University of Michigan researchers have claimed in an 18-page paper that they have broken through the security walls of a flagship online voting project in Washington, D.C.
The researchers claimed to have gained full control of the election server shortly after the system went live (within 2 days), adding that they had successfully changed every vote and revealed virtually every secret ballot. Although the hackers left a visible trail of their activities, the breach was only discovered two ‘business’ days later.
A couple of years ago, developers of a municipal e-voting system that enabled voters living abroad to cast their vote via the web invited security experts to run some tests. The project was initiated in cooperation with the Open Source Digital Voting Foundation. The university researchers asserted that while the system’s transparency warranted praise, the “architecture” had fundamental security shortcomings and was not able to resist even the most common hacking techniques (such as shell injection).
The security authorities examined common vulnerable points such as virtual ballot content, session cookies and login fields, and found several exploitable weaknesses. In addition, the hackers were able to use the PDFs generated by the system to get around the encryption mechanism, while unsecured cameras provided insights into the infrastructure. The open source nature of the code would undoubtedly have made the job of hacking into the servers easier; however, the university believes that even if the system had been proprietary, gaining access would not have proven difficult.
The university researchers concluded that building a secure online voting system is extremely difficult. They added that even one small error or oversight compromises the entire voting process. Even without the use of the central server, several other points of attack still exist. Fundamental advances still need to be made in security, they say, before e-voting will truly be safe.