Hack the Vote!

Malicious vote-bots could make hanging chads look tame

In the wake of the Florida vote-count controversy, simple point-and-click Internet elections would seem an attractive 21st Century alternative to traditional cardboard and paper. But before choosing a President becomes as simple as ordering a paperback from Amazon.com, security experts have to surmount an obstacle that makes butterfly ballots look like a cake walk: the potential that malicious hackers could create custom programs that target voters' PCs en masse, and steal Internet elections.

"That's the big problem that everybody's working on," says Deborah Phillips, president of the non-partisan Voting Integrity Project. "It's that scenario that's keeping people up nights."

Several state governments are already exploring Internet voting, and a handful of fiercely competitive companies have made tentative steps into the field. In January, Alaska voters were given the opportunity to participate in a Republican Party straw poll on-line, through the Bellevue, Washington-based company VoteHere. Last March, thousands of US citizens voted in Arizona's Democratic primary from home through Election.com.

Most of the security problems with Internet voting are, at least in theory, solvable: Encryption can protect voters' privacy; digital signatures can guard against tampering; and the servers that process votes can be shored up against intrusion.

But in an era where home and office computer users continue to fall prey to viruses and worms, it's harder to ensure that a vote hasn't been changed by a program that gains secret control of the voter's machine.

Such a malicious program could spread like a virus, by mailing itself around as an attachment; or in the way of Back Orifice or SubSeven, as a Trojan horse hidden within another, seemingly benign, program. Once installed, it would lie dormant until the second Tuesday in November.

On Election Day, when the victim fills out his or her electronic ballot, the vote-bot would quietly intervene -- changing the vote before it's encrypted and transmitted over the Net. "The election centre is not going to know that the ballot is corrupted," says Phillips.

"A good hack of those kinds of systems wouldn't even be visible," says Lauren Weinstein, co-founder of People For Internet Responsibility and a vocal critic of Web elections. "Basically, what you have is a situation where people's PCs are voting." Multiplied by tens of thousands of infected PCs, "you could actually manipulate elections that way," says Weinstein.

Hacker Challenge

So troubling is the vote-bot problem that some early supporters of Web-based voting are backing away from the idea of turning home PCs into voting booths. "The most important thing is that the voting machine is trusted," says Jim Adler, founder and CEO of VoteHere. "And if you think about today's home PCs, it's hard to trust it for anything, as promiscuous as they are."

In this year's election, VoteHere ran a kiosk-based "shadow election" trial at three polling places in Arizona and California, on Internet-connected PCs shorn of hard drives and dedicated exclusively to the vote. Adler believes the future of home voting is with Internet appliances that are easier to secure than PCs, such as PDAs, interactive television devices, or web-enabled cell phones. "When Internet voting does come to the home, it probably won't be on the PC," says Adler.

Ed Gerck, CEO of California-based SafeVote, disagrees. The company showed its faith in home Internet voting by issuing a public challenge for hackers to attack SafeVote's patented voting system during a non-binding trial at a California polling place. No one, says Gerck, succeeded. "We used vanilla PCs," Gerck says. "We were on the Internet twenty-four hours a day for five days ... and no attacker was successful."

Critics of Web elections argue that so-called "hacker challenges" have more PR value than technical merit, and remain unconvinced that home Internet voting will be secure in the foreseeable future, on any platform.

"The people pushing these systems say you can vote in your pyjamas," says Weinstein. "But do we really want to go down that road and have it end with something that makes Florida look like a walk in the park?"

© 2000 SecurityFocus.com. All rights reserved.
