Feeds

Hack the Vote!

Malicious vote-bots could make hanging chads look tame

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

In the wake of the Florida vote-count controversy, simple point-and-click Internet elections would seem an attractive 21st Century alternative to traditional cardboard and paper. But before choosing a President becomes as simple as ordering a paperback from Amazon.com, security experts have to surmount an obstacle that makes butterfly ballots look like a cake walk: the potential that malicious hackers could create custom programs that target voters' PCs en masse, and steal Internet elections.

"That's the big problem that everybody's working on," says Deborah Phillips, president of the non-partisan Voting Integrity Project. "It's that scenario that's keeping people up nights."

Several state governments are already exploring Internet voting, and a handful of fiercely competitive companies have made tentative steps into the field. In January, Alaska voters were given the opportunity to participate in a Republican Party straw poll on-line, through the Bellevue, Washington-based company VoteHere. Last March, thousands of US citizens voted in Arizona's Democratic primary from home through Election.com.

Most of the security problems with Internet voting are, at least in theory, solvable: Encryption can protect voter's privacy; digital signatures can guard against tampering; and the servers that process votes can be shored up against intrusion.

But in an era where home and office computer users continue to fall prey to viruses and worms, it's harder to ensure that a vote hasn't been changed by a program that gains secret control of the voter's machine.

Such a malicious program could spread like a virus, by mailing itself around as an attachment; or in the way of Back Orifice or SubSeven, as a Trojan horse hidden within another, seemingly benign, program. Once installed, it would lie dormant until the second Tuesday in November.

On Election Day, when the victim fills out his or her electronic ballot, the vote-bot would quietly intervene -- changing the vote before it's encrypted and transmitted over the Net. "The election centre is not going to know that the ballot is corrupted," says Phillips.

"A good hack of those kinds of systems wouldn't even be visible," says Lauren Weinstein, co-founder of People For Internet Responsibility and a vocal critic of Web elections. "Basically, what you have is a situation where people's PCs are voting." Multiplied by tens of thousands of infected PCs, "you could actually manipulate elections that way," says Weinstein.

Hacker Challenge

So troubling is the vote-bot problem that some early supporters of Web-based voting are backing away from the idea of turning home PCs into voting booths. "The most important thing is that the voting machine is trusted," says Jim Adler, founder and CEO of VoteHere. "And you if you think about today's home PCs, it's hard to trust it for anything, as promiscuous as they are."

In this year's election, VoteHere ran a kiosk-based "shadow election" trial at three polling places in Arizona and California, on Internet connected PCs shorn of hard-drives and dedicated exclusively to the vote. Adler believes the future of home voting is with Internet appliances that are easier to secure than PCs, such as PDAs, interactive television devices, or web-enabled cell phones. "When Internet voting does come to the home, it probably won't be on the PC," says Adler.

Ed Gerck, CEO of California-based SafeVote, disagrees. The company showed its faith in home Internet voting by issuing a public challenge for hackers to attack SafeVote's patented voting system during a non-binding trial at a California polling place. No one, says Gerck, succeeded. "We used vanilla PCs," Gerck says. "We were on the Internet twenty-four hours a day for five days....and no attacker was successful."

Critics of Web elections argue that so-called "hacker challenges" have more PR value than technical merit, and remain unconvinced that home Internet voting will be secure in the foreseeable future, on any platform.

"The people pushing these systems say you can vote in your pyjamas," says Weinstein. "But do we really want to go down that road and have it end with something that makes Florida look like a walk in the park?"

© 2000 SecurityFocus.com. All rights reserved.

Security for virtualized datacentres

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
Apple CEO Tim Cook: TV is TERRIBLE and stuck in the 1970s
The iKing thinks telly is far too fiddly and ugly – basically, iTunes
Huawei ditches new Windows Phone mobe plans, blames poor sales
Giganto mobe firm slams door shut on Microsoft. OH DEAR
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
OECD lashes out at tax avoiding globocorps' location-flipping antics
You hear that, Amazon, Google, Microsoft et al?
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.