They published the system’s source code and held a test period for the public and computer science researchers to evaluate its security and ease of use.
“Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots,” writes computer security researcher J. Alex Halderman in a blog post. Halderman, an assistant professor of computer science and engineering, assembled a team of students and staff as soon as he heard about the test.
Halderman’s team found a weakness in how the system processed uploaded, completed ballots. He gives the details at Freedom to Tinker, an information technology policy blog to which he often contributes.
“(We) found that we could gain the same access privileges as the server application program itself, including read and write access to the encrypted ballots and database,” he wrote.
In addition to changing the votes and leaving their fight song calling card, the researchers “installed a back door” that let them view all the incoming votes and who cast them, violating ballot secrecy.
D.C. voting officials knew there might be openings in the upload procedure, says Paul E. Stenbjorn, director of information services at the D.C. Board of Elections and Ethics.
“It was disappointing that it was as easy as it was for them, and that we hadn’t been more proactive about closing down these known issues,” he says.
In the end, Stenbjorn considers the experiment a success. “This was why we had the public examination period,” he says. “Obviously, we would have liked a smooth, noncontroversial deployment of our new system, but this was a known potential outcome.”
He stresses that no actual votes were cast in this trial, and that this was a completely segregated test of a proposed new system.
Halderman says he expected the system to be fairly easy to compromise.
“Web security is a very difficult problem,” he says. “Major web sites like Facebook and Twitter regularly suffer from vulnerabilities, and banks lose millions of dollars to online fraud every year. These high-profile sites have greater resources and far more security experience than the municipalities that run elections, and yet they are still constantly having problems.
“It may someday be possible to build a secure method for voting over the Internet, but in the meantime, such systems should be presumed to be vulnerable based on the limitations of today’s security technology.”
D.C. officials are not giving up. In the November elections, voters abroad will be able to download their ballots, but they won’t be able to send them back through a city-sanctioned system, in light of the Halderman team’s hack. The board will go back to the drawing board and at some point hold another test.
“Election officials know that voters expect, one day, to cast their ballot from their laptop,” Stenbjorn writes in the board’s official response to the attack.
Its unofficial response, at least to the fight song signature: “Our executive director is a huge Buckeye fan,” Stenbjorn said. “He asked me to remind everyone that it’s been 2,510 days since Michigan beat Ohio State.”