Let's start by thinking about a
simple model of how an internet voting system might work. The voter on her
home PC, visits a website provided by the election officials that lets her
view the ballot, mark her choices, and then over the internet, submit the
ballot. The ballot travels over the internet to a server operated by the
election officials. This is what is providing the website for the voter
and what's collecting the votes. The server tallies up the results, and
then at the end of the election, the election officials are able to get it
to produce a count of the votes for each candidate. This is a very simple
model you can imagine more complicated arrangements, but this will be fine
for our risk evaluation purposes. Now, we can divide the threats here
into, into different components. And for purposes of this lecture,
we're going to assume that the transport from the client to the server is
over a secure encrypted channel. That will leave us with two categories
of threats. Threats on the client side, and threats on the server
side. We'll talk about threats on the client side in this segment. So, one
threat that can happen on the client side, that is, on the voter's, to the
voter working on her own PC is the threat of coercion. So, think about the
possibilities of coercion that internet voting opens up. They're at least
as bad as those of vote by mail. So, one possibility is coercion in
the workplace. If you're voting over the internet and you're doing it
from a PC at work, your employer probably already reserves the right to
monitor your use of that PC. That means, your boss gets to find out
how you voted. An employer could even ask people deliberately to come
in and vote at work so that they could monitor them, or so that they could
coerce them in other ways. Another problem is spousal coercion or coercion
by other people in the home which is something that we already talked
about in the context of vote-by-mail, but which is a well documented
threat. Finally, there's the threat of coercion by friends and other
associates. People could have parties to all vote together, that kind of
thing. So, all of these concerns arise because an internet voting system,
as we've described, provides very, very weak protection for the secret
ballot. Anyone who can see what's on your computer screen will know how
you voted. This enables other possibilities like a, like selling your
vote, so those are concerns as well. There are some proposals that, that
have been made for how to make, uh, internet voting more resistance to
this. For instance, you could allow someone to vote multiple times over a
period of days where only the last of those times will actually
count. I'm not sure whether this increases or decreases the threat of coercion
though, because someone who wanted to coerce you might just demand that
you vote in front of them at the last possible minute. And, they could
even get you to change your vote if they suspected or found out that you
had earlier voted in a way they didn't like. The next client-side threat
is the idea of theft of credentials. So, in order to log in to the
voting system and cast your vote, you need some way of proving to the
election server that you're an authorized voter. Maybe this is with an
identity card as in Estonia, or maybe it's with a username and password
you've been sent by the election authorities. Someone who wanted to
disenfranchise you or to, or someone who wanted to buy your vote could,
could get you to give them your credentials. So, if you wanted to, if, for
instance, turning over your password or just lending them or giving them
your identity card until the voting period was over. Credential theft is a
bigger problem online though, than in, in other potential applications of
voting technology because it's a widely, widely seen threat in, in other
kinds of sites, like, like e-commerce. So, if you've ever gotten an e-mail
that looks like this, that's asking you to go to a certain site and, and
say verify your account or update your password, otherwise your service is
going to be cut off, this sort of message is most often part of a commonly
practiced scam, something called a phishing attack. Wherein some criminals
will forge a message coming from, say, your bank and get you to go to a
site that they operate instead of the bank's real site. When you go to
that site and enter your username and password, that is just giving away
your credentials, your authentication information, to the scammers.
They'll then go back later and empty out your account. So, these attacks,
phishing attacks are a huge concern online, and could be practiced just as
easily against voting systems. When you receive a message from
the election authorities telling you that you need to go and log into this
other site to update your voting information. Well, that could just as
easily be a scam. A related attack has to do with making impostor websites
and getting people to visit them. This page shows some search results
for trying to download the Adobe Flash Player. These top few ones are advertisements. But
notice that they're directing you to sites that aren't the real Adobe
website. These are asking you to go to sites operated by other people that
may or may not be giving you the real Flash Player
software. Similarly, in an election context, voters might receive mail or
be told by, by people they trust to go to a site other than the real site
in order to cast their ballots. Perhaps, you, you receive a message
saying the, the election has moved to the name of the site that looks very
much like the real one but is not. Scam sites like these if, if the
voter were to visit them might do two things. First, they might, they
would convince the voter, they would make the voter believe they had voted
when in fact they had used the site that wasn't the real election. And
second if the voter logged into them with their real credentials, that
could give the scammers a way as in a phishing attack, as a phishing
attack to go and cast the vote in the voter's stead.
Imposter
sites like this, where you download a program are also frequently a way
that people's home computers get infected with Malware, which is the
next kind of threat I wanna talk about. Malware is malicious
software. It's software that runs on your computer, but does something
that you didn't intend and wouldn't like, usually some kind of criminal
behavior. Frequently encountered kinds of Malware do things like spying on
you, stealing personal information, or using your computer to, to attack
other people. Malware is a huge concern. In, in every day
computing. There's a, a, an extremely high rate of, of personal computers
infected with, with different kinds of Malware of which there are, are
tens of thousands of varieties. This is an example, what you see on the
screen, it looks like it's a program that is running on your computer
that's identified that you're infected with a particular kind of Malware.
Actually, this particular example is a piece of Malware running on your
system that's impersonating an Anti-Malware program. This is a kind of scam,
they're going to try to take your money while claiming that your computer
is infected with other things. When we think about Malware in the
context of voting, there are other possibilities for what that Malware
could do. So, I'd like to stop for a second and let you think about what
Malware running on your computer could do if you were voting in an online
election. What could go wrong? So, there are a few problems with
voting online if you have Malware on your computer, and a huge fraction of
those in the audience for this course almost certainly have some Malware
running on their PCs. One problem is that if this Malware is stealing
personal information, some of the information it could steal might be,
say, your username and password for logging in and voting. That could
then be used by scammers somewhere else to, to cast a vote on your behalf
or to change your vote if the internet voting system allows that. Another
threat, though, is that the Malware might actually actively change your
vote as you are trying to cast it. So, let me give you one way that
this could work, and, and an attack like this was, was demonstrated in the
recent past by, by researchers in the context of internet voting system
called Helios. So, the way this kind of attack might work is, let's say,
the voter has Malware running on her PC that's been designed to steal
votes. She logs into the election website as, as she normally would, fills
out her choices, and hits the cast vote feature to send the vote to the
election server. In the background, integrated into the website in a way
the, the user just can't see, in an invisible way, the Malware could
change that vote on the fly so that it was a vote for another candidate.
It could be changed before it even goes out to the server, so whatever
encryption or protection they're applying on that link between the two
computers would just be bypassed. The election server would see nothing
wrong. It would just see a valid vote for the candidate the voter didn't
intend to vote for. But, let's say, the election server
is user-friendly. It sends back a confirmation or a review screen,
something like that. It's going to tell the voter, it looks like you're
trying to vote for candidate B. Malware on the voter's computer can just change
that message coming back as well, but in the opposite direction so that
the confirmation the voter sees on the screen says she's trying to vote
for A, the candidate she really tried to vote for. Meanwhile, the election
server still thinks the voter was trying to cast the vote for candidate B,
the Malware's preferred candidate. So, this kind of attack hiding in the
background on the PC between the browser interface and the actual message
being transmitted is something that's well within the reach of Malware
available today, there are already scams that try to do things like this
for online banking. So, how would this kind of hypothetical vote stealing
Malware get onto voter's PCs in the first place? We mentioned one way that
Malware can be installed, which is, if voters download an impostor
program, this is what we call a Trojan Horse style of attack. But, there
are other ways. An attacker who wanted to infect voters computers on a
large scale would have a much easier option. And, that is to take advantage
of something called a Botnet which probably has already infected many of
the computers of people watching this course. So here's the idea behind a
botnet. A, a botnet is a kind of malicious distributed computing service,
we might say. There's an attacker, called the bot master, who spends most
of his time going out and trying to infect as many computers as he can
with some Malware he's written that's called a bot client. He maintains a
large army of computers that are infected with this bot client, and can send
instructions out to all of them to do his bidding. It's like they're under
remote control. He can install software, he can instruct them to perform
commands. But all of these computers are now under central criminal
control. What happens then is that the botnet is rented out to other
criminals to actually do their malicious behavior. It's as if you can just
buy access to all of these pre-infected computers on the black
market. Botnets are a thing used for criminal activity like sending spam,
or infecting other computers to make an even bigger botnet. But all
it takes is to go to the right criminal hangout on the internet and
offer some money in order to buy access to these hijacked
computers. So, in the context of voting, we worry about this because there
are already pre-existing very large botnets. There, there are many of,
many different botnets and some of the largest ones, the bot master
controls tens of millions of PCs. Since criminals can just rent time
on these pre-existing botnets rather than infecting computers themselves,
it would be much easier and well within the, the realm of plausibility to,
to infect, to infect vote-stealing software onto millions of voters
machines. Botnets can be rented sometimes for, for pennies per PC, and
many of them include the ability to target just computers in certain
countries. All of this makes the possibility of vote stealing software
being installed on voter's PCs, by a botnet, perhaps just right before the
election, a serious cause for concern. And once installed, especially if the software,
the, the vote-stealing software were shipped just days before voting
were supposed to start, it might be very difficult to detect even a
fairly wide-scale infection. And even more difficult to remove it
in time for the election
There's some equally worrisome
problems that can happen on the server. The, the web server that the
voting officials maintain in order to provide that web site and to accept
the ballots that voters submit. Now the sad state of internet security is
that both client side and server side threats are extremely widespread
problems in other kinds of online applications. And, and, and both very
hard to defend against. But I want to talk about some of the most
important server side threats for voting today. So one threat and one of
the easiest kinds of attacks to carry out is something called the denial-of-service
attack. A denial-of-service attack just tries to knock the server offline,
so that real users can't get to it. Or to make it so slow that real users
go away. Remember those botnets we talked about at the end of the
last segment? Well botnets can be used to commit a massive form of
denial-of-service called the distributed denial-of-service or DDoS attack.
This is where potentially thousands of infected computers on the internet
just try to access the server at the same time, overwhelming it with
traffic. These servers might try to reload that webpage as many times as
they can, all the time, as long as the denial of service attack is going
on. This kind of attack has become a popular form of hacktivism. And there
tools like this. Something called the Low Orbit Ion Cannon. That are
available to people to voluntarily take part in a denial-of-service
attack, and use their home computer as part of a, a massive mob of
machines attacking a particular site that has invoked the ire of the
protesters. This kind of tool was used recently to attack websites of
major credit card operations after those credit card operators stop doing
business with the website Wikileaks. We've also seen examples of denial of
service against elections online. One example from 2012 involved a party
election in Canada. Where the National Democratic Party held an election
that was partly interrupted by denial of service. Another kind of threat
against the server side, is the threat of insider attacks. An insider attack
is attacks by trusted people. Are as much or more of a threat
in Internet voting as they are in other electronic voting systems like DRE
voting. So, if the insiders include people who develop the, the Internet
voting system. People who are running the systems for the elections. The
election authority people who make other pieces of software,
commercial off-the-shelf software for instance that's running on those
machines. Insider attacks are particularly severe, particularly severe
possibility with online voting because its not simply enough to set the
system for election and, and then go away. Any online service has to be
able to respond to attacks as they happen and so people have to be logging
into these servers to monitor them, potentially to update things if new
kinds of problem are discovered. All the time, there are new
software glitches, vulnerabilities discovered in different kinds of server
software. And so we have to update that software as soon as possible in
order to prevent the attack from happening. With a, an online voting
system we're faced with two possibilities. If an attack is discovered
shortly before the election, we can either update the software and install
new software that potentially hasn't been tested, hasn't been vetted for,
kinds of flaws or, or, or, insider attacks embedded in it. Or we can, we
can wait and not update the software, but then, we're running an election
on something that's already known to be vulnerable. So we're, we're face
with the we're face with an extremely difficult, perhaps impossible choice
there. Since an online voting system has to count votes in secret like any
other kind of voting system. This just further complicates
defenses against insider attacks, since we can't be constantly monitoring
the results as things are going on. From the voter's perspective with
the simple online voting system of the, the model that, that we described
at the earlier in this lecture there's just voters have to take the, the
word of election authorities and the people who develop the server software
that their votes are actually being counted. Another kind of threat is
remote intrusion, and this is the sort of thing that is enabled by bugs,
glitches, vulnerabilities as we called them in online server
software. If there certain kinds of flaws in the software that's, that's
serving the website then remote parties can get in. Attackers can access
the servers. Potentially run software on them. Potentially change data on
them. Steal data etcetera. In the context of voting this is really, really
scary since the server is maintaining what is usually the only copy of the
votes. Now, a particularly dangerous kind of server side intrusion is the
result of something we call an advanced persistent threat, or APT. And
what an advanced persistent threat is, is this is an attacker who is who
is specifically targeting a particular a particular server or host. Now,
to explain the distinction many attacks online are, are just the result of
criminals looking for any vulnerable systems that they can find. They
don't care if it's a server at, at a business or a machine in someone's
home. They just want to infect a machine in order to enlist yet another
member of their bot net army. An advanced persistent threat involves an
attacker who's expending all of its resources to attack you. Now this kind
of attack, if the attacker is well resourced can be extremely difficult to
defend against.
some evidence from recent years for
this is that Google, the Pentagon, even the RSA, security company that
makes those secure authentication tokens that you probably use at work.
All of these have been compromised by advanced persistent threats and had
valuable data stolen. So if companies like this, and organizations like
the Pentagon, that have incredible security resources, and so much at
stake, can't defend against advanced persistent threats, then what are the
odds that an election authority can? I don't think they're very good. Some
advanced persistent threats in recent years have are believed to have
originated from foreign governments. And state sponsored attacks, are
probably the scariest threat against internet voting systems. To give you
one example. This is probably the best known state- sponsored
attack. A piece of malware, that researchers discovered and named
Stuxnet. Was found spreading around on the internet. But when
researchers looked at it, they found that it was vastly more complex
than almost any other piece of malware they had discovered to
date. Furthermore, when they tried to figure out where in the world
computers were infected, plotted it on a map like this, they found that
the, the majority of the infections were located in computers in
Iran. We later learned from, from leaks from the White House that Stuxnet
was developed as a partnership between intelligence services in the
U.S. And in Israel. And its purpose was to target and sabotage the
Iranian nuclear program. This is one of the, the best documented instances
we have to date of state-sponsored malware being used essentially for
cyber warfare purposes. But you can imagine if the resources of the state
could be directed to, to interfere with a national program like Iran's
nuclear program then a covert operation sponsored by, by
foreign governments to interfere with an election to change votes and
influence national policies is well within the realm of
possibility. And we just don't know how to defend against well-resourced
advanced persistent threats in state sponsored attacks like this. The
state of computer security is not developed to the point where we can reliably
defend against them. So with all these threats, the, I, I think we need to
put them in context a little bit, and, and look at a couple
of comparisons. The first comparison I want to discuss is between
internet voting and postal voting. How do the, the threat scenarios
differ? If we vote by mail, is internet voting really that much more
dangerous? Well, both of them suffer from some of the same
problems. The same risks of coercion or vote buying that they create,
because they provide such weak ballot secrecy protections. But internet
voting has some aspects where it's, it's much more dangerous. Because
attackers could target the centralized server that's collecting all of the
votes. That's one point that they could get into. And, and change
everything in the election. With the postal system possibly a
large conspiracy within the postal office could open ballots and change
votes. But this would be much more difficult to do without getting
caught. Another distinction has to do with denial of service. With an
internet voting system, it would be relatively easy to attack the
servers and knock them offline for the period of voting. With the
post office, and postal voting, it's very, very hard to make all of
the ballot papers not be delivered without anybody noticing.
Another distinction that I want to
draw is between internet voting and online banking. Something I hear all
the time is, I can bank online, why can't I vote online, this is the
twenty-first century. Well, it turns out that voting and, and e-commerce
are radically different problems, and in many ways, voting is a much more
difficult security problem to solve. And that comes from that tension I,
I talked about in the beginning, between integrity and the secret
ballot. So with online banking we have a lot of protections involved that
involve disclosing what it was you bought or how much money you spent or
earned. These are things like receipts that might be sent to you saying
what you bought. Credit card statement at the end of the month. A, a,
a bank statement showing how much money is in your account. In addition to
this on and back at the bank they're doing double ledger accounting with
carefully controlled audits. They're keeping track of every dollar at all
times. So, with voting. These protections just can't be implemented,
because the election authorities aren't allowed to just have a list of
every person and how they voted. We can't give you a receipt because
that would just make vote a vote selling and vote buying that much easier. We
can't we can't have the election authorities monitoring every
transaction on the, the granularity of the, the votes on the
ballot. Because that could be tied to the identity. So those kinds of
protections just can't be implemented in voting because of the secret ballot.
Another difference is, with online banking if there's fraud then odds are
extremely good that you are going to notice. If someone's stolen your
money, at, at, at some point, you'll go to buy something and there wont be
any money left in your account. If the transaction won't go through. With
internet voting, if someone has shifted votes from one column to another,
we may never notice.
So, for
all of these reasons Internet voting is, is a much harder problem
than online banking. But, guess what? Banks suffer many, many
millions of dollars of fraud online every year. But, its just part of the
cost of doing business to accept that these attacks take place. I don't
know how much voting fraud is an acceptable, is acceptable in order to allow
people to vote online. But I don't think most voters would think it was a
very high amount.
So, all of the problems we just
talked about are things that can go wrong on the voter's PC. They're
client side threats. There's some equally worrisome problems that can
happen on the server. The, the web server that the voting officials
maintain in order to provide that web site and to accept the ballots that
voters submit. Now the sad state of internet security is that both client
side and server side threats are extremely widespread problems in other
kinds of online applications. And, and, and both very hard to defend
against. But I want to talk about some of the most important server side
threats for voting today. So one threat and one of the easiest
kinds of attacks to carry out is something called the denial-of-service
attack. A denial-of-service attack just tries to knock the server offline,
so that real users can't get to it. Or to make it so slow that real users
go away. Remember those botnets we talked about at the end of the
last segment? Well botnets can be used to commit a massive form of
denial-of-service called the distributed denial-of-service or DDoS attack.
This is where potentially thousands of infected computers on the internet
just try to access the server at the same time, overwhelming it with traffic.
These servers might try to reload that webpage as many times as they can,
all the time, as long as the denial of service attack is going on. This
kind of attack has become a popular form of hacktivism. And there tools
like this. Something called the Low Orbit Ion Cannon. That are available
to people to voluntarily take part in a denial-of-service attack, and use
their home computer as part of a, a massive mob of machines attacking a
particular site that has invoked the ire of the protesters. This kind of
tool was used recently to attack websites of major credit card operations
after those credit card operators stop doing business with the website
Wikileaks. We've also seen examples of denial of service against elections
online. One example from 2012 involved a party election in
Canada. Where the National Democratic Party held an election that was
partly interrupted by denial of service. Another kind of threat against
the server side, is the threat of insider attacks. An insider attack is
attacks by trusted people. Are as much or more of a threat
in Internet voting as they are in other electronic voting systems like DRE
voting. So, if the insiders include people who develop the, the Internet
voting system. People who are running the systems for the elections. The
election authority people who make other pieces of software,
commercial off-the-shelf software for instance that's running on those
machines. Insider attacks are particularly severe, particularly severe
possibility with online voting because its not simply enough to set the
system for election and, and then go away. Any online service has to be
able to respond to attacks as they happen and so people have to be logging
into these servers to monitor them, potentially to update things if new
kinds of problem are discovered. All the time, there are new
software glitches, vulnerabilities discovered in different kinds of server
software. And so we have to update that software as soon as possible in
order to prevent the attack from happening. With a, an online voting
system we're faced with two possibilities. If an attack is discovered
shortly before the election, we can either update the software and install
new software that potentially hasn't been tested, hasn't been vetted for,
kinds of flaws or, or, or, insider attacks embedded in it. Or we can, we
can wait and not update the software, but then, we're running an election
on something that's already known to be vulnerable. So we're, we're face
with the we're face with an extremely difficult, perhaps impossible choice
there. Since an online voting system has to count votes in secret like any
other kind of voting system. This just further complicates
defenses against insider attacks, since we can't be constantly monitoring
the results as things are going on. From the voter's perspective with
the simple online voting system of the, the model that, that we described
at the earlier in this lecture there's just voters have to take the, the
word of election authorities and the people who develop the server software
that their votes are actually being counted. Another kind of threat is
remote intrusion, and this is the sort of thing that is enabled by bugs,
glitches, vulnerabilities as we called them in online server
software. If there certain kinds of flaws in the software that's, that's
serving the website then remote parties can get in. Attackers can access
the servers. Potentially run software on them. Potentially change data on
them. Steal data etcetera. In the context of voting this is really, really
scary since the server is maintaining what is usually the only copy of the
votes. Now, a particularly dangerous kind of server side intrusion is the
result of something we call an advanced persistent threat, or APT. And
what an advanced persistent threat is, is this is an attacker who is who
is specifically targeting a particular a particular server or host. Now,
to explain the distinction many attacks online are, are just the result of
criminals looking for any vulnerable systems that they can find. They
don't care if it's a server at, at a business or a machine in someone's
home. They just want to infect a machine in order to enlist yet another
member of their bot net army. An advanced persistent threat involves an
attacker who's expending all of its resources to attack you. Now this kind
of attack, if the attacker is well resourced can be extremely difficult to
defend against.
some evidence from recent years for
this is that Google, the Pentagon, even the RSA, security company that
makes those secure authentication tokens that you probably use at work.
All of these have been compromised by advanced persistent threats and had
valuable data stolen. So if companies like this, and organizations like
the Pentagon, that have incredible security resources, and so much at stake,
can't defend against advanced persistent threats, then what are the odds
that an election authority can? I don't think they're very good. Some
advanced persistent threats in recent years have are believed to have
originated from foreign governments. And state sponsored attacks, are
probably the scariest threat against internet voting systems. To give you
one example. This is probably the best known state- sponsored
attack. A piece of malware, that researchers discovered and named
Stuxnet. Was found spreading around on the internet. But when
researchers looked at it, they found that it was vastly more complex
than almost any other piece of malware they had discovered to
date. Furthermore, when they tried to figure out where in the world
computers were infected, plotted it on a map like this, they found that
the, the majority of the infections were located in computers in
Iran. We later learned from, from leaks from the White House that Stuxnet
was developed as a partnership between intelligence services in the
U.S. And in Israel. And its purpose was to target and sabotage the
Iranian nuclear program. This is one of the, the best documented instances
we have to date of state-sponsored malware being used essentially for
cyber warfare purposes. But you can imagine if the resources of the state
could be directed to, to interfere with a national program like Iran's
nuclear program then a covert operation sponsored by, by
foreign governments to interfere with an election to change votes and influence
national policies is well within the realm of possibility. And we
just don't know how to defend against well-resourced advanced
persistent threats in state sponsored attacks like this. The state of
computer security is not developed to the point where we can reliably
defend against them. So with all these threats, the, I, I think we need to
put them in context a little bit, and, and look at a couple
of comparisons. The first comparison I want to discuss is between
internet voting and postal voting. How do the, the threat scenarios
differ? If we vote by mail, is internet voting really that much more
dangerous? Well, both of them suffer from some of the same
problems. The same risks of coercion or vote buying that they create,
because they provide such weak ballot secrecy protections. But internet
voting has some aspects where it's, it's much more dangerous. Because
attackers could target the centralized server that's collecting all of the
votes. That's one point that they could get into. And, and change
everything in the election. With the postal system possibly a
large conspiracy within the postal office could open ballots and change
votes. But this would be much more difficult to do without getting
caught. Another distinction has to do with denial of service. With an
internet voting system, it would be relatively easy to attack the
servers and knock them offline for the period of voting. With the
post office, and postal voting, it's very, very hard to make all of
the ballot papers not be delivered without anybody noticing.
Another distinction that I want to
draw is between internet voting and online banking. Something I hear all
the time is, I can bank online, why can't I vote online, this is the
twenty-first century. Well, it turns out that voting and, and e-commerce are
radically different problems, and in many ways, voting is a much more
difficult security problem to solve. And that comes from that tension I,
I talked about in the beginning, between integrity and the secret
ballot. So with online banking we have a lot of protections involved that
involve disclosing what it was you bought or how much money you spent or
earned. These are things like receipts that might be sent to you saying
what you bought. Credit card statement at the end of the month. A, a,
a bank statement showing how much money is in your account. In addition to
this on and back at the bank they're doing double ledger accounting with
carefully controlled audits. They're keeping track of every dollar at all
times. So, with voting. These protections just can't be implemented,
because the election authorities aren't allowed to just have a list of
every person and how they voted. We can't give you a receipt because
that would just make vote a vote selling and vote buying that much easier. We
can't we can't have the election authorities monitoring every
transaction on the, the granularity of the, the votes on the
ballot. Because that could be tied to the identity. So those kinds of
protections just can't be implemented in voting because of the secret
ballot. Another difference is, with online banking if there's fraud then
odds are extremely good that you are going to notice. If someone's stolen
your money, at, at, at some point, you'll go to buy something and there
wont be any money left in your account. If the transaction won't go
through. With internet voting, if someone has shifted votes from one
column to another, we may never notice.
So, for
all of these reasons Internet voting is, is a much harder problem
than online banking. But, guess what? Banks suffer many, many
millions of dollars of fraud online every year. But, its just part of the
cost of doing business to accept that these attacks take place. I don't
know how much voting fraud is an acceptable, is acceptable in order to
allow people to vote online. But I don't think most voters would think it
was a very high amount.
We've just heard about a large
number of threats that internet voting systems would have to deal with.
Most of these are problems that, other kinds of online systems are
subjected to all the time. But with experience with real internet voting
systems. The few that have been deployed in practice. We, we seldom
hear about attacks against them, and this could just be because attackers,
who really do break into a system, very rarely will admit in public that
they've broken the law and successfully stolen votes. What I am about to
tell you, is, is going to be, the best experience we have with the
security of a real deployed Internet voting system, from people who hacked into it
and are able to tell about it. And, what I am about to tell you is
the story of how I hacked into the Washington D.C. Internet Voting
System. In 2010, the District of Colombia, essentially, the city
government of Washington, D.C., announced that they were going to implement
a new pilot system for allowing absentee voters living overseas to cast
their ballots over the internet. Now, when D.C., announced this, they
did some things right. One thing they did was they went to
the research community and ask people who study electronic voting how they
should build their internet voting system. And what most researchers told
them was, was, was the same. They said no, no don't do, do internet
voting. The technology is not mature enough. There are going to be too
many risks. But the D.C. officials decided to go forward with their pilot
system anyway. And they scheduled it for use in the 2010 general
election. One thing they did that was, perhaps a compromise with the
research community, was the D.C. officials announced that they were gonna
hold a public trial where anyone interested would be allowed to try to
hack into the system during a mock election that would be held just before
the real election and prove, that there were problems with it. So in
general, this kind of pilot study and this kind of adversarial test, has a
few problems. First, the, these pilot studies, usually have very unclear
goals and criteria, and as a result, the people who run them almost always
declare that they're successful when they're done. Second, they usually
have unrealistic ground rules for testing. Limitations that a real
attacker wouldn't face. Very limited time to prepare for
instance, limited access to the system. All of these things make, make it,
harder to demonstrate flaws as a researcher without making the system any
more secure against real attackers. Finally, if no problem is found,
that doesn't necessarily mean there are no problems. It could just
mean that no one was interested in testing it. Or that the people who were
testing it weren't very good or weren't very lucky. A real attacker, we
always want to assume in security, is going to be luckier,
more resourceful, and smarter than we are. Despite these problems, the
D.C. offer was, of a public test was just too good to pass up. Its
not every day that you are invited to hack into government computers
without going to jail, and anyway this was going to be, one of the best
chances we'd have as a research community, to see how, election officials,
might respond in the event of a successful attack if we were to get
in. There were still some big problems with the way the DC test was set
up. There were only, a few, a few days' notice given before the mock
election was going to start. And it stopped, just a few days
before real voters had to use the system. Not nearly enough time to fix
any problems that would, that might be found. Furthermore, we could only
test the server side of the system. The client, in demonstrating attacks
like adding malware to people's PCs would be off limits, since we couldn't
actually break into other people's home computers to test that
out. Still, as I say, this was too good an opportunity to, to, to pass
up. And so, my research, team at Michigan and I took part in the DC
trial. So, let me start by telling you a little bit about how their system
was designed. It had a lot of very nice security features. This
system ran on a series of servers in Washington that were well isolated
from each other. There was a firewall in front of a web server and
another firewall in front of an application server that ran the
actual vote counting software. That software was written in a
programming system called Ruby on Rails that is really widely used for
developing other kinds of online services. It was developed by a team of
volunteers who were experienced web developers, and they even made the
software open-source so that other people could, could evaluate its
quality. So, let me walk you through the DC system as a voter would use
it. The voter would first go to the home page of the election and declare
that they wanted to vote a digital ballot. The system also had a way to,
just download a blank ballot, fill it out, pencil and paper and mail it
back. But the path we're concerned with is the digital voting, where you
send your vote back over the Internet. So, the voter would then see this
user friendly screen outlining the process and then they'd authenticate to
the system. They'd fill in their name and voter ID number as well as a
long alphanumeric PIN number. This would be a PIN sent to the voter
in the mail along with their instructions. And by the time the mock
election took place, all the real voters who were going to use this system
had already received instructions and PINs. At this point, the voter
confirms their identity, and then they're given the option to download a
ballot. Now, the ballots in this system were PDF files. And part of
the reason for this was that the election officials at the end of
the process were going to print out these completed ballots and count them
along with other, vote-by-mail ballots. So, the voter uses their PDF
reader to, mark their preferred candidates and saves the PDF file and goes
back to the website uploads the saved file. That's it. The ballot is
cast. The voter sees a thank you screen on which they can then tell
everyone they voted on Facebook and Twitter.
So, now you've seen how this works.
Why don't you think a little bit like an attacker, and try to figure out,
what mechanisms you might use to try to attack the election server in the
D.C. System. Then I'll tell you what we came up with at Michigan when we
come back.
Let me tell you about my approach to
attacking the D.C. System. In looking at the system I tried to as,
as closely as I could play the role of a real attacker and try to do the,
the, the things a real attacker would. The first thing I did was I
recruited a really good team of technical people to help me out. And
these included my students Scott Wolchok and Eric Wustrow as well as
Dawn Isabel, a member of the university's technical staff, who holds the
most awsome job title in the world of Ethical Hacker. Her job is to help
the university with its own internal security testing. So, with this team
assembled, we started looking at, at the DC system, from the, the safety
of our laboratory. Not wanting to let on that we were attempting to
penetrate it or that, that we were even interested. So, we downloaded a
copy of the source code. And, DC did a great thing by making
this open source, because for one thing, it made the test much more realistic.
In a closed source system, where the
code isn't available, resourceful attackers, are probably going to be able
to find it anyway. How could they do this? They could bribe or coerce some
of the developers involved. They can break into some of the developers'
computers. One of the attacks against Google I mentioned in the last
segment was an attempt to steal some of Google's source code. All of these
things would be off limits in a, a penetration test like this. So, making
the code available to the attackers at the beginning, just helped to make
it a realistic simulation. So, when we looked at the code, we spent, we
spent probably, probably four, five hours reading through it. And I tried
to apply the security mindset and think like an attacker as much as
possible in this process. So, we concentrated our efforts on places in the
code, that are on what's called the attack surface. That is, things that,
an attacker might be able to, might be able to cause to run, things that,
process data that could be controlled by an attacker and so forth. These
are going to be the most, the easiest parts to exploit if there is any
kind of mistake the programmers have made. So after a few hours of looking
at the code, we finally, honed in, honed in on this procedure. And
probably most of you aren't going to know what's going on, but some people
who understand Ruby on Rails will get a sense for it. The yellow line
there caught my eye. What's happening here is that this is part of the
code that processes ballot files after voters upload them. And the server
is programmed to store the uploaded ballot in a temporary file. And then
run a command to encrypt that uploaded ballot. The ballots would be
encrypted with a public key, the corresponding private key to which was
stored offline. This was meant as a way to help boost ballot secrecy so
that anyone who did access the server wouldn't be able to read the
ballots. They could only later be read after being moved to another
computer. But in the process of doing this, the programmers made a
mistake. So, if you look at this line, this is the, the line that's
causing the ballots to be encrypted. There's one subtle
glitch. They've used double quotation marks in a place where they should
have been using single quotation marks. This turned out to be enough to
completely compromise the system and steal all the votes. So, let me
explain what's happening here a little bit better. When I upload a ballot,
it gets stored into a temporary file. If the ballot is named ballot.pdf,
the temporary file is going to be some random name.pdf. But we noticed,
that because of a glitch in the code, if I named the ballot ballot.xyz,
the temporary file would also be named something.xyz. That piece of the
file that's called the file extension that normally tells you what type of
file it is, ended up being used without any changes on the server. Now,
the problem is, that this kind of processing that the server was doing to
encrypt the file, was essentially just something that would be executed on
the Linux command line on the server. It was forming a longer command,
involving the file name and then telling the computer to run that command.
So if we took another command, let's say a command that says "sleep
5" which tells the computer to just pause for five seconds and put
that in a certain formatted way into the name of the ballot file. That
would appear verbatim on the server and be executed as part of the command
that the server ran to encrypt the file. Because they used double
quotation marks in a place they should have used single quotation marks,
the server doesn't just treat whatever is uploaded as a name. It will
treat it as a name that might have other commands embedded in it.
So, this little glitch, a small
punctuation error, coupled with a problem of not sanitizing that file
extension was enough to take over the server. Even though we thought we'd
have a way into this system thanks to this vulnerability. We didn't know
for sure whether this would actually work on the real elections server the
way it was really configured. So, far we just was speculating about it in
the lab from reading the code. And so, we spent a lot of time, doing other
surveillance on the network. Scanning the, the set of network addresses
that the, DC officials announced were part of the test, to see what else
was plugged in and whether there would be any other avenues for an attack
if we needed a plan B. So, we mapped out the network and how, how
everything seemed to be connected. And we found one very interesting device
plugged in. This was something called a terminal server. This is a
device that network administrators use to gain remote access and, do setup
and configuration tasks on other pieces of network plumbing. So this is
all happening much lower in the network. In the, in the pipes, so to
speak. What we found when we looked at the terminal server was it, it told
us what model it was when we connected. And we were able to Google and
find the, the owner's manual on the manufacturer's website. It told us
that these devices shipped with a certain default password installed. So
we thought, let's try that. Turns out, the people who set up this device
never bothered to change the default password. It's an easy mistake to
make. But what it let us do was take over the terminal server and, change
its programming to add, a certain kind of backdoor, that would let us see
in real time, as the network administrators logged in to and configured
the other pieces of their network plumbing. Including some very high-end
routers and switches that were going to be used elsewhere on the DC
network. We were able to get all of their passwords when they logged into
these devices to watch what programming changes they made, and,
potentially that would have given us a way to program those devices in the
real election. But there was one other thing we noticed when we were
hacking into to the, the terminal server. And that's that we weren't the
only people trying to attack it. The other attack attempts, I'm
convinced were not at all part of the, the, the authorized DC
trial. Instead, they were intrusion attempts coming from real attackers in
Iran and in China. Now, I don't think that these attackers were
actually targeting the Washington, D, D.C. Voting system. I think they had
no idea what they were trying to hack into. These are, were probably
automated attacks that are an everyday phenomenon all across the
internet. They were attackers who were just trying to hack into whatever
computers are vulnerable, in order to add them to their botnets or use
them for other criminal purposes. However, we didn't want that to
interfere with the D.C. trial. And it would have been very easy for
them to eventually guess these default, the default password on this
device. So, we did D.C. a favor, , and we changed the password to
something stronger to lock out those, those real attackers. Even though
they weren't, they probably weren't targeting the election. It's an
important reminder of the kinds of global hacking threats that an internet
voting system has to overcome.
So at this point, we had real-time
views into the configuration that was being done on the network by the
real sysadmins. We also found something else really revealing on the
network. And that was a series of network cameras that had no password
whatsoever, but were broadcasting real-time views of the server room. We
got to, see the server hardware where the election was, going to take
place, and we got to watch people coming in and out of the data center.
So, we could see if they were making any system changes for instance. We
could also see some of their security procedures. Here's the night
watchman who can't tell that we've hacked into the systems. Also,
this gave us an incredible amount of perspective into whether our
other attacking attempts had been caught. We could tell by the change in
the attitude and, and look of the system administrators between before and
after they eventually learned of our intrusion. So, before they were quite
calm. Afterwards, they seemed pretty upset. At this point, our preparations
were complete. It was time to try out our attack against the real
server. We decided to wait until after five o'clock, because we could tell
from the security cameras that that's when the people monitoring the
system usually went home for the night. So, after five, we, logged into
the web server and tried to upload a ballot containing malicious commands
that would exploit the vulnerability we had found in the software. To our
surprise it didn't work . There was a glitch. It turned out that we hadn't
anticipated one part of the configuration. So, we had to do some more
engineering, back in the, back at the drawing board back in the
lab. After some heroic effort by my students, by nine p.m., we finally
were in. We had complete control of the server. Now, I want to pause for a
second and let you think about what you would do in this
situation. So, you're playing the role of an attacker. What are you
going to do to the server now that you have control? So, here's what we
did after we had broken into the DC internet voting server. The first
thing, like a real attacker would probably do, is we stole everything we
could. That is, we collected the, database passwords, keys, log files. Any
data that might possibly be useful for us to break back into the server,
in case the election officials caught on midway, and tried to kick us off.
The next thing was we launched the main payload of the attack. We changed
all the existing votes to be votes for our own slate of candidates. And
here's the ballot we voted. Every race has a write-in candidate for an
evil robot or AI from science fiction or the movies. Notice Bender from
Futurama for school board. So, the votes were encrypted until it
was going to be time to count them. And because of this, there'd be no way
for the election officials to notice that we had changed the votes until
after the election was over. The encryption, however, didn't
present any obstacle to us because the votes were being encrypted with a
public key that was on the same computer. Next, we rig the system to
replace any subsequent votes with our slate of evil robots. This
involved changing the software running on the machine to make
it dishonest. After that, we added a back door, something that would
compromise ballot secrecy, and allow us to figure out how everyone
intended to vote. Even though their candidates were being replaced with
our candidates. We would still know what their original intent was,
violating the secret ballot. Like a real attacker, the last thing we did
was we cleared the logs, and tried to erase all the evidence that we had
broken into the system. But still, part of our exercise was to try to
test how well election officials would respond. Would they be able to
detect the attack and, and recover from it? So, we decided to give the election
officials, a, a little bit of a leg up, and we left a kind of calling card
for them. What we did was we changed the code on the thank you page that
appears every time a voter completes the process. We added these
lines. After a delay of a few seconds. The voter's PC will start playing
The Victors, the University of Michigan football fight song. Even
though we had added the fight song to the page every voter would see. It
still took two days before election officials noticed. And even then, it
was only because another person testing the system, wrote an email to the
D.C. Officials saying, everything looks pretty good. But I don't like the
music that plays at the end. It's too distracting. There was one more
thing that we found in the system, and, this was probably the most
disturbing thing of all. In the directory where, the uploaded ballots were
stored, there was another glitch in system that prevented the, the
temporary ballot files from being erased when they would done. And we
noticed that there were a bunch of files left over that people had
uploaded in testing the system even before the, the public trial
began. Someone, an insider at the election office, had been testing it and
had been making sure it rejected files that weren't proper ballots. It
looks like this person just uploaded files that were lying around on his PC
at the election office. The installation files for a
software program, for example. But one of the files was much larger
than the others that had been used in testing. This file was a 937 page
PDF document. When I opened it up I couldn't believe what I was looking
at. Every page looked like this. This file was the actual mail merge
for the letters sent to the real voters including the secret PIN for every
real voter invited to participate in the system. These letters had
already been sent out. There wasn't time before the election to send out
another round and the officials had through very, very sloppy
testing given away the passwords for all the real voters on a server they
invited the world to hack into. There was no way that the real
election could be ran, could, could be securely performed, now that these
credentials had been given away. So, in the wake of our attack,
Washington, D.C. Officials evaluated again whether they wanted to use
the system. And, in my opinion, very correctly decided not to use it with
real voters in the actual election. Instead, they did something that is
very sensible. They made the path to let voters download and print a
ballot and mail it back available to, to all the real overseas
voters. This provides far fewer, security risks than actually collecting
the votes on a server that could be hacked into. So, there are a number of
lessons that I draw from the DC experience. One is that web applications
tend to be brittle. Small mistakes like those, those, double quotes
instead of single quotes, can have huge consequences like all the votes
being stolen. This is an inherent problem with the way web
applications are developed today. The technology just is not secure
or mature enough for applications like voting.
Another
problem is that officials are just not very well equipped to detect
and respond to server-side intrusion. It's hard enough for Google, the
Pentagon, security companies. Election officials at jurisdictions around
the world have far fewer resources. One of the biggest problems with
internet voting is that a lot of the threats that stand in it's way are
some of the biggest challenges in computer security today. Problems like
phishing. Problems like people breaking into servers. Problems like
malware on clients. These are things that everyone wants to solve for
every other online application, and it's extremely unlikely that
we'll find a way to make all of those problems go away just for voting
without years and years of research to try to improve the state of
computer security across the rest of the Internet. For this reason, my
conclusion is that it's going to be decades, if ever, before we're able to
vote online securely.
