All Internet voting is insecure: report

"Serious and unacceptable risk" for election fraud

Online voting is fundamentally insecure due to the architecture of the Internet, according to leading cyber-security experts.

Using a voting system based upon the Internet poses a "serious and unacceptable risk" for election fraud and is not secure enough for something as serious as the election of government officials, according to the four members of the Security Peer Review Group, an advisory group formed by the US Department of Defense to evaluate a new on-line voting system.

The review group's members, and the authors of the damning report, include David Wagner, Avi Rubin and David Jefferson from the University of California, Berkeley, Johns Hopkins University and the Lawrence Livermore National Laboratory, respectively, and Barbara Simons, a computer scientist and technology policy consultant.

The federally-funded Secure Electronic Registration and Voting Experiment (SERVE) system is currently slated for use in the US in this year's primary and general elections. It will allow eligible voters to register to vote at home and then to vote via the Internet from anywhere in the world. The first tryout of SERVE is early in February for South Carolina's presidential primary and its eventual goal is to provide voting services to all eligible US citizens overseas and to US military personnel and their dependents, a population estimated at six million.

After studying the prototype system the four researchers said that from anywhere in the world a hacker could disrupt an election or influence its outcome by employing any of several common types of cyber-attacks. "Attacks could occur on a large scale and could be launched by anyone from a disaffected lone individual to a well-financed enemy agency outside the reach of US law," state the three computer science professors and a former IBM researcher in the report.

A denial-of-service attack would delay or prevent a voter from casting a ballot through a Web site. A "man in the middle" or "spoofing" attack would involve the insertion of a phoney Web page between the voter and the authentic server to prevent the vote from being counted or to alter the voter's choice. What is particularly problematic, the authors say, is that victims of "spoofing" may never know that their votes were not counted.

A third type of attack involves the use of a virus or other malicious software on the voter's computer to allow an outside party to monitor or modify a voter's choices. The malicious software might then erase itself and never be detected, according to the report.

While acknowledging the difficulties facing absentee voters, the authors of the security analysis conclude that Internet voting presents far too many opportunities for hackers or terrorists to interfere with fair and accurate voting, potentially in ways impossible to detect.

"The flaws are unsolvable because they are fundamental to the architecture of the Internet," said David Wagner, assistant professor of computer science at UC Berkeley. "Because the danger of successful large-scale attacks is so great, we reluctantly recommend shutting down the development of SERVE and not attempting anything like it in the future until both the Internet and the world's home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear," states the report. There is no way to plug the security vulnerabilities inherent in the SERVE on-line voting design, according to the report's authors.

The Internet voting plan and touchscreen equipment not linked to the Internet are part of a general move in the US toward greater use of computers, provoked in part by the problems associated with paper ballots during the 2000 presidential election. But the authors of the SERVE analysis conclude that opportunities for tampering are being overlooked in the rush to embrace new election technology.

"Voting in a national election will be conducted using proprietary software, insecure clients and an insecure network," concluded report author and former IBM researcher Barbara Simons.

The full security analysis of the SERVE system can be viewed online at servesecurityreport.org. Detailed information about the SERVE system is at serveusa.gov/public/aca.aspx/.

© ENN
