Alex Halderman's totally epic hack of the DC internet voting system pilot program

The local government of the District of Columbia has been conducting a pilot project to test an internet-based voting system that would give overseas and military voters a way to download and submit absentee ballots online. Here's a PDF of the system architecture. Before using the system in a real voting process, the public was invited to evaluate its security and usability. That's where J. Alex Halderman of Freedom to Tinker comes in:

This is exactly the kind of open, public testing that many of us in the e-voting security community -- including me -- have been encouraging vendors and municipalities to conduct. So I was glad to participate, even though the test was launched with only three days' notice. I assembled a team from the University of Michigan, including my students, Eric Wustrow and Scott Wolchok, and Dawn Isabel, a member of the University of Michigan technical staff.
Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters' secret ballots. In this post, I'll describe what we did, how we did it, and what it means for Internet voting.

An awful lot of meaty details follow, but here's the punchline:

Based on this experience and other results from the public tests, the D.C. Board of Elections and Ethics has announced that they will not proceed with a live deployment of electronic ballot return at this time, though they plan to continue to develop the system. Voters will still be able to download and print ballots to return by mail, which seems a lot less risky.

Oh, diva snap.

Hacking the D.C. Internet Voting Pilot (Freedom to Tinker, thanks Jake)

Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.

MORE: politics • security

More at Boing Boing

The technology that links taxonomy and Star Trek

Hackers prepare for first "national holiday" in their honor

Anonymous

I have to give them kudos for actually paying attention to the results of their test, given that in similar situations other voting officials have often ignored or tried to suppress or discredit results like this.

(Sure, it’s arguable whether electronic voting provides any real benefit in the first place.)
johnpaxton

Yeah, diva snap. No matter that the DCBOEE did the right thing (perhaps with a shorter time period than it should have). They did their jobs right, opening up their voting machines to testing. So let’s lord it over them and point and laugh when the testing proves that there’s a problem. Doing so is *sure* to encourage further open testing, in DC and other jurisdictions.
Anonymous

Could boingboing possibly follow this up with a petition to support the good job done by the technical staff who allowed the public testing. We should ensure that good initiatives like this get public credit, which provides coverage for the people who suggested doing this, and encourages them to repeat the process.
adwkiwi

Jumping on the ‘good job DC for running the open trial and responding to the result’ bandwagon. Save your diva snapping for people who don’t do things the right way round.
DrWJK

Get the back story on how this hack could have happened (when West Virginia is having great success with its Internet voting system):
â€œDoes the DC Fiasco Damn Internet Voting?â€
http://www.opednews.com/articles/Does-the-DC-Fiasco-Damn-In-by-William-J-Kellehe-101015-957.html

â€œScary Stories Fail to Stop Internet Votingâ€

Abstract:
Rather than using the results of scientific testing, and probability calculation, opponents of Internet voting have commonly resorted to telling scary stories about what might happen. In 2004 this tactic had spectacular success. The Department of Defense had already spent over $22,000,000 on an Internet voting project. It was ready to be used in the 2004 November election, but well publicized scary stories had it halted.

Since that time, state election officials, the military, and DoD have regained their reason, and Internet voting is coming back.

At, http://ssrn.com/author=1053589 (free download)
Anonymous

Huge props to the DC government for 1. trying this 2. testing it in the open and 3. actually listening to the results. I can’t think of any state in the union that’s done that well recently. Apparently someone in DC is on the ball.
cjp

…”By formatting the string in a particular way, we could cause the server to execute commands on our behalf. For example, the filename â€œballot.$(sleep 10)pdfâ€ would cause the server to pause for ten seconds (executing the â€œsleep 10â€ command) before responding.”

Locutus would be proud.
SamSam

Are there any laws or regulations that anyone is trying to push that would force e-voting applications to make their code open-source?

Properly-reviewed open source code is, of course, many many times better at catching vulnerabilities than randomly seeing if people will find your security holes with three day’s notice.

The lesson that the D.C. Board of Elections should have learned from this is: what if Halderman hadn’t found the security holes? Then the security holes would have been there for any hacker to exploit. They can’t rely on Halderman assembling his crack team on a moment’s notice every time. They can’t assume that a successful three-day trial means anything about the security of the code.

The White House’s website already gets it: it’s written using open source Drupal. Why can’t some senator sponsor a law requiring that all e-voting applications — and voting machines too, but Diebold would never allow it — have open reviewable code?
SamSam

erm…. so reading Halderman’s post a little closer, the DC system was open source. This is how they were able to discover, and exploit, the security hole. Good! Then hopefully this project will be seen as strong, strong evidence for the need for all such systems to be open source.
Camp Freddie

Wow, someone should get the DC sysadmin to read XKCD:
http://xkcd.com/327/
sic transit gloria C.F.A.

No. Not diva snap. DCBOE did exactly the right thing and should be applauded.
gregb

Even downloading the forms can be corrupted- by changing the names of the candidates, or selectively (via IP addresses linked to particular voting district) creating spoof files so districts unfavorable to your candidate receive invalid forms, … can tip a close election.

A long way to go still.
Anonymous

Kudos to the D.C. Board of Elections and Ethics for doing the right thing. If they plan on continuing to develop the system, they should consider going into a partnership with a University or a technical institute.
TooGoodToCheck

The people who were setting up this system are going to learn one of two lessons:

1) it was an excellent idea to open this to the public and give people the chance to try the system because it exposed serious flaws
or
2) this was a horrible idea because members of the public pwnd us

I really hope they learn lesson 1. Kudos to all involved. The researchers for being civic minded badasses, and the DC government for being wise enough to open the system to scrutiny.
bardfinn

SCRUB YOUR INPUTS! regexES AND FUZZ TESTING ARE YOUR FRIENDS!
CatherineCC

“…though they plan to continue to develop the system”

For years and years and years, all the while sucking up tax dollars while bureaucrats get $150k a year to “manage” the project.

But this is a government contract, that will never happen.