Alex Halderman's totally epic hack of the DC internet voting system pilot program

The local government of the District of Columbia has been conducting a pilot project to test an internet-based voting system that would give overseas and military voters a way to download and submit absentee ballots online. Here's a PDF of the system architecture. Before using the system in a real voting process, the public was invited to evaluate its security and usability. That's where J. Alex Halderman of Freedom to Tinker comes in:

This is exactly the kind of open, public testing that many of us in the e-voting security community -- including me -- have been encouraging vendors and municipalities to conduct. So I was glad to participate, even though the test was launched with only three days' notice. I assembled a team from the University of Michigan, including my students, Eric Wustrow and Scott Wolchok, and Dawn Isabel, a member of the University of Michigan technical staff.

Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters' secret ballots. In this post, I'll describe what we did, how we did it, and what it means for Internet voting.

An awful lot of meaty details follow, but here's the punchline:

Based on this experience and other results from the public tests, the D.C. Board of Elections and Ethics has announced that they will not proceed with a live deployment of electronic ballot return at this time, though they plan to continue to develop the system. Voters will still be able to download and print ballots to return by mail, which seems a lot less risky.

Oh, diva snap.

Hacking the D.C. Internet Voting Pilot (Freedom to Tinker, thanks Jake)


  1. The people who were setting up this system are going to learn one of two lessons:

    1) it was an excellent idea to open this to the public and give people the chance to try the system because it exposed serious flaws
    2) this was a horrible idea because members of the public pwnd us

    I really hope they learn lesson 1. Kudos to all involved. The researchers for being civic minded badasses, and the DC government for being wise enough to open the system to scrutiny.

  2. “…though they plan to continue to develop the system”

    For years and years and years, all the while sucking up tax dollars while bureaucrats get $150k a year to “manage” the project.

    But this is a government contract, that will never happen.

  3. I have to give them kudos for actually paying attention to the results of their test, given that in similar situations other voting officials have often ignored or tried to suppress or discredit results like this.

    (Sure, it’s arguable whether electronic voting provides any real benefit in the first place.)

  4. Yeah, diva snap. No matter that the DCBOEE did the right thing (perhaps with a shorter time period than it should have). They did their jobs right, opening up their voting machines to testing. So let’s lord it over them and point and laugh when the testing proves that there’s a problem. Doing so is *sure* to encourage further open testing, in DC and other jurisdictions.

  5. Could boingboing possibly follow this up with a petition to support the good job done by the technical staff who allowed the public testing? We should ensure that good initiatives like this get public credit, which provides coverage for the people who suggested doing this, and encourages them to repeat the process.

  6. Jumping on the ‘good job DC for running the open trial and responding to the result’ bandwagon. Save your diva snapping for people who don’t do things the right way round.

  7. Huge props to the DC government for 1. trying this 2. testing it in the open and 3. actually listening to the results. I can’t think of any state in the union that’s done that well recently. Apparently someone in DC is on the ball.

  8. “…By formatting the string in a particular way, we could cause the server to execute commands on our behalf. For example, the filename “ballot.$(sleep 10)pdf” would cause the server to pause for ten seconds (executing the “sleep 10” command) before responding.”

    Locutus would be proud.

  9. Even downloading the forms can be corrupted - by changing the names of the candidates, or selectively (via IP addresses linked to a particular voting district) creating spoof files so districts unfavorable to your candidate receive invalid forms, … can tip a close election.

    A long way to go still.

  10. Kudos to the D.C. Board of Elections and Ethics for doing the right thing. If they plan on continuing to develop the system, they should consider going into a partnership with a University or a technical institute.

  11. Are there any laws or regulations that anyone is trying to push that would force e-voting applications to make their code open-source?

    Properly-reviewed open source code is, of course, many many times better at catching vulnerabilities than randomly seeing if people will find your security holes with three days’ notice.

    The lesson that the D.C. Board of Elections should have learned from this is: what if Halderman hadn’t found the security holes? Then the security holes would have been there for any hacker to exploit. They can’t rely on Halderman assembling his crack team on a moment’s notice every time. They can’t assume that a successful three-day trial means anything about the security of the code.

    The White House’s website already gets it: it’s written using open source Drupal. Why can’t some senator sponsor a law requiring that all e-voting applications — and voting machines too, but Diebold would never allow it — have open reviewable code?

  12. erm…. so reading Halderman’s post a little closer, the DC system was open source. This is how they were able to discover, and exploit, the security hole. Good! Then hopefully this project will be seen as strong, strong evidence for the need for all such systems to be open source.

  13. Get the back story on how this hack could have happened (when West Virginia is having great success with its Internet voting system):
    “Does the DC Fiasco Damn Internet Voting?”

    “Scary Stories Fail to Stop Internet Voting”

    Rather than using the results of scientific testing, and probability calculation, opponents of Internet voting have commonly resorted to telling scary stories about what might happen. In 2004 this tactic had spectacular success. The Department of Defense had already spent over $22,000,000 on an Internet voting project. It was ready to be used in the 2004 November election, but well publicized scary stories had it halted.

    Since that time, state election officials, the military, and DoD have regained their reason, and Internet voting is coming back.

    At, (free download)
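
The filename behaviour quoted in comment 8, seen from the defender's side: an added example, not code from the D.C. pilot, from Halderman's team, or from this post. It shows why pasting an uploaded filename into a shell command string runs the `$(...)` part, and how passing it as a single argv element plus an allowlist and a server-chosen name closes that path. It assumes a POSIX `sh` and `printf`; the harmless `echo` stand-in for `sleep 10`, the function names and the allowlist pattern are constructed for illustration.

```python
import re
import subprocess
import uuid

# Constructed sample: same shape as the filename quoted in comment 8, with a
# harmless `echo` instead of `sleep 10` so the expansion shows up in the output.
SAMPLE_NAME = "ballot.$(echo INJECTED)pdf"

# Assumed allowlist for client-supplied names: one plain token plus ".pdf".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.pdf")


def describe_via_shell(filename: str) -> str:
    """Vulnerable pattern: the filename is pasted into a shell command string."""
    # Double quotes do not help: the shell still expands $(...) inside them.
    cmd = f'printf "%s" "{filename}"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def describe_via_argv(filename: str) -> str:
    """Hardened pattern: no shell at all; the filename is one argv element."""
    argv = ["printf", "%s", filename]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def is_safe_upload_name(filename: str) -> bool:
    """Reject anything outside the allowlist before it reaches any command."""
    return SAFE_NAME.fullmatch(filename) is not None


def stored_name() -> str:
    """Server-chosen name, so the client-supplied one is never used on disk."""
    return f"{uuid.uuid4().hex}.pdf"


def handle_upload(client_name: str) -> str:
    """Validate the client name, then return the name the server will use."""
    if not is_safe_upload_name(client_name):
        raise ValueError("rejected upload name")
    return stored_name()


if __name__ == "__main__":
    print("shell string:", describe_via_shell(SAMPLE_NAME))
    print("argv list:   ", describe_via_argv(SAMPLE_NAME))
    print("allowlisted: ", is_safe_upload_name(SAMPLE_NAME))
```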
