2019 Apr 8, 8:18pm
In 2010 Washington D.C. embarked on a pilot project to allow voters to participate in local elections through an online voting system. In September 2010, before collecting real votes, the Board of Elections conducted a pilot test allowing any member of the general public to vote and test the security of the system. Ultimately an attack by a team of researchers from the University of Michigan caused them to cancel the online voting initiative. The researchers were able to seize control of the servers, unmask secret ballots, and alter the final election results. The following information is a summary of what the Michigan team found (please see  for a copy of their paper).

The system itself used a stack consisting of Ruby on Rails, Apache, and MySQL. A front-end web server receives HTTPS requests from the voters and then reverse-proxies them to the application server, which hosts the software and stores the ballots. Multiple firewalls work to complicate attacks by blocking outbound TCP connections. The University of Michigan researchers noted that the intrusion detection system in front of the web server could not decrypt the HTTPS connections carrying their attack, so it never saw it.

To log in to the system the voter needs a voter ID number, registered name, residence ZIP code, and a 16-character hexadecimal PIN. These credentials were sent out to voters in the mail.

The ballots themselves are PDF files, filled out by the voter with a PDF reader and then uploaded to the server. To safeguard ballot secrecy, they are encrypted with a public key issued by election officials. When the election ends they are transferred from the server to an offline machine holding the private key, where they are decrypted and counted. Think about that: they go through the trouble of keeping the ballot-counting machine offline, but allow arbitrary uploaded PDF files to be opened on it. :>

Here are a few of the attacks that the Michigan team found.
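Before going through them, here is the ballot-encryption scheme just described and the forgery it permits, as an added Ruby example using Ruby's standard OpenSSL binding. This is not the D.C. system's code and not the Michigan team's; the key pair, the hybrid AES-256-GCM/RSA-OAEP construction, and the sample ballots are assumptions made for the demo.

```ruby
require 'openssl'

# Stand-ins for the election's key pair (generated for the demo; assumption).
# The public half lived on the application server, the private half only on
# the offline counting machine.
ELECTION_PRIVATE_KEY = OpenSSL::PKey::RSA.new(2048)
ELECTION_PUBLIC_KEY  = ELECTION_PRIVATE_KEY.public_key

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# What the application server did with each uploaded ballot: encrypt it to the
# officials' public key before storing it. A PDF is larger than one RSA block,
# so this uses hybrid encryption (fresh AES-256-GCM key, wrapped with RSA-OAEP);
# the exact construction the real system used is not given here and is assumed.
def encrypt_ballot(public_key, ballot_bytes)
  aes = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  key = aes.random_key
  iv  = aes.random_iv
  ciphertext = aes.update(ballot_bytes) + aes.final
  { wrapped_key: public_key.public_encrypt(key, OAEP),
    iv: iv, tag: aes.auth_tag, ciphertext: ciphertext }
end

# What the offline counting machine does: unwrap the AES key with the private
# key and decrypt. Nothing in the blob tells it who produced the ciphertext.
def decrypt_ballot(private_key, blob)
  aes = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  aes.key = private_key.private_decrypt(blob[:wrapped_key], OAEP)
  aes.iv  = blob[:iv]
  aes.auth_tag = blob[:tag]
  (aes.update(blob[:ciphertext]) + aes.final).force_encoding(Encoding::UTF_8)
end

# Honest voters' ballots as stored on the server (constructed sample; short
# strings stand in for the filled-in PDFs).
def cast_honest_ballots(public_key)
  ['Candidate A', 'Candidate B', 'Candidate A'].map { |c| encrypt_ballot(public_key, c) }
end

# The attack: an intruder holding only the "public" key encrypts a ballot of
# their choosing once per stored ballot and overwrites the lot. The GCM tag is
# no obstacle because the forger picks the AES key too.
def forge_all_ballots(stolen_public_key, stored_ballots, choice)
  stored_ballots.map { encrypt_ballot(stolen_public_key, choice) }
end

# The offline count. It accepts the forgeries without complaint.
def tally(private_key, stored_ballots)
  stored_ballots.each_with_object(Hash.new(0)) do |blob, counts|
    counts[decrypt_ballot(private_key, blob)] += 1
  end
end

if __FILE__ == $PROGRAM_NAME
  stored = cast_honest_ballots(ELECTION_PUBLIC_KEY)
  puts "honest count:  #{tally(ELECTION_PRIVATE_KEY, stored)}"
  stored = forge_all_ballots(ELECTION_PUBLIC_KEY, stored, 'Candidate Z')
  puts "after forgery: #{tally(ELECTION_PRIVATE_KEY, stored)}"
end
```

Run it and the count of the overwritten ballots comes out as the attacker's ticket with no error from the offline decryptor. The encryption key buys confidentiality against an outsider, but nothing in the stored blob says who produced it, so whoever holds that key can mint ballots that are indistinguishable from real ones. Any authenticity check would have to rest on a key the attacker cannot reach, and a fully compromised application server cannot supply one.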
They stole the public key, which despite the term "public" should actually have been kept secret, because whoever holds it can encrypt arbitrary ballots that look exactly like real ones on the server. Once they had the key, they used it to replace every previously cast ballot with a forged ballot voting a ticket of their choosing. They then replaced the ballot-processing function with a modified version that swapped each newly cast ballot for their forged ballot as it came in. This also broke ballot secrecy, since the modified function let them track which ballot belonged to which voter. And an unencrypted copy of each ballot was stored in /tmp by the Paperclip Rails plugin before encryption, so they could correlate the files' timestamps with the server logs and match past ballots to voters as well. The database credentials were sitting in the bash history file.

A 937-page PDF file containing all of the voters' login credentials was even located on the server, also in /tmp. And these were the credentials for the REAL election, not merely the pilot test. Had online voting for the real election not been canceled, they could have used those to vote as actual citizens.

Of course, once finished, they cleaned up the logs and removed all of their files from the application server's directories.

To mark their territory after completely infiltrating the online voting system, they programmed the confirmation page to play the University of Michigan fight song whenever a user cast a ballot.

Despite their musical calling card, it took officials in D.C. 36 hours to detect the attack and stop the pilot (another test user asked on a mailing list what song is played for a successful vote, which raised their suspicions).
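The timestamp correlation described above, as an added Ruby example. This is not the team's tooling; the temp-file paths, the log-line format, the voter IDs and the timestamps are constructed sample data, and a short string stands in for the parsed content of each plaintext PDF.

```ruby
require 'time'

# Constructed sample of what an intruder finds on the application server.
# Plaintext copies of uploaded ballots left behind in /tmp (paths and mtimes are
# made up; a short string stands in for the parsed content of each PDF).
TMP_FILES = [
  { path: '/tmp/ballot-8f21.pdf', mtime: Time.parse('2010-09-30 14:02:10 UTC'), choice: 'Candidate A' },
  { path: '/tmp/ballot-c07d.pdf', mtime: Time.parse('2010-09-30 14:05:39 UTC'), choice: 'Candidate B' },
  { path: '/tmp/ballot-19a4.pdf', mtime: Time.parse('2010-09-30 14:09:02 UTC'), choice: 'Candidate A' },
  # A stray file with no submission within the window; it must stay unmatched.
  { path: '/tmp/ballot-test.pdf', mtime: Time.parse('2010-09-30 13:30:00 UTC'), choice: 'Candidate B' }
].freeze

# Application log lines recording each authenticated request (constructed format).
LOG_LINES = <<~LOG
  2010-09-30 14:02:11 UTC voter=100231 POST /ballot/submit 200
  2010-09-30 14:02:12 UTC voter=100231 GET /ballot/confirm 200
  2010-09-30 14:05:40 UTC voter=100877 POST /ballot/submit 200
  2010-09-30 14:09:03 UTC voter=101042 POST /ballot/submit 200
LOG

SUBMIT_RE = %r{\A(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC) voter=(?<voter>\d+) POST /ballot/submit}

# Pull the (voter, time) pairs for ballot submissions out of the log.
def parse_submissions(log_text)
  log_text.each_line.map do |line|
    m = SUBMIT_RE.match(line.strip)
    m && { voter: m[:voter], time: Time.parse(m[:ts]) }
  end.compact
end

# Match each plaintext file to the submission whose timestamp is closest to the
# file's mtime and within `window` seconds. Returns { voter_id => choice }, which
# is exactly the linkage a secret ballot is supposed to make impossible.
def deanonymize(tmp_files, submissions, window: 5)
  tmp_files.each_with_object({}) do |file, linked|
    nearest = submissions.min_by { |s| (s[:time] - file[:mtime]).abs }
    next if nearest.nil? || (nearest[:time] - file[:mtime]).abs > window
    linked[nearest[:voter]] = file[:choice]
  end
end

if __FILE__ == $PROGRAM_NAME
  deanonymize(TMP_FILES, parse_submissions(LOG_LINES)).each do |voter, choice|
    puts "voter #{voter} voted for #{choice}"
  end
end
```

The window is deliberately small: the plaintext copy is written in the same request that the log records, so a few seconds is enough to pair them and avoids pulling in unrelated files. The check a practitioner wants from this is the reverse one: anything that writes ballot plaintext to disk, even transiently, should be treated as a ballot-secrecy failure, and a temp directory on a server that also keeps per-voter request logs is an attacker's join table.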