Feeds

Hack the Vote!

Malicious vote-bots could make hanging chads look tame

  • alert
  • submit to reddit

The essential guide to IT transformation

In the wake of the Florida vote-count controversy, simple point-and-click Internet elections would seem an attractive 21st Century alternative to traditional cardboard and paper. But before choosing a President becomes as simple as ordering a paperback from Amazon.com, security experts have to surmount an obstacle that makes butterfly ballots look like a cake walk: the potential that malicious hackers could create custom programs that target voters' PCs en masse, and steal Internet elections.

"That's the big problem that everybody's working on," says Deborah Phillips, president of the non-partisan Voting Integrity Project. "It's that scenario that's keeping people up nights."

Several state governments are already exploring Internet voting, and a handful of fiercely competitive companies have made tentative steps into the field. In January, Alaska voters were given the opportunity to participate in a Republican Party straw poll on-line, through the Bellevue, Washington-based company VoteHere. Last March, thousands of US citizens voted in Arizona's Democratic primary from home through Election.com.

Most of the security problems with Internet voting are, at least in theory, solvable: Encryption can protect voter's privacy; digital signatures can guard against tampering; and the servers that process votes can be shored up against intrusion.

But in an era where home and office computer users continue to fall prey to viruses and worms, it's harder to ensure that a vote hasn't been changed by a program that gains secret control of the voter's machine.

Such a malicious program could spread like a virus, by mailing itself around as an attachment; or in the way of Back Orifice or SubSeven, as a Trojan horse hidden within another, seemingly benign, program. Once installed, it would lie dormant until the second Tuesday in November.

On Election Day, when the victim fills out his or her electronic ballot, the vote-bot would quietly intervene -- changing the vote before it's encrypted and transmitted over the Net. "The election centre is not going to know that the ballot is corrupted," says Phillips.

"A good hack of those kinds of systems wouldn't even be visible," says Lauren Weinstein, co-founder of People For Internet Responsibility and a vocal critic of Web elections. "Basically, what you have is a situation where people's PCs are voting." Multiplied by tens of thousands of infected PCs, "you could actually manipulate elections that way," says Weinstein.

Hacker Challenge

So troubling is the vote-bot problem that some early supporters of Web-based voting are backing away from the idea of turning home PCs into voting booths. "The most important thing is that the voting machine is trusted," says Jim Adler, founder and CEO of VoteHere. "And you if you think about today's home PCs, it's hard to trust it for anything, as promiscuous as they are."

In this year's election, VoteHere ran a kiosk-based "shadow election" trial at three polling places in Arizona and California, on Internet connected PCs shorn of hard-drives and dedicated exclusively to the vote. Adler believes the future of home voting is with Internet appliances that are easier to secure than PCs, such as PDAs, interactive television devices, or web-enabled cell phones. "When Internet voting does come to the home, it probably won't be on the PC," says Adler.

Ed Gerck, CEO of California-based SafeVote, disagrees. The company showed its faith in home Internet voting by issuing a public challenge for hackers to attack SafeVote's patented voting system during a non-binding trial at a California polling place. No one, says Gerck, succeeded. "We used vanilla PCs," Gerck says. "We were on the Internet twenty-four hours a day for five days....and no attacker was successful."

Critics of Web elections argue that so-called "hacker challenges" have more PR value than technical merit, and remain unconvinced that home Internet voting will be secure in the foreseeable future, on any platform.

"The people pushing these systems say you can vote in your pyjamas," says Weinstein. "But do we really want to go down that road and have it end with something that makes Florida look like a walk in the park?"

© 2000 SecurityFocus.com. All rights reserved.

5 things you didn’t know about cloud backup

More from The Register

next story
True fact: 1 in 4 Brits are now TERRORISTS
YouGov poll reveals terrible truth about the enemy within
Microsoft exits climate denier lobby group
ALEC will have to do without Redmond, it seems
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
Barnes & Noble: Swallow a Samsung Nook tablet, please ... pretty please
Novelslab finally on sale with ($199 - $20) price tag
Ballmer leaves Microsoft board to spend more time with his b-balls
From Clippy to Clippers: Hi, I see you're running an NBA team now ...
Video of US journalist 'beheading' pulled from social media
Yanked footage featured British-accented attacker and US journo James Foley
Primetime precrime? Minority Report TV series 'being developed'
I have to know. I have to find out what happened to my life
Assange™: Hey world, I'M STILL HERE, ignore that Snowden guy
Press conference: ME ME ME ME ME ME ME (cont'd pg 94)
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?