Feeds

Hack the Vote!

Malicious vote-bots could make hanging chads look tame

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

In the wake of the Florida vote-count controversy, simple point-and-click Internet elections would seem an attractive 21st Century alternative to traditional cardboard and paper. But before choosing a President becomes as simple as ordering a paperback from Amazon.com, security experts have to surmount an obstacle that makes butterfly ballots look like a cake walk: the potential that malicious hackers could create custom programs that target voters' PCs en masse, and steal Internet elections.

"That's the big problem that everybody's working on," says Deborah Phillips, president of the non-partisan Voting Integrity Project. "It's that scenario that's keeping people up nights."

Several state governments are already exploring Internet voting, and a handful of fiercely competitive companies have made tentative steps into the field. In January, Alaska voters were given the opportunity to participate in a Republican Party straw poll on-line, through the Bellevue, Washington-based company VoteHere. Last March, thousands of US citizens voted in Arizona's Democratic primary from home through Election.com.

Most of the security problems with Internet voting are, at least in theory, solvable: Encryption can protect voter's privacy; digital signatures can guard against tampering; and the servers that process votes can be shored up against intrusion.

But in an era where home and office computer users continue to fall prey to viruses and worms, it's harder to ensure that a vote hasn't been changed by a program that gains secret control of the voter's machine.

Such a malicious program could spread like a virus, by mailing itself around as an attachment; or in the way of Back Orifice or SubSeven, as a Trojan horse hidden within another, seemingly benign, program. Once installed, it would lie dormant until the second Tuesday in November.

On Election Day, when the victim fills out his or her electronic ballot, the vote-bot would quietly intervene -- changing the vote before it's encrypted and transmitted over the Net. "The election centre is not going to know that the ballot is corrupted," says Phillips.

"A good hack of those kinds of systems wouldn't even be visible," says Lauren Weinstein, co-founder of People For Internet Responsibility and a vocal critic of Web elections. "Basically, what you have is a situation where people's PCs are voting." Multiplied by tens of thousands of infected PCs, "you could actually manipulate elections that way," says Weinstein.

Hacker Challenge

So troubling is the vote-bot problem that some early supporters of Web-based voting are backing away from the idea of turning home PCs into voting booths. "The most important thing is that the voting machine is trusted," says Jim Adler, founder and CEO of VoteHere. "And you if you think about today's home PCs, it's hard to trust it for anything, as promiscuous as they are."

In this year's election, VoteHere ran a kiosk-based "shadow election" trial at three polling places in Arizona and California, on Internet connected PCs shorn of hard-drives and dedicated exclusively to the vote. Adler believes the future of home voting is with Internet appliances that are easier to secure than PCs, such as PDAs, interactive television devices, or web-enabled cell phones. "When Internet voting does come to the home, it probably won't be on the PC," says Adler.

Ed Gerck, CEO of California-based SafeVote, disagrees. The company showed its faith in home Internet voting by issuing a public challenge for hackers to attack SafeVote's patented voting system during a non-binding trial at a California polling place. No one, says Gerck, succeeded. "We used vanilla PCs," Gerck says. "We were on the Internet twenty-four hours a day for five days....and no attacker was successful."

Critics of Web elections argue that so-called "hacker challenges" have more PR value than technical merit, and remain unconvinced that home Internet voting will be secure in the foreseeable future, on any platform.

"The people pushing these systems say you can vote in your pyjamas," says Weinstein. "But do we really want to go down that road and have it end with something that makes Florida look like a walk in the park?"

© 2000 SecurityFocus.com. All rights reserved.

Security for virtualized datacentres

More from The Register

next story
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
4chan outraged by Emma Watson nudie photo leak SCAM
In the immortal words of Shaggy, it wasn't me us ... amirite?
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.