In 2010 Washington D.C. embarked on a pilot project to allow voters to participate in local elections through an online voting system. In September 2010, before collecting real votes, the Board of Elections conducted a pilot test allowing any member of the general public to vote and to test the security of the system. Ultimately an attack by a team of researchers from the University of Michigan caused officials to cancel the online voting initiative. The researchers were able to seize control of the servers, unmask secret ballots, and alter the final election results. The following is a summary of what the Michigan team found (see [9] for a copy of their paper).
The system itself used a stack consisting of Ruby on Rails, Apache, and MySQL. A front-end web server receives HTTPS requests from the voters and reverse-proxies them to the application server, which hosts the software and stores the ballots. Multiple firewalls complicate attacks by blocking outbound TCP connections. The University of Michigan researchers noted that the intrusion detection system in front of the web server did not decrypt HTTPS, so it never saw the connections carrying their attack.
To log in to the system the voter needs a voter ID number, registered name, residence ZIP code, and a 16-character hexadecimal PIN. These credentials were sent to voters in the mail.
The ballots themselves are PDF files, filled out by the voter with a PDF reader and then uploaded to the server. To safeguard ballot secrecy, they are encrypted with a public key issued by election officials. When the election ends they are transferred from the server to an offline machine holding the private key, where they are decrypted and counted. Think about that -- they go to the trouble of keeping the ballot-counting machine offline but allow arbitrary PDF files to be opened on it. :>
Here are a few of the attacks that the Michigan team found. They stole the public key, which, despite the name, has to be kept secret in this design: it lets whoever holds it (here, the application server) encrypt arbitrary ballots that are indistinguishable from real ones and can be substituted for them. Once they had the key, they used it to replace all of the previously cast ballots with forged ballots voting a ticket of their choosing. They then replaced the ballot-processing function with a modified one that swapped each newly voted ballot for their forged ballot. This also broke ballot secrecy, as they used the modified ballot-processing function to track each voter. In addition, an unencrypted copy of each ballot was stored in /tmp by the PaperClip Rails plugin before encryption, so they could correlate file timestamps with the logs and match past ballots to voters. The database credentials were sitting in the bash history file.
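To make the point about the key concrete, here is an added toy model (not code from the pilot or from the Michigan paper) of the ballot path: each ballot is encrypted to the officials' public key, and a tally routine holding the private key decrypts and counts. The function names and the tiny RSA parameters are constructed for illustration only; the lesson is that a tally routine has no way to tell a voter's ciphertext from one produced by anyone else who holds the encryption key.

```python
"""Toy model of the D.C. pilot's ballot path (constructed example):
voters encrypt a ballot to the officials' public key; the offline
tally machine holds the private key, decrypts, and counts."""
from math import gcd


def make_keypair(p=61, q=53, e=17):
    # Textbook RSA with small constructed primes; real systems use large
    # primes and padding. Enough to model the key-handling issue.
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def encrypt_ballot(pub, ballot):
    # Encrypt byte by byte (fine for a model, not for a real ballot).
    n, e = pub
    return [pow(b, e, n) for b in ballot.encode()]


def decrypt_ballot(priv, ciphertext):
    n, d = priv
    return bytes(pow(c, d, n) for c in ciphertext).decode()


def tally(priv, ciphertexts):
    # The offline machine's only input is ciphertext; decryption carries
    # no information about who produced it.
    counts = {}
    for ct in ciphertexts:
        choice = decrypt_ballot(priv, ct)
        counts[choice] = counts.get(choice, 0) + 1
    return counts


def demo():
    pub, priv = make_keypair()
    # Ballots as voters would have submitted them (constructed sample).
    from_voters = [encrypt_ballot(pub, v) for v in ["A", "A", "B"]]
    # Ballots produced by something else holding pub, e.g. the server
    # that stored the key. The tally cannot distinguish the two sets,
    # which is why this "public" key had to be treated as a secret.
    from_key_holder = [encrypt_ballot(pub, "B") for _ in from_voters]
    return tally(priv, from_voters), tally(priv, from_key_holder)


if __name__ == "__main__":
    print(demo())
```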
A 937-page PDF file containing all of the voters' login credentials was even found on the server, sitting in /tmp. And these were the credentials for the REAL election, not merely the pilot test. Had the real election not been canceled, they could have used those to vote as actual citizens.
Of course, once finished they cleaned up the logs and removed all of their files from the application server's directories.
To mark their territory after completely infiltrating the online voting system, they programmed the confirmation page to play the University of Michigan fight song when each user cast a ballot.
Despite their musical calling card, it took officials in D.C. 36 hours to detect the attack and stop the pilot (another test user asked on a mailing list what song was played for a successful vote, raising their suspicions).
Government sucks at computer stuff; that one is pretty bad, from how I understood the article.
An online voting system would be nice to have: cheaper to run if done properly, and traceable. Right now, no one knows who voted for what; it's easy to stuff ballots.