
Hack the Vote!

Malicious vote-bots could make hanging chads look tame


In the wake of the Florida vote-count controversy, simple point-and-click Internet elections would seem an attractive 21st Century alternative to traditional cardboard and paper. But before choosing a President becomes as simple as ordering a paperback from Amazon.com, security experts have to surmount an obstacle that makes butterfly ballots look like a cake walk: the potential that malicious hackers could create custom programs that target voters' PCs en masse, and steal Internet elections.

"That's the big problem that everybody's working on," says Deborah Phillips, president of the non-partisan Voting Integrity Project. "It's that scenario that's keeping people up nights."

Several state governments are already exploring Internet voting, and a handful of fiercely competitive companies have made tentative steps into the field. In January, Alaska voters were given the opportunity to participate in a Republican Party straw poll on-line, through the Bellevue, Washington-based company VoteHere. Last March, thousands of US citizens voted in Arizona's Democratic primary from home through Election.com.

Most of the security problems with Internet voting are, at least in theory, solvable: encryption can protect voters' privacy; digital signatures can guard against tampering; and the servers that process votes can be shored up against intrusion.

But in an era where home and office computer users continue to fall prey to viruses and worms, it's harder to ensure that a vote hasn't been changed by a program that gains secret control of the voter's machine.

Such a malicious program could spread like a virus, by mailing itself around as an attachment; or in the way of Back Orifice or SubSeven, as a Trojan horse hidden within another, seemingly benign, program. Once installed, it would lie dormant until the second Tuesday in November.

On Election Day, when the victim fills out his or her electronic ballot, the vote-bot would quietly intervene -- changing the vote before it's encrypted and transmitted over the Net. "The election centre is not going to know that the ballot is corrupted," says Phillips.

"A good hack of those kinds of systems wouldn't even be visible," says Lauren Weinstein, co-founder of People For Internet Responsibility and a vocal critic of Web elections. "Basically, what you have is a situation where people's PCs are voting." Multiplied by tens of thousands of infected PCs, "you could actually manipulate elections that way," says Weinstein.

Hacker Challenge

So troubling is the vote-bot problem that some early supporters of Web-based voting are backing away from the idea of turning home PCs into voting booths. "The most important thing is that the voting machine is trusted," says Jim Adler, founder and CEO of VoteHere. "And if you think about today's home PCs, it's hard to trust it for anything, as promiscuous as they are."

In this year's election, VoteHere ran a kiosk-based "shadow election" trial at three polling places in Arizona and California, on Internet-connected PCs shorn of hard drives and dedicated exclusively to the vote. Adler believes the future of home voting is with Internet appliances that are easier to secure than PCs, such as PDAs, interactive television devices, or web-enabled cell phones. "When Internet voting does come to the home, it probably won't be on the PC," says Adler.

Ed Gerck, CEO of California-based SafeVote, disagrees. The company showed its faith in home Internet voting by issuing a public challenge for hackers to attack SafeVote's patented voting system during a non-binding trial at a California polling place. No one, says Gerck, succeeded. "We used vanilla PCs," Gerck says. "We were on the Internet twenty-four hours a day for five days ... and no attacker was successful."

Critics of Web elections argue that so-called "hacker challenges" have more PR value than technical merit, and remain unconvinced that home Internet voting will be secure in the foreseeable future, on any platform.

"The people pushing these systems say you can vote in your pyjamas," says Weinstein. "But do we really want to go down that road and have it end with something that makes Florida look like a walk in the park?"

© 2000 SecurityFocus.com. All rights reserved.
