US Electronic Voting System Hijacked In Less Than 48 Hours

A team of researchers from the University of Michigan hacked an American pilot project for online voting and changed all of the ballots in less than 48 hours in February.

Election officials did not detect the intrusion for nearly two business days—and might have remained unaware for far longer if the team hadn’t deliberately left a prominent clue. The findings were presented at the 16th Conference on Financial Cryptography & Data Security, held on Carribean Island of Bonaire this month.

Foundations of democracy

In 2010, Washington, D.C. developed an Internet voting pilot project that was intended to allow overseas absentee voters to cast their ballots using a website. Prior to deploying the system in the general election, the District held a unique public trial: a mock election during which anyone was invited to test the system or attempt to compromise its security.

Within 48 hours of the system going live, the team from the University of Michigan had gained nearly complete control of the election server. They successfully changed every vote and revealed almost every secret ballot.

“We used the stolen public key to replace all of the encrypted ballot files on the server at the time of our intrusion with a forged ballot of our choosing. In addition, we modified the ballot-processing function to append any subsequently voted ballots to a .tar file in the publicly accessible images directory (where we could later retrieve them) and replace the originals with our forged ballot,” reads the report entitled “Attacking the Washington, D.C. Internet Voting System“.

“Recovery from this attack is difficult; there is little hope for protecting future ballots from this level of compromise, since the code that processes the ballots is itself suspect.”

Unsecured network surveillance cameras gave researchers a real-time view into the network operations center. They could observe whether administrators made physical changes to the servers running the voting system and even monitor the frequency of patrols by security guards.

As many as 25 percent of Americans are expected to use paperless electronic voting machines in the upcoming November elections, according to the Verified Voting Foundation, but confidence has been eroded by incidents showing vulnerabilities.

Last September, researchers led by Roger Johnston at the Argonne lab were able to change votes on the a ballot machine using about $25 worth of equipment, by inserting a device to manipulate touch screens by remote control, reports the AFP.

A month later, Microsoft Research released a paper describing a so-called “trash attack” which it said could be “effective against the majority of fully verifiable election systems.” Microsoft also offered a technical fix for this weakness.

How well do you know Internet security? Try our quiz and find out!

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.

Recent Posts

US Approves SpaceX Starlink For Planes, Trains And … Ships

US FCC regulator gives its official approval for SpaceX to use its Starlink satellite internet…

5 hours ago

Bitcoin Falls Below $19,000, But Recovers Slightly Friday

Ominous sign for crypto markets? The value of Bitcoin dropped over 6 percent to below…

7 hours ago

Meta Slashes Hiring As It Braces For Downturn – Report

CEO Mark Zuckerberg tells staff to brace for a deep economic downturn, as Meta cuts…

8 hours ago

Silicon In Focus Podcast: Connected Business

Is the definition of a ‘connected business’ very different today than it was just two…

10 hours ago

BT Disappointed As CWU Votes To Strike, Despite 5 To 8 Percent Pay Rise

First strike in 35 years after BT staff with the e Communications Workers Union vote…

1 day ago