A group of researchers from the University of Michigan recently attacked and compromised the Washington, DC Digital Vote by Mail Internet voting system, showing that its deployment should definitely be reconsidered.
“In 2010, Washington, D.C. developed an Internet voting pilot project that was intended to allow overseas absentee voters to cast their ballots using a website,” explained the researchers. “Prior to deploying the system in the general election, the District held a unique public trial: a mock election during which anyone was invited to test the system or attempt to compromise its security.”
They took on the challenge, and a mere 48 hours later they had compromised both the votes and the secrecy of the ballots. What’s even worse, election officials did not detect their intrusion for nearly two days, and even then they likely only noticed it because the researchers had intentionally left a prominent clue.
“A web-based voting system needs to maintain both the integrity of the election result and the secrecy of voters’ choices; it must remain available and uncompromised on an open network, and it has to serve voters connecting from untrusted clients,” explain the researchers.
They concentrated their efforts on finding vulnerabilities in the voter login, ballot upload and handling, database communication, and other network activity, but note that flaws in the voter login fields, ballot contents, ballot filenames, or session cookies can also be found by fuzzing or direct code-injection attacks.
After a few hours they had compromised the web application server, along with the payloads and the public key used for encrypting ballots; they were then able to replace all of the encrypted ballot files on the server and to exfiltrate a PDF file containing the instruction letters sent to each registered voter, which included the real voters’ credentials for using the system.
They also infiltrated the terminal server, compromised and changed the passwords on the routers and switches used on the network, and used two unsecured webcams on the network to observe who had access to the server room.
“Our experience with the D.C. pilot system demonstrates one of the key dangers in many Internet voting designs: one small mistake in the configuration or implementation of the central voting servers or their surrounding network infrastructure can easily undermine the legitimacy of the entire election,” say the researchers.
“We expect that other fielded Internet voting systems will fall prey to such problems, especially if they are developed using standard practices for mass-produced software and websites. Even if the central servers were somehow eliminated or made impervious to external attack, Internet voting is likely to be susceptible to numerous classes of threats, including sabotage from insiders and malware placed on client machines.”
In short, they concluded that securing Internet voting in practice will require significant advances in computer security, and that until then, online voting should not be considered secure.