Small coding mistake led to big Internet voting system failure


The main security weakness that let University of Michigan researchers take control over a planned city of Washington, D.C. Internet voting system pilot for overseas voters in 2010 was "a tiny oversight in a single line of code," the researchers say in a new paper (.pdf) detailing their exploits. City officials canceled the pilot shortly before the November election after the hack was revealed.

It's evidence, say the researchers--led by Assistant Professor J. Alex Halderman--that Internet voting should be postponed unless and until major new breakthroughs in cybersecurity occur. Mistakes like the one they exploited are all too common, hard to eradicate, and indicative of a brittleness in web applications, they say. Seemingly trivial errors can result in attackers gaining system dominance--and in the case of an Internet voting system, controlling the outcome of an election.

Responding to a call by Washington, D.C., election officials for outsiders with no previous access to test system security, Halderman and his students penetrated the pilot system within 48 hours of it going online. Their successful attack went undetected for another 36 hours, they say, despite the fact that they left a calling card: the vote confirmation screen played the University of Michigan fight song after 15 seconds. Even then, detection didn't occur because D.C. officials spotted anomalies in intrusion detection system logs, or even stumbled on the fight song itself, but because someone on a mailing list monitored by the city asked, "does anyone know what tune they play for successful voters?"

The main exploit the researchers used was a shell-injection vulnerability, triggered by uploading a fake ballot whose file extension carried a shell command. The file uploader plugin D.C. election officials used preserved the file extension, and the command line interpreter executed the command, the paper says.
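The class of mistake described above, shown as an added example that is not code from the paper or from the D.C. system: a hypothetical upload handler that splices the client-supplied filename into a shell command string, beside a hardened version that allow-lists the name and extension and passes an argv list with no shell. The `gpg` invocation, the `election-key` recipient and the `/tmp/uploads` path are assumptions for illustration.

```python
import re
import subprocess

# Allow-list for uploaded ballots on this hypothetical server.
ALLOWED_EXTENSIONS = {"pdf"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
UPLOAD_DIR = "/tmp/uploads"  # assumed path


def vulnerable_command(upload_name: str) -> str:
    # The anti-pattern: the user-controlled filename, extension included,
    # is interpolated into a shell command string. Any shell metacharacter
    # in the name becomes part of the command. Returned here, never executed.
    return f"gpg --encrypt --recipient election-key {UPLOAD_DIR}/{upload_name}"


def safe_upload_name(upload_name: str) -> str:
    # Hardened handling: split on the last dot, require an allow-listed
    # extension and a stem made only of safe characters; reject anything else.
    stem, dot, ext = upload_name.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXTENSIONS or not SAFE_STEM.fullmatch(stem):
        raise ValueError(f"rejected upload filename: {upload_name!r}")
    return f"{stem}.{ext.lower()}"


def is_accepted(upload_name: str) -> bool:
    # Convenience predicate for callers and tests.
    try:
        safe_upload_name(upload_name)
        return True
    except ValueError:
        return False


def safe_command(upload_name: str) -> list[str]:
    # Build an argv list, not a shell string: no interpreter parses it, so even
    # a name that slipped past validation cannot inject a second command.
    name = safe_upload_name(upload_name)
    return ["gpg", "--encrypt", "--recipient", "election-key", f"{UPLOAD_DIR}/{name}"]


def encrypt_upload(upload_name: str) -> subprocess.CompletedProcess:
    # shell=False is the default, stated explicitly to make the intent visible.
    return subprocess.run(safe_command(upload_name), shell=False, capture_output=True)


if __name__ == "__main__":
    # Constructed sample names: one honest, one carrying a harmless metacharacter.
    for name in ("ballot.pdf", "ballot.pdf;echo injected"):
        print(name, "->", "accepted" if is_accepted(name) else "rejected")
```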

The researchers also found that a system firewall filtered outbound network traffic, but that they could still steal data by writing files to the images directory on the compromised server and retrieving them with any HTTP client.

Once inside the application server, they retrieved the public key for encrypting ballots, proceeding to replace all encrypted stored ballot files with forged votes. They also modified the system so that new ballots were sent to a subfolder in the images directory and the new originals replaced with more forgeries.

They also managed to violate the secrecy of balloting, the paper says, since before ballots were encrypted, the file uploader placed them in a temporary directory, and the web application didn't delete the unencrypted ballots. The files did not contain a voter's identification, but did show the precinct and time of voting, letting the researchers compare them to server application logs and associate them with people's identities.

In perhaps the greatest oversight by city officials, the researchers also found in the temporary directory a 937-page .pdf document containing real voters' credentials for using the system, meaning that attackers could have cast votes as those citizens in the real election.

"One small mistake in the configuration or implementation of the central voting servers or their surrounding network infrastructure can easily undermine the legitimacy of the entire election," they conclude.

For more:
- download the paper from J. Alex Halderman's website (.pdf)
