
Professor pulls off ‘epic hack’ of voting system

By Muriel Kane
Wednesday, October 6, 2010 13:23 EDT

The District of Columbia’s plan to use a previously untried internet voting system for absentee ballots cast overseas has been raising red flags for a while. But now the ability of a team of computer experts to easily take over the system and reprogram it to play the University of Michigan fight song whenever a vote is cast has caused the whole scheme to be called off.

As blogger Brad Friedman reported on Monday, “The very short planned pre-election test phase, in which hackers were invited to try to manipulate the system, has been abruptly aborted in the wake of a, um, disturbing (if not wholly unpredictable) development.”

By the next day, Friedman had confirmed that “J. Alex Halderman, asst. professor of electronic engineering and computer science at the [University of Michigan], was, indeed, at the heart of the hack.”

Initial accounts of the hack had passed it off lightly. The Associated Press story described it merely as “University of Michigan students hacked a prototype D.C. elections voting site and programmed it to play their fight song.”

But the exploit — which Boing Boing described as “Alex Halderman’s totally epic hack of the DC internet voting system pilot program” — turns out to have been far more serious and far-reaching.

As Halderman himself explains at his blog, Freedom to Tinker, “Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots.”

“We collected crucial secret data stored on the server, including the database username and password as well as the public key used to encrypt the ballots,” Halderman continues. “We modified all the ballots that had already been cast to contain write-in votes for candidates we selected. … We also rigged the system to replace future votes in the same way. We installed a back door that let us view any ballots that voters cast after our attack. This modification recorded the votes, in unencrypted form, together with the names of the voters who cast them, violating ballot secrecy.”

Following the hack, DC Board of Elections chief technology officer Paul Stenbjorn acknowledged that “the integrity of the system had been violated.” He went on to say that “we’ve closed the hole they opened, but we want to put it through more robust testing. … This is an abundance-of-caution sort of thing.”

Halderman, however, appeared skeptical that more robust testing was the answer. “The specific vulnerability that we exploited is simple to fix,” he noted at his blog, “but it will be vastly more difficult to make the system secure. We’ve found a number of other problems in the system, and everything we’ve seen suggests that the design is brittle: one small mistake can completely compromise its security.”

“Sounds like this Internet Voting thing for overseas and military voters,” commented Friedman, “is as brilliantly thought out and executed as the electronic voting and concealed vote counting that nearly the entirety of the nation is currently saddled with at local polling places. Halderman, as we also noted yesterday, was also behind hacking Pac-Man onto a Sequoia touch-screen voting machine last August, as well as on the Princeton team which initially hacked Diebold’s touch screen system with a vote-flipping virus back in 2006.”

Muriel Kane
Muriel Kane is an associate editor at Raw Story. She joined Raw Story as a researcher in 2005, with a particular focus on the Jack Abramoff affair and other Bush administration scandals. She worked extensively with former investigative news managing editor Larisa Alexandrovna, with whom she has co-written numerous articles in addition to her own work. Prior to her association with Raw Story, she spent many years as an independent researcher and writer with a particular focus on history, literature, and contemporary social and political attitudes. Follow her on Twitter at @Muriel_Kane
 
 
 
 