Experts warn e-voting systems decades away from security
-By Iain Thomson
March 1, 2012- Security experts have warned that electronic voting systems are decades away from being secure, and to prove it a team from the University of Michigan successfully got the foul-mouthed, drunken Futurama robot Bender elected to head of a school board.
In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election.
"It was too good an opportunity to pass up," explained Professor Alex Halderman from the University of Michigan. "How often do you get the chance to hack a government network without the possibility of going to jail?"
With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn't spot them. The team also managed to guess the login details for the terminal server used by the voting system. This wasn't exactly difficult, since the user name and password were both "admin".
Once in, the team searched the government servers for additional vulnerabilities and system options. They found that the cameras installed to watch the voting systems weren't protected, and used them to work out when staff left for the day and so wouldn't spot server activity. More worrying, they also found a PDF file containing the authentication codes for every Washington DC voter in the forthcoming election.
The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman's personal favorite) Bender for head of the DC school board. They also set up systems so that any further ballots would come under their control.
According to the log files the team found, plenty of people were also busy trying to get into the system. They spotted attempts to get in from the Persian University, as well as India and China. Using their inside access, they blocked these attacks. Finally, they inserted the word "owned" onto the final signoff screen of the voting page, and set up the University of Michigan football fight song to play after 15 seconds.
It took two days before the authorities discovered they'd been pwned, and they were only alerted to that fact when another tester told them the system was secure, but that they should lose the music on the sign-off screen, as it was rather annoying. Halderman has now published a full account of the attack.