The District of Columbia Board of Elections and Ethics has been gearing up for a Pilot Test of Digital Votes by Mail. They agreed to have the public test the value and security of their Internet voting system, originally scheduled to be pilot(*) tested for the November election.
D.C. should be applauded for agreeing to this public test prior to the pilot. Some pointed out prior to the test that the testing time was too short and the notice too short – in the real world hackers would have a much longer opportunity to succeed. I point out that the test also does not exercise the most vulnerable part of the system – the opportunity for insiders, election officials, software vendors, hardware vendors, communications vendors, and support staff to change votes – the vulnerability where the fewest people could change the most votes.
Testers submitting votes complained of the annoying music playing on their computer after voting. In short order the music was identified, leaving testers wondering why D.C. picked the Michigan Fight Song. Now all has been revealed and the problems went well beyond the music.
Despite the time limitations, Alex Halderman and his team from Michigan completely compromised the system <read>
We found a vulnerability in the way the system processes uploaded ballots. We confirmed the problem using our own test installation of the web application, and found that we could gain the same access privileges as the server application program itself, including read and write access to the encrypted ballots and database…
D.C. launched the public testbed server on Tuesday, September 28. On Wednesday afternoon, we began to exploit the problem we found to demonstrate a number of attacks:
- We collected crucial secret data stored on the server, including the database username and password as well as the public key used to encrypt the ballots.
- We modified all the ballots that had already been cast to contain write-in votes for candidates we selected. (Although the system encrypts voted ballots, we simply discarded the encrypted files and replaced them with different ones that we encrypted using the same key.) We also rigged the system to replace future votes in the same way.
- We installed a back door that let us view any ballots that voters cast after our attack. This modification recorded the votes, in unencrypted form, together with the names of the voters who cast them, violating ballot secrecy.
- To show that we had control of the server, we left a “calling card” on the system’s confirmation screen, which voters see after voting. After 15 seconds, the page plays the University of Michigan fight song. Here’s a demonstration…
The specific vulnerability that we exploited is simple to fix, but it will be vastly more difficult to make the system secure. We’ve found a number of other problems in the system, and everything we’ve seen suggests that the design is brittle: one small mistake can completely compromise its security. I described above how a small error in file-extension handling left the system open to exploitation. If this particular problem had not existed, I’m confident that we would have found another way to attack the system.
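The quoted attack turns on one design point worth isolating: the ballots were encrypted, but the key used to encrypt them lived on the same server, so anyone with write access could discard the stored ballots and store freshly encrypted replacements that looked just as valid. Encryption gives confidentiality, not integrity, and nothing kept on a compromised server can vouch for that server. The example below is added here for illustration; it is not code from Prof. Halderman's team or from the D.C. system, and the ballots, the auditor key, and the function names are all constructed. It contrasts a check whose reference value is stored on the server (rewritten along with the ballots, so it passes after tampering) with a checkpoint committed under a key held only by an off-server auditor (which detects the substitution).

```python
import hashlib
import hmac
import json

# Constructed sample ballots, as a server might store them after upload.
# These are example records, not data from the D.C. pilot.
BALLOTS = [
    {"voter_id": "v001", "choice": "Candidate A"},
    {"voter_id": "v002", "choice": "Candidate B"},
    {"voter_id": "v003", "choice": "Candidate A"},
]

# Assumption for this example: this key exists only with an off-server
# auditor and is never deployed to the web/application server.
AUDITOR_KEY = b"constructed-auditor-key-never-on-server"


def canonical(ballot):
    """Stable byte encoding so hashes do not depend on dict key order."""
    return json.dumps(ballot, sort_keys=True, separators=(",", ":")).encode()


def chain_head(stored):
    """Hash-chain the stored ballots and return the head as hex.

    Anyone holding the ballots can recompute this, so by itself it is
    no defence against a party that can rewrite every file on the server.
    """
    h = b"\x00" * 32
    for ballot in stored:
        h = hashlib.sha256(h + canonical(ballot)).digest()
    return h.hex()


def server_side_check(stored, head_on_server):
    """Integrity check whose reference value is kept on the server itself.

    This mirrors the quoted design: the material needed to make tampered
    ballots look valid is available to whoever controls the server.
    """
    return hmac.compare_digest(chain_head(stored), head_on_server)


def auditor_checkpoint(stored, key=AUDITOR_KEY):
    """Auditor's commitment to the current ballot set, made with a key the
    server does not hold.  The checkpoint itself can be kept off-server."""
    return hmac.new(key, chain_head(stored).encode(), hashlib.sha256).hexdigest()


def auditor_verify(stored, saved_checkpoint, key=AUDITOR_KEY):
    """Re-derive the commitment from what the server holds now and compare
    it with the checkpoint recorded earlier, off the server."""
    return hmac.compare_digest(auditor_checkpoint(stored, key), saved_checkpoint)


def substitute_ballots(stored, choice):
    """Model of the server-side substitution described on the page:
    every stored ballot is replaced by a new one for the chosen candidate.
    The originals are not retained, so nothing on the server can
    restore them."""
    return [{"voter_id": b["voter_id"], "choice": choice} for b in stored]


def demo():
    """Returns (intact_ok, server_check_after_tamper, auditor_check_after_tamper)."""
    # Auditor records a checkpoint while the store is known to be intact.
    checkpoint = auditor_checkpoint(BALLOTS)
    intact_ok = auditor_verify(BALLOTS, checkpoint)

    # Store is rewritten.  A party with write access also re-derives the
    # server-held reference value, so the server-side check still passes.
    tampered = substitute_ballots(BALLOTS, "Write-in X")
    head_rewritten_too = chain_head(tampered)
    server_ok = server_side_check(tampered, head_rewritten_too)

    # The auditor's key was never on the server, so the old checkpoint
    # cannot be made to match the rewritten ballots.
    auditor_ok = auditor_verify(tampered, checkpoint)
    return intact_ok, server_ok, auditor_ok


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The lesson the example encodes is the one the quoted text draws: a fix to the specific upload bug does not change the fact that every secret the server holds is available to whoever takes the server, so detection of altered ballots has to rest on something the server never had. A checkpoint like the one above still only detects substitution after the fact; it does not prevent it, and it says nothing about ballots altered before they reached the server.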
One more compliment to D.C.: Their primary election was September 14th. On September 27th they released the results of their post-election audit and a likely unique random forensic audit of their voting equipment. They found some incorrect firmware versions! <read>
I wonder if any banks out there would dare offer a similar public test opportunity? Power utilities? Transportation?
There are several states planning Internet voting pilots under the MOVE Act. We and others have warned of the theoretical risks of Internet voting and specifically the pilot provisions of the otherwise valuable MOVE Act. Will this clear demonstration of vulnerabilities cause states and Congress to sing a different Internet voting tune? We hope so, yet we doubt it.
Update: Comments by David Jefferson at VerifiedVoting <read>
Computer security and election experts have been saying for over 10 years that the transmission of voted ballots over the Internet cannot be made safe with any currently envisioned technology. We have been arguing mostly in vain that:
1) Attacks can be remote: Internet voting systems can be attacked remotely by any government, any criminal syndicate, or any self-aggrandizing individual in the world.
2) Effective defense virtually impossible: There are innumerable modes of attack, from very easy to very sophisticated, and if anyone competent seriously tried to attack an Internet election the election officials would have essentially no chance at successfully defending. The election would be compromised.
3) Attackers may change votes arbitrarily: An attack need not just prevent people from voting (bad as that would be), but could actually change large numbers of votes, allowing the attackers to determine the winner.
4) Attacks may be undetected: An attack might go completely undetected. The wrong people could be elected and no one would ever know.
Prof. Halderman demonstrated all of these points.
Update: Unfortunately amid our appreciation for the D.C. testing and auditing, they seem to demonstrate what I call a Miraculous Blind Faith In Science in their response: <read>
With all due respect to Mr. Jefferson, the lesson learned is not to be more timid, but more aggressive about solving the problem in exactly the way that we have chosen. Our task is to continue pursuing a robust, secure digital means for overseas voters to cast their ballot rather than resorting to e-mail or fax. As Thomas Edison famously said, “Nearly every man who develops an idea works at it up to the point where it looks impossible, and then gets discouraged. That’s not the place to become discouraged.”
The burden of proof will always rest with the election officials to ensure integrity and transparency of all voting systems, but the computer science community has a heavy burden as well. The computer science community needs to understand that this toothpaste is already out of the tube and no volume of warnings can put it back. Voters are currently casting ballots by e-mail and fax. We need to work together to find a better alternative.
Even more, voters expect that there will be a day when online voting will be as simple as paying bills or paying taxes. While there will always be citizens who choose to file their taxes on paper and there will always be voters who wish to visit their local polling place on Election Day, election officials know that voters expect, one day, to cast their ballot from their laptop.
With all due respect, science and technology have their limitations. We have yet to cure the common cold, make Reagan's Star Wars vision a reality, or produce gold from sea water. As we have pointed out before: Damn the science; Damn the integrity; If it feels good, do it!
Update: Discussion D.C. Official vs. Pam Smith of Verified Voting <video>
*) Do not confuse Pilot testing with other forms of testing such as demonstrations or prototype tests. Pilot testing implies using a system for actual use, but on a limited basis. An election pilot test would involve real ballots and real voters in an actual election, counting those votes to determine the declared winner of the election and the course of democracy. We note D.C. seems also to be using the phrase "testing of the Pilot" for its public test, hopefully not to be confused with the Pilot itself, originally scheduled for November.