Internet voting test gone badly wrong

By Patrick, 2019 Apr 8, 8:18pm


http://www.phrack.org/issues/69/11.html#article

In 2010 Washington D.C. embarked on a pilot project to allow voters to
participate in local elections through an online voting system. In
September 2010, before collecting real votes, the Board of Elections
conducted a pilot test allowing any member of the general public to vote
and test the security of the system. Ultimately an attack by a team of
researchers from the University of Michigan caused them to cancel the
online voting initiative. The researchers were able to seize control of
the servers, unmask secret ballots, and alter the final election results.
The following information is a summary of what the Michigan team found
(please see [9] for a copy of their paper).

The system itself used a stack consisting of Ruby on Rails, Apache, and
MySQL. A front end web server receives HTTPS requests from the voters and
then reverse-proxies them to the application server which hosts the
software and stores the ballots. Multiple firewalls work to complicate
attacks by blocking outbound TCP connections. The University of Michigan
researchers noted that the intrusion detection system in front of the web
server failed to decrypt the HTTPS connections carrying their attack.

To login to the system the voter needs to use a voter ID number,
registered name, residence ZIP code, and 16-character hexadecimal PIN.
These credentials were sent out to voters in the mail.

The ballots themselves are PDF files, filled out by the user with a PDF
reader, and then uploaded to the server. To safeguard ballot secrecy, they
are encrypted with a public key issued by elections officials. When the
election ends they are transferred from the server to an offline machine,
holding the private key, where they are decrypted and counted. Think about
that -- they go through the trouble of keeping the ballot counting machine
offline but allow arbitrary PDF files to be opened on it. :>

Here are a few of the attacks that the Michigan team found. They stole the
public key, which, despite the term public key, should actually be kept
secret because it allows the application server to encrypt arbitrary
ballots to substitute real ballots. Once they stole the key, they indeed
used it to replace all of the previously cast ballots with forged ballots
that voted a ticket of their choosing. They then replaced the ballot
processing function with a modified function that would replace each
voted ballot with their forged ballot. This also broke the secret ballot
concept, as they used the new ballot processing function to track each
voter. And, an unencrypted copy of each ballot was stored in /tmp by the
PaperClip Rails plugin before encryption, so they could correlate the
file time to the logs and then match past ballots to voters. The database
credentials were located in the bash history file.

A 937-page PDF file containing all of the voters' login credentials was
even located on the server, sitting in /tmp. And these were the
credentials for the REAL election, not merely the pilot test. Had the
real election not been canceled they could have used those to vote as
actual citizens.

Of course once finished they cleaned up the logs and removed all of their
files from the application server's directories.

To mark their territory after completely infiltrating the online voting
system, they programmed the confirmation page to play the University of
Michigan fight song when each user cast a ballot.

Despite their musical calling card, it took officials in D.C. 36 hours to
detect the attack and stop the pilot (another test user asked on a mailing
list what song is played for a successful vote, raising their suspicions).
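An added illustration (not the D.C. system's code, nor the Michigan team's) of the cryptographic point the post makes: a ballot encrypted to the officials' key gives the offline counting machine confidentiality but no way to tell a genuine ballot from one produced by whoever holds that key, which is why the "public" key had to be treated as a secret. The second tally adds a signature under a hypothetical attestation key that never sits on the application server; that key pair and the vote strings are assumptions constructed for the example.

```ruby
require "openssl"

# Added illustration, not the D.C. system's code. It models the ballot flow the
# post describes: ballots are encrypted to a key issued by election officials and
# decrypted on an offline machine that holds the matching private key.
TALLY_KEY      = OpenSSL::PKey::RSA.new(2048)   # stays on the offline counting machine
ENCRYPTION_KEY = TALLY_KEY.public_key           # the "public" key held by the app server

# Hypothetical key pair (an assumption, not part of the D.C. design) that never
# touches the application server; it shows what a separate authenticity check buys.
ATTEST_KEY = OpenSSL::PKey::RSA.new(2048)

def seal_ballot(vote, enc_key)
  enc_key.public_encrypt(vote)                  # confidentiality only, no origin check
end

# Tally as the post describes it: the only "check" is that decryption succeeds.
# Anyone holding ENCRYPTION_KEY can produce sealed ballots it will count, which is
# why that key had to be kept secret despite its name.
def tally_unauthenticated(sealed_ballots, tally_key)
  sealed_ballots.map { |s| tally_key.private_decrypt(s) }.tally
end

# Same sealing, plus a signature over the ciphertext under a key the app server
# never holds. A ballot sealed with only the encryption key carries no valid signature.
def seal_and_attest(vote, enc_key, attest_key)
  sealed = seal_ballot(vote, enc_key)
  { sealed: sealed, sig: attest_key.sign(OpenSSL::Digest.new("SHA256"), sealed) }
end

def tally_authenticated(records, tally_key, attest_pub)
  accepted = records.select do |r|
    r[:sig] && attest_pub.verify(OpenSSL::Digest.new("SHA256"), r[:sig], r[:sealed])
  end
  accepted.map { |r| tally_key.private_decrypt(r[:sealed]) }.tally
end

# Walk-through with constructed votes: two genuine ballots and one produced with
# nothing but the encryption key. Returns both tallies so they can be compared.
def demo
  genuine = %w[alice_choice bob_choice]
  unauth  = genuine.map { |v| seal_ballot(v, ENCRYPTION_KEY) } +
            [seal_ballot("forged_choice", ENCRYPTION_KEY)]
  auth    = genuine.map { |v| seal_and_attest(v, ENCRYPTION_KEY, ATTEST_KEY) } +
            [{ sealed: seal_ballot("forged_choice", ENCRYPTION_KEY), sig: nil }]
  { unauthenticated: tally_unauthenticated(unauth, TALLY_KEY),
    authenticated:   tally_authenticated(auth, TALLY_KEY, ATTEST_KEY.public_key) }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```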
FortWayneIndiana, 2019 Apr 8, 8:38pm

Government sucks at computer stuff, that one is pretty bad from how I understood the article.

An online voting system would be nice to have, cheaper to run if done properly, and traceable. Right now, no one knows who voted for what, easy to stuff ballots.
