Why Internet Voting is Insecure a case study

Why Internet Voting is Insecure: a case study Barbara Simons

“Those who cast the votes decide nothing. Those who count the votes decide everything. ” Joseph Stalin

Accenture chief named head of e-government • The Cabinet Office has announced that Ian Watmore, the UK managing director of IT services firm Accenture, is to become the head of e-government. In his new role, Watmore faces the task of delivering efficiency savings while improving the delivery of public services by joining up electronic government services around the needs of customers. – Network IT Week, May 25, 2004

A Fairy Tale • 2008 US election: H. Clinton vs J. Bush • 527 Americans hostage in Iran – Bush wants to invade – Clinton calls for negotiations • Country evenly divided • Internet voting throughout country

The Day before the Election • Email from White House warning of computer viruses and providing website for downloading anti-virus software – Millions download – Email not from WH and contains virus • Randomly selects small percentage of votes and changes them to Clinton if had been for Bush • Erases itself

Clinton wins • Millions vote before news of virus • Bush supporters demand new election – No legal provisions – Can’t determine which votes modified because of randomness • Iranian Govt? Democrats? Femi-Nazis? • Teenage hackers and computer scientists suspect • Military put on alert

How does the story end?

Is there a backup plan? • What happens if after election it is discovered that system may have been compromised? – Rerun election? On the same system? ? ? – Ask those whose votes may have been compromised (if you can figure out who they are) to vote again? – What does this do to voter confidence?

E-voting is harder than e-commerce • Requires higher level of security – Democracy depends on voter confidence – Stakes exceedingly high • Hundreds of millions of dollars spent on US Presidency election • Small fraction would be exceedingly large bribe – More challenging • May be ok for my spouse to use my credit card, but no ok for my spouse to vote for me

E-voting hard • Unlike e-voting, denial of service attack on e-commerce may prevent some sales, but does not invalidate those that succeed • May be difficult to detect – Anonymity (US) makes impossible to determine if votes correctly counted – E-commerce failure can be corrected • Amazon sends another book

E-voting hard • How to detect failure? – Airplanes crash – Books not delivered – Outcome doesn’t match exit polls? ? ?

Secure Electronic Registration and Voting Experiment (SERVE) • $22 M Do. D project for ‘ 04 elections and primaries – 7 states - 50 counties in those states – Military and civilians living out of the country • http: //www. serveusa. gov/public/aca. as px

www. servesecurityreport. org David Jefferson Avi Rubin Barbara Simons David Wagner

Conclusions • SERVE contains all security vulnerabilities of paperless touch screen voting machines • Internet- and PC-based systems make it vulnerable to many potentially catastrophic well known cyber attacks • Attacks could be large scale, launched by anyone from anywhere, including hostile countries

Conclusions • Impossible to estimate probability of successful cyberattack on one election – Easy to perpetrate – In some cases software available on Internet – Major elections tempting targets • Vulnerabilities fundamental to architecture of Internet and of PC hardware and software in use today – Cannot be eliminated in the foreseeable future

Conclusions • Unable to recommend alternative involving Internet voting - all insecure • Could appear to work flawlessly – Lack of detected successful attacks does NOT prove that there were none – “Successful” trial could lead to slippery slope of larger scale, more vulnerable systems • Reluctantly recommend immediate shut down of SERVE - was done by Do. D

SERVE System requirements for Voters • Windows 95(? ), 98, 2000, …. • MS Explorer 5. 5 & above or Netscape Navigator 6. x through 7. • Internet connection: dial-up modem, cable, DSL, LAN, WAN, etc. • Downloads an Active. X component

SERVE (con’t) • Users responsible for maintaining the security of their computers, and – voting allowed from public computers with internet access (cybercafes) • Voting planned for a national election using proprietary software, secret testing, insecure clients, and an insecure network

SERVE (con’t) • What would have happened if election appeared to go smoothly in ‘ 04?

Major security problems • Software bugs (may or may not be security) • Insider attacks • Security vulnerabilities of client side of voting equipment • Denial of service attack • Automated vote buying/selling • Man in the middle

Software bugs

Software bugs • Could influence outcome of election • All software buggy – Security holes could be exploited by hackers • Election software is supposed to be certified whenever modifications made – Disincentive to fix bugs – Hard deadline of election – Testing and results are secret

Security Example • Vulnerability in Microsoft Windows Server 2003 software announced July 16, 2003 – Allow hacker to size control of machine and steal information, delete files, read email – Was supposed to be highly reliable and secure – Also impacts Windows 2000, NT, and XP • Could have been used to compromise some currently used election software

Insider attacks

Insider attacks • Anyone with access to vendor’s software, including programmers, executives, and custodians, could insert malicious software • Hacker may be able to insert malicious software • Malicious software, cleverly hidden, could be very hard to detect or locate

Client side computer vulnerabilities

Security risks of computers not owned by voter • Attacker may install malicious software on computers in public locations, e. g. libraries, malls, cybercafes, etc. • Increased vulnerability for minorities and economically disadvantaged

Employer owned computer • 2001 study found 62% of major US corporations monitor employees’ Internet connections • > 1/3 store and review files on employee’s computer • Additional risk for those without home computers, i. e. economically disadvantaged and minorities

Voter’s Computer may be insecure • Computer software – Operating systems, games, multimedia applications, etc – Any could have malicious code – MS Excel 97 contained hidden flight simulator • Not found until after release of product

Remote attack on voter’s computer • Exploit security vulnerability on computer • Take control of voter’s computer via many different programs, e. g. PC Anywhere or Back. Orifice – Home computers tend to have poorer security than corporate machines, and even corporate computers have been successfully attacked – Hackers can automate attacks to scans thousands or even millions for vulnerabilities

Viruses and Worms • Can install malicious code • 2001 Code Red worm infected 360, 000 computers in 14 hrs • Sapphire/Slammer infected 90% of vulnerable hosts on Internet within 10 minutes – Brought down ATMs and caused flight delays – Verisign chart

Viruses and worms (con’t) • Virus checking software works only against previously known viruses • New worms and viruses spread quickly • Easy for programmer to write crude worm modify code for known worm • Small scale worm selectively target smaller population could be hard to detect

How bad can worms be? • One set of experts estimated that small team of experienced programmers could in a few months’ time develop worm that could compromise majority of Internet connected computers within a few hours – Don’t know if would succeed on first attempt or how long would go undetected • Once computer infected, all bets are off

Denial of Service Attacks

Denial of Service (Do. S) Attacks • Hacker overloads system so that voter can’t gain access • Distributed Denial of Service (DDo. S): many machines collaborate to mount joint attack – “Zombies”: compromised machines • Automated tools widely available • Selective disenfranchisement

Examples of DDo. S • CNN, Yahoo, e. Bay: Feb 2000 – Lone teenager not on US soil • Code Red worm contained code to mount DDo. S attack on White House; deflected at last minute (2001) • Canadian Internet election disrupted by Do. S Jan. , 2003 – Mydoom?

Types of Do. S Attacks • Flood the network so that it can’t be used • Overload web server’s computational resources so it can’t respond to voters – Repeated requests to initiate new SSL connections – Slow cryptographic protocol can be overwhelmed by enough zombie requests • Can’t defend against all possible Do. S attacks

May not recognize Do. S • ICANN election – People had problems registering – Many unable to vote near end – Machine capacity issue or Do. S? – Can’t infer that there were no security problems – Some individuals voted multiple times

Automated Buying and Selling

Buying and selling • Provide credentials (passwords, etc) to purchaser who could then vote – Defense would be to limit number of votes from single web address – Not good defense, since proxy servers could make legitimate voters appear to come from same web address; AOL uses same IP addresses for all users • Buyer provide seller with modified version of Active. X component that guarantees voter’s behavior

Man in the Middle or Spoofing

Man in the Middle • Adversary interposes itself between legitimate communicating parties and simulates each party to the other • Achieved by: – – Controlling client machine Controlling local network Controlling upstream network (eg ISP or foreign gov’t) Spoofing voting server (voter thinks is communicating with correct server, but is not) – Attacking Domain Name Server to reroute traffic

Man in the Middle can compromise Privacy • Use of SSL (an encryption technology) cannot prevent, since man in the middle could act as SSL gateway, forwarding between voter and vote server unaltered – Decrypt and re-encrypt to observe results • Useful for – vote buying/selling – Selective disenfranchisement

Michigan Democratic Party’s Primary Internet Voting an Option

Problems with Brief of Mich Dem Party in support of Hearing Officer’s report • “Internet voting is secure” – Internet not secure - voting not secure – Several claims cannot be supported • No detection of successful attack doesn’t mean it never happened. It may have happened and been successful. – Detecting and foiling 100 attacks doesn’t mean that 10 or 100 haven’t been successful.

The Intrusion Detection System • “The IDS filters out and blocks unusual activity on the network, systems or applications. ” • “While there have been attempted penetrations, the system has worked as designed, and has never been compromised. ” (underlining in document)

Problems with IDS • IDS could potentially identify existence of known attack with particular signature, but could do absolutely nothing against new attack that did not look or smell like previous attack • IDS makes decent network monitoring devices for observing network behavior, and useful for after the fact forensics, but not that useful as security devices

Problems with IDS (con’t) • May detect attack, but not necessarily prevent or recover • DDo. S might be detectable, but not stoppable by commercial product, especially if massive attack – FBI annual survey of Federal agencies 56% networks had been successfully intruded during previous years • If no obvious problems, will claim precautions worked, but doesn’t prove anything