Feeds

Hackers hijack internet voting system in Washington DC

All your votes are belong to us

The essential guide to IT transformation

An internet voting system designed to allow District of Columbia residents to cast absentee ballots has been put on hold after computer scientists exploited vulnerabilities that would have allowed them to rig elections and view secret data.

The system, which was paid for in part by a $300,000 federal grant, was hijacked just 36 hours after Washington DC elections officials began testing it ahead of live elections scheduled for next month. Scientists from the University of Michigan pulled off the hack to demonstrate the inherent insecurity of net-based voting.

“None of this will come as a surprise to internet security experts, who are familiar with the many kinds of attacks that major websites suffer from on a daily basis,” one of the scientists, J. Alex Halderman, wrote on Tuesday on the Freedom to Tinker blog. “It may someday be possible to build a secure method for submitting ballots over the internet, but in the meantime, such systems should be presumed to be vulnerable based on the limitations of today's security technology.”

The pilot system, which was built on open-source software, was deployed a week ago Tuesday, and just 36 hours later, the team was able to take full control of it. Even though their attack caused computers that were used to cast votes to play their alma mater's fight song, it took elections officials until Friday to suspend the site.

It has since been reinstated, but residents can use it only to download ballots that they can print and return by postal mail. Internet voting has been suspended.

The voting application was written on the Ruby on Rails framework and ran on top of the Apache web server and the MySQL database. The scientists were able to hijack the system after they discovered that they could upload ballots with almost any string they wanted. By inserting Unix commands into the file names, they were able to take “almost total control of the server software, including the ability to change votes and reveal voters' secret ballots,” Halderman said.

A file named “ballot.$(sleep 10)pdf,” for instance, caused the server to pause for 10 seconds. They used similar techniques to install a backdoor on the system that allowed them almost unfettered system access.

DC officials deployed the system even after Common Cause and a group of computer scientists and election-law experts warned city officials that the trial posed an unacceptable security risk that "imperils the overall accuracy of every election on the ballot,” The Washington Post reported. Among other shockers in Halderman's post is the revelation that highly secret data, including the database username and password, were stored on the server. ®

Bootnote

No, we never said the gaping holes that were exploited stemmed from the open-source software. FOSS fanbois can now stand down.

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?