In a new paper the University of Michigan ethical hackers describe how all the votes were changed/stolen in the Washington, D. C. test: Attacking the Washington, D.C. Internet Voting System <read>
The paper is a good read. Recommended especially for election officials and those that believe Internet voting is a good, safe idea. From the abstract:
This paper describes our experience participating in this trial. Within 48 hours of the system going live, we had gained near complete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election officials did not detect our intrusion for nearly two business days—and might have remained unaware for far longer had we not deliberately left a prominent clue. This case study—the first (to our knowledge) to analyze the security of a government Internet voting system from the perspective of an attacker in a realistic pre-election deployment—attempts to illuminate the practical challenges of securing online voting as practiced today by a growing number of jurisdictions.
I would add:
- It took the officials a while to detect the hack, even with the Michigan Fight song playing. Imagine if the team had only changed or added 10% or 20% of the vote and cast them for candidates actually on the ballot! What if it was a real election and the officials were not certain that several groups were likely trying to hack in!!!
- We pay significant attention to outsider attacks, but insider attacks aremuch easier, require less expertise, and are much less likely to be detected.emember online voting is about as auditable as a paperless DRE, just more globally vulnerable.
- Was the West Virginia Pilot hacked? How would anyone know? Maybe not, it was not a very valuable target since so few votes were involved.
