Hacked Voting System Stored Accessible Password, Encryption Key
By Kim Zetter | October 6, 2010 | 1:55 pm
An internet-based voting system that was hacked last week by researchers at the University of Michigan stored its database username, password and encryption key on a server open to attack.
Alex Halderman, a computer scientist at the university, has detailed the vulnerabilities and hacking techniques his students used to completely control the system last week. The hack allowed them to change votes and program the system to play his school’s fight song “Hail to the Victors” after each voter cast their ballot.
The hack, unnoticed by election officials until researchers notified them, forced election officials to take the system offline and adopt a contingency plan for the November elections.
Washington, DC, began testing its internet voting system last Tuesday in advance of the November elections. The system, paid for in part with a $300,000 federal grant, is designed to let overseas military and civilian voters cast ballots quickly, instead of relying on the postal system to deliver their votes in a timely manner.
But within 36 hours of the system going live, Halderman’s team found and exploited a shell-injection vulnerability that “gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots.”
We modified all the ballots that had already been cast to contain write-in votes for candidates we selected. (Although the system encrypts voted ballots, we simply discarded the encrypted files and replaced them with different ones that we encrypted using the same key.) We also rigged the system to replace future votes in the same way. We installed a back door that let us view any ballots that voters cast after our attack. This modification recorded the votes, in unencrypted form, together with the names of the voters who cast them, violating ballot secrecy.
The hack left lots of traces that an intrusion detection system should have caught. Nonetheless, it went unnoticed for two business days until Friday afternoon when several testers directed election officials to the Michigan fight song playing on their $300,000 voting system.
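The researchers' account above notes that encryption did not stop cast ballots from being swapped, because the replacements were encrypted with the same key. As an added illustration (not code from the article, the researchers or the D.C. system), the sketch below shows a defender-side audit that would flag such a swap. It assumes a separate audit host that records a keyed tag for each encrypted ballot as it is received; the names `receipt_tag`, `audit`, `AUDIT_KEY` and the ballot ids are hypothetical.

```python
import hashlib
import hmac

# Constructed demo key. Assumption: the real key lives only on a separate
# audit host, never on the web server that stores the ballots.
AUDIT_KEY = b"constructed-demo-key"


def receipt_tag(ballot_id: str, ciphertext: bytes, key: bytes = AUDIT_KEY) -> str:
    """MAC binding a ballot id to the exact encrypted bytes that were received."""
    msg = ballot_id.encode() + b"\x00" + ciphertext
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def audit(manifest: dict, stored: dict, key: bytes = AUDIT_KEY) -> dict:
    """Compare ballots on the server with the manifest kept on the audit host."""
    report = {"replaced": [], "missing": [], "unexpected": []}
    for ballot_id in sorted(manifest):
        if ballot_id not in stored:
            report["missing"].append(ballot_id)
        elif not hmac.compare_digest(
            manifest[ballot_id], receipt_tag(ballot_id, stored[ballot_id], key)
        ):
            report["replaced"].append(ballot_id)
    report["unexpected"] = sorted(set(stored) - set(manifest))
    return report


def demo() -> dict:
    # Constructed stand-ins for encrypted ballot files as first received.
    received = {"b-001": b"\x8a\x11\x02", "b-002": b"\x5c\x90\x7f", "b-003": b"\x33\x04\xee"}
    manifest = {bid: receipt_tag(bid, ct) for bid, ct in received.items()}

    # Later state of the server: b-002 swapped for other bytes (standing in for
    # a validly encrypted replacement), b-003 deleted, b-999 planted.
    stored = {"b-001": b"\x8a\x11\x02", "b-002": b"\x77\x77\x77", "b-999": b"\x01"}
    return audit(manifest, stored)


if __name__ == "__main__":
    print(demo())
```

The audit covers ballots already recorded in the manifest; a ballot altered before it reaches the audit host is outside what this check can see.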
_____
COMMENT:
Dear Kim Zetter:
Conditions of electronic voting machines, and refusal of the US government to initiate corrective actions, are old news by now... [1-4]
How about reporting some new news, such as conditions of the Case Management Systems (CMSs) in courts and prisons throughout the US? [5,6]
The CMSs are as essential as the voting machines for the safeguard of democratic society.
Joseph Zernik, PhD
Human Rights Alert (NGO)
LINKS:
[1] 10-08-28 Common Cause Voting Machines Report Malfunction and Malfeasance
http://www.scribd.com/doc/36565560/
[2] 10-04-19 Brennan Center for Justice Notice in Re: Unprecleared Voting Machines - violation of the voting act
http://www.scribd.com/doc/36565891/
[3] 05-00-00 Validating Voting Machine Software
http://www.scribd.com/doc/36630297/
[4] 05-05-19 MIT-Caltech: Auditing Technology for Electronic Voting
http://www.scribd.com/doc/36629558/
[5] 10-08-18 Zernik, J: Data Mining as a Civic Duty – Online Public Prisoners’ Registration Systems, International Journal on Social Media: Monitoring, Measurement, Mining 1: 84-96 (2010)
http://www.scribd.com/doc/38328591/
[6] 10-08-18 Zernik, J: Data Mining of Online Judicial Records of the Networked US Federal Courts, International Journal on Social Media: Monitoring, Measurement, Mining, 1:69-83 (2010)
http://www.scribd.com/doc/38328585/