31C3: Internet elections can be manipulated
More and more nations are relying on Internet voting, despite negative experiences with voting machines and warnings from security researchers. At 31C3 (www.ccc.de), those researchers are showing that the current technology has little with which to fend off attackers.
At the recent CCC congress in Hamburg, Alex Halderman of the University of Michigan reported on various problems with Internet voting, including in Estonia. The hackers faced two challenges. First, unlike in previous tests, they could not investigate manipulable voting machines offline and, for example, turn them into a Pac-Man machine. Second, interfering with ongoing online elections is a sensitive matter. “As a security researcher you cannot simply hack into a server during an election,” Halderman said. The risk of sabotaging a democratic election result in the process is too great.
But during a test run of a scheduled online election in Washington, the researchers were able to take control of the entire election data center and thereby convince the authorities of the system's flaws. Because Estonia does not conduct such tests, Halderman’s team confined itself to an external analysis of the processes in the first independent study of Internet voting.
The electoral process in the Baltic state is complex: the voter should remain anonymous to the online voting system and at the same time be able to verify that his vote was recorded correctly. The Estonian officials have therefore chosen a digital two-envelope solution that is similar to the classic absentee ballot: a signature ensures that the vote actually comes from an eligible voter, but the votes are counted only after the personal signatures have been stripped from them. The verification works via a mobile app that allows citizens to view their vote again and even to change it. This is meant to prevent vote selling, but it would also allow a Trojan foisted on a citizen to change the vote afterwards.
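The two-envelope idea described above can be sketched as follows. This is an added example, not code from the article or from the Estonian system; the toy textbook RSA, the function names and the sample voters are assumptions made so that it runs with the standard library only.

```python
import hashlib, random, secrets
from collections import Counter

# Toy textbook RSA over fixed Mersenne primes, no padding: a stand-in so the
# example runs offline. Not usable as real cryptography.
def keypair(a, b, e=65537):
    p, q = 2**a - 1, 2**b - 1
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)

def rsa(key, m):
    return pow(m, key[0], key[1])

def digest(m, n):
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % n

def cast(choice, voter_id, voter_priv, election_pub):
    # Inner envelope: the choice plus a random nonce, encrypted to the election key.
    inner = rsa(election_pub, (choice << 64) | secrets.randbits(64))
    # Outer envelope: the voter's signature over the inner envelope.
    return {"voter": voter_id, "inner": inner,
            "sig": rsa(voter_priv, digest(inner, voter_priv[1]))}

def strip_envelopes(ballots, registry):
    latest = {}
    for b in ballots:  # ballots arrive in casting order
        pub = registry.get(b["voter"])
        if pub and rsa(pub, b["sig"]) == digest(b["inner"], pub[1]):
            latest[b["voter"]] = b["inner"]  # a later valid vote replaces the earlier one
    inners = list(latest.values())
    random.shuffle(inners)  # break the link between casting order and ballot order
    return inners  # signatures and voter ids never reach the counting stage

def tally(inners, election_priv):
    return Counter(rsa(election_priv, c) >> 64 for c in inners)

def demo():
    # Constructed sample data: two registered voters, one unregistered sender.
    election_pub, election_priv = keypair(89, 107)
    alice_pub, alice_priv = keypair(61, 31)
    bob_pub, bob_priv = keypair(127, 19)
    registry = {"alice": alice_pub, "bob": bob_pub}
    ballots = [cast(1, "alice", alice_priv, election_pub),
               cast(2, "bob", bob_priv, election_pub),
               cast(2, "alice", alice_priv, election_pub),  # Alice changes her vote
               cast(1, "mallory", bob_priv, election_pub)]  # not in the registry
    forged = dict(ballots[1], inner=ballots[0]["inner"])  # signature on the wrong envelope
    return tally(strip_envelopes(ballots + [forged], registry), election_priv)
```

Note that `strip_envelopes` accepts any later ballot carrying a valid signature, which is why whatever controls the voter's signing key can replace the vote, and that `tally` returns only counts.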
Halderman’s team found several key weaknesses in the system. For instance, the counting computer outputs merely the result of the election and does not sufficiently document how it came about. Although those responsible have taken many security measures to protect the counting computer, according to Halderman these would hardly withstand a serious attack by a state-level attacker.
The security researchers also discovered plenty of evidence of inadequate operational security in the YouTube channel of Estonia's election officials. Gaps lurk in both the clients and the servers: the central (or key) signatures were created on a computer that was obviously used privately, the videos show the access codes for the developers' wireless network, and one video even shows the key to the server room sharply enough to allow a duplicate to be made. During a vodka-soaked night, one of those responsible is even said to have given away a key password.
But state organizations such as the NSA might also try to compromise the counting machine, either in transit from the manufacturer or through manipulated download images for the operating system. Edward Snowden is said to have provided indications of such approaches.