All Internet voting is insecure: report

"Serious and unacceptable risk" for election fraud

Online voting is fundamentally insecure due to the architecture of the Internet, according to leading cyber-security experts.

Using a voting system based upon the Internet poses a "serious and unacceptable risk" for election fraud and is not secure enough for something as serious as the election of government officials, according to the four members of the Security Peer Review Group, an advisory group formed by the US Department of Defense to evaluate a new on-line voting system.

The review group's members, and the authors of the damning report, include David Wagner, Avi Rubin and David Jefferson from the University of California, Berkeley, Johns Hopkins University and the Lawrence Livermore National Laboratory, respectively, and Barbara Simons, a computer scientist and technology policy consultant.

The federally-funded Secure Electronic Registration and Voting Experiment (SERVE) system is currently slated for use in the US in this year's primary and general elections. It will allow eligible voters to register to vote at home and then to vote via the Internet from anywhere in the world. The first tryout of SERVE is early in February for South Carolina's presidential primary and its eventual goal is to provide voting services to all eligible US citizens overseas and to US military personnel and their dependents, a population estimated at six million.

After studying the prototype system the four researchers said that from anywhere in the world a hacker could disrupt an election or influence its outcome by employing any of several common types of cyber-attacks. "Attacks could occur on a large scale and could be launched by anyone from a disaffected lone individual to a well-financed enemy agency outside the reach of US law," state the three computer science professors and a former IBM researcher in the report.

A denial-of-service attack would delay or prevent a voter from casting a ballot through a Web site. A "man in the middle" or "spoofing" attack would involve the insertion of a phoney Web page between the voter and the authentic server to prevent the vote from being counted or to alter the voter's choice. What is particularly problematic, the authors say, is that victims of "spoofing" may never know that their votes were not counted.

A third type of attack involves the use of a virus or other malicious software on the voter's computer to allow an outside party to monitor or modify a voter's choices. The malicious software might then erase itself and never be detected, according to the report.

While acknowledging the difficulties facing absentee voters, the authors of the security analysis conclude that Internet voting presents far too many opportunities for hackers or terrorists to interfere with fair and accurate voting, potentially in ways impossible to detect.

"The flaws are unsolvable because they are fundamental to the architecture of the Internet," said David Wagner, assistant professor of computer science at UC Berkeley. "Because the danger of successful large-scale attacks is so great, we reluctantly recommend shutting down the development of SERVE and not attempting anything like it in the future until both the Internet and the world's home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear," states the report. There is no way to plug the security vulnerabilities inherent in the SERVE on-line voting design, according to the report's authors.

The Internet voting plan and touchscreen equipment not linked to the Internet are part of a general move in the US toward greater use of computers, provoked in part by the problems associated with paper ballots during the 2000 presidential election. But the authors of the SERVE analysis conclude that opportunities for tampering are being overlooked in the rush to embrace new election technology.

"Voting in a national election will be conducted using proprietary software, insecure clients and an insecure network," concluded report author and former IBM researcher Barbara Simons.

The full security analysis of the SERVE system can be viewed online at servesecurityreport.org. Detailed information about the SERVE system is at serveusa.gov/public/aca.aspx/.

© ENN
