It could take the U.S. at least another decade to perfect systems that would allow voters to securely cast their ballots on the Internet, a Washington, D.C., official has concluded after disturbing vulnerabilities were revealed in an Internet voting test bed launched last month by the district.
Even though Washington, D.C.’s experimental system that would allow overseas voters to upload their ballot online was successfully hijacked by a University of Michigan team of computer scientists, Washington, D.C., elections executive director Rokey Suleman testified at a district council meeting on Oct. 8 that he is happy with the experiment and that research on the system should continue.
“This is an important project for moving the nation forward on this idea,” Suleman said.
But perfecting the cyber-security for such a system could take another 10 years and much more research and development, Suleman said. Washington, D.C.’s pilot system for online-only voting isn’t ready for a real election, he added. The system’s functionality that allows overseas voters to print their ballot via a PDF and return it through ground mail does work, he said.
Suleman’s comments came hours after University of Michigan assistant professor J. Alex Halderman told a City Council committee how last month his research team effectively took control of the experimental system, only 36 hours after the Washington, D.C. Board of Elections and Ethics invited the public to try to exploit the system.
A “shell injection” vulnerability in effect allowed the researchers to remotely log in as a privileged user to the Digital Vote by Mail system, through which they were able to change the results of votes that were cast. The team changed the votes to fictitious candidates that were “mostly evil science fiction robots,” Halderman said, and also left a calling card on the vote confirmation page that played the University of Michigan fight song after 15 seconds. That vulnerability went undetected for two days, he said.
“A real attack might be completely invisible and might have gone on much, much longer,” Halderman said.
At least one intrusion by his team went undetected, Halderman said. They found a default password that was unchanged on the election board’s pilot network, a four-letter word that was printed in the owner’s manual for the equipment. The exploit allowed Halderman’s team to control routers and switches on the network. They were able to watch in real time on a desktop computer located at the university as the board’s network administrators tested and configured the system. They also gained access to two video cameras located in the data center because they were running on that same vulnerable network, Halderman said.
The disclosure of these vulnerabilities comes as governments try to comply with the new Military and Overseas Voter Empowerment (MOVE) Act passed in 2009, which mandates that state and local governments to put measures in place no later than the November 2010 elections that will make voting more accessible and reliable for U.S. military and overseas citizens. Under the act, paper ballots must be mailed to overseas citizens no later than 45 days prior to an election. Several states, such as Delaware, West Virginia, Tennessee, Arkansas and Idaho, have begun implementing technology that will digitally deliver the ballot to them and allow them to mail it back through the postal service.
Halderman said there is no plausible way to secure Internet voting at this time, although delivering paper ballots digitally is much more realistic and secure. His opinion was backed by privacy and voting watchdogs who accompanied to the committee meeting.
A subject matter expert from Esri told the City Council that Washington, D.C.’s experimental voting system was designed much better than many other voting systems, yet it still remained vulnerable to cyber-intrusion.
D.C. Council member Mary Cheh told Suleman she believes the experimentation on online voting should be discontinued and the money and resources be spent elsewhere. Halderman said online voting should only be used in extreme cases where a person cannot return the ballot by postal mail.