Subject: Re: [EL] Halderman on "Hacking the D.C. Internet Voting Pilot"
From: Candice Hoke
Date: 10/6/2010, 7:09 AM
To: "election-law@mailman.lls.edu" <election-law@mailman.lls.edu>

National security computer scientist explains the import of this successful hack:

The meaning of Alex Halderman's successful attack on the DC Internet voting system


Dr. David Jefferson
Computer Scientist, Lawrence Livermore National Laboratory;* Board Chairman, Verified Voting

University of Michigan Prof. Alex Halderman has now released some details about his successful attack on the District of Columbia's proposed Internet voting system which has been under test for the last week.  (See www.freedom-to-tinker.com.)  It is now clear that Halderman and his team were able to completely subvert the entire DC Internet voting system remotely, gaining complete control over it and substituting fake votes of their choice for the votes that were actually cast by the test voters.  What is worse, they did so without the officials even noticing for several days.

Let there be no mistake about it: this is a major achievement, and supports in every detail the warnings that the security community has been giving about Internet voting for over a decade now.  After this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure.

Computer security and election experts have been saying for over 10 years that the transmission of voted ballots over the Internet cannot be made safe with any currently envisioned technology.  We have been arguing mostly in vain that:

1) Attacks can be remote: Internet voting systems can be successfully attacked remotely by any government, any criminal syndicate, or any self-aggrandizing individual in the world.

2) Effective defense virtually impossible: There are innumerable modes of attack, from very easy to very sophisticated, and if anyone competent seriously tried to attack an Internet election the election officials would have essentially no chance at successfully defending.  The election would be compromised.

3) Attackers may change votes arbitrarily: An attack need not just prevent people from voting (bad as that would be), but could actually change large numbers of votes, allowing the attackers to determine the winner. 

4) Attacks may be undetected: An attack might go completely undetected.  The wrong people could be elected and no one would ever know.

Prof. Halderman demonstrated all of these points:

1) Attacks can be remote:   His team of four conducted their attack remotely, from Michigan, via the Internet, without ever getting near Washington, D.C.

2) Effective defense virtually impossible:   Although they were restricted from most modes of attack (which would be illegal even in this test situation), they still succeeded in completely owning (controlling) the voting system within about 36 hours after it was brought up, even though they had only 3 days of notice of when it would start.  They happened to use one particular small vulnerability that they identified, but they are quite confident that they could have penetrated in other ways as well.  Most likely they were the only team to even attempt to attack the system seriously; yet in a real election with something important at stake multiple teams might attack.  The fact that the only team that even tried succeeded so quickly is a demonstration that lots of other groups from around the world could also have done it.

3) Attackers may change votes arbitrarily: They not only changed some of the votes, they changed them all, both those cast before they took control of the system and those cast afterward.  There is no way that officials can restore the original votes without the attackers' help.

4) Attacks may be undetected:   The attack was not detected by the officials for several days, despite the fact that they were looking for such attacks (having invited all comers to try) and despite the fact that the attackers left a "signature" by playing the Michigan Fight song after every vote was cast!

This successful demonstration of the danger of Internet voting is the real deal. 

Prof. Alex Halderman, his graduate students Eric Wustrow and Scott Wolchok, and their colleague Dawn Isabel, all deserve enormous credit, congratulations, and thanks.

_________
*  For identification only.  This statement is from Dr. Jefferson alone and does not purport to represent LLNLaboratory. 

Contacting Dr. Jefferson:  Jefferson David <d_jefferson@yahoo.com>


On 10/5/10 10:05 PM, Joseph Lorenzo Hall wrote:
(links in the original)

http://www.freedom-to-tinker.com/blog/jhalderm/hacking-dc-internet-voting-pilot

# Hacking the D.C. Internet Voting Pilot

By J. Alex Halderman - Posted on October 5th, 2010 at 9:07 pm

The District of Columbia is conducting a pilot project to allow
overseas and military voters to download and return absentee ballots
over the Internet. Before opening the system to real voters, D.C. has
been holding a test period in which they've invited the public to
evaluate the system's security and usability.

This is exactly the kind of open, public testing that many of us in
the e-voting security community — including me — have been encouraging
vendors and municipalities to conduct. So I was glad to participate,
even though the test was launched with only three days' notice. I
assembled a team from the University of Michigan, including my PhD
students, Eric Wustrow and Scott Wolchok, and Dawn Isabel, a member of
the University of Michigan technical staff.

Within 36 hours of the system going live, our team had found and
exploited a vulnerability that gave us almost total control of the
server software, including the ability to change votes and reveal
voters’ secret ballots. In this post, I’ll describe what we did, how
we did it, and what it means for Internet voting.

[...]

*Professor J. Alex Halderman is a computer scientist at the University
of Michigan.*


Professor Candice Hoke
Cleveland-Marshall College of Law
Cleveland State University
216.687.2313

Director, Center for Election Excellence
216.798.4643