Hacking the vote: Internet systems remain unsecure

Updated 9:54 AM EST, Mon November 5, 2012

Story highlights

Expert says going to online voting now would be 'insane'

Report finds that machines can be hacked for as little as $10.50 in parts

Voting machines without paper ballot backup "is not acceptable," another study finds

Within 48 hours of going live, hackers had nearly taken over D.C. test system

(CNN) —  

Hail! to the victors valiant

Hail! to the conqu’ring heroes

Hail! Hail! to Michigan,

the champions of the West!

What in the name of a Wolverine does the University of Michigan fight song have to do with why, in the second decade of the 21st century, we cannot vote online for president?

“From a security point of view, it is an insane thing to do,” David Jefferson, a computer scientist at Lawrence Livermore National Laboratories and chairman of Verified Voting, told Computerworld in March.

In this election cycle, estimates are that about 3.5 million voters in 32 states and the District of Columbia will be able to use their keyboards for at least some portion of the voting process, most of them military service members or Americans living overseas.

“The biggest concern I have about Internet voting is that we don’t know how to do it securely. It sounds wonderful but it’s an oxymoron. We don’t have Internet experts who know how to secure big pieces of the Internet from attack,” Ron Rivest, an expert in cryptology and a professor at the Massachusetts Institute of Technology, told a conference last year at Central Connecticut State University.

Meanwhile, there remain concerns about the voting machines currently in use.

“This is a national security issue. It should really be handled by the Department of Homeland Security,” said Roger Johnston and he should know.

Johnston led a team at the Argonne National Laboratory in Illinois, a research arm of the U.S. Department of Energy, in one of the most disturbing e-voting machine hacks to date, in the view of Brad Friedman, proprietor of the Brad Blog and a vocal critic on the subject of voting machine security.

How secure is your electronic vote?

Hacking on the cheap

Call it hacking on the taxpayers’ dime – and on the cheap, too. Voting machines used by as many as a quarter of American voters heading to the polls in 2012 can be hacked with just $10.50 in parts and an 8th-grade science education, Friedman reported in a review of the experiment.

“…the Argonne team’s attack required no modification, reprogramming, or even knowledge, of the voting machine’s proprietary source code. It was carried out by inserting a piece of inexpensive ‘alien electronics’ into the machine,” he wrote.

This is just one of several hacks in recent years designed to reveal vulnerabilities in voting machines, including one in which the video game Pac Man was installed on a voting machine.

If you want to know what types of equipment your state uses for voting, check out www.verifiedvoting.org.

According to the group’s website:

• One-quarter of the nation’s registered voters will use paperless electronic voting machines that provide no paper record of votes cast. In six states (Delaware, Georgia, Louisiana, Maryland, New Jersey and South Carolina) there is only paperless electronic voting. In five states (Indiana, Pennsylvania, Texas, Tennessee and Virginia), the heavy majority of ballots cast are paperless.

• Two-thirds of American voters use paper ballots. In 19 states, voters will use paper ballots statewide. In 13 states and the District of Columbia, optical scan voting will account for the majority of ballots.

• Thirty-three states plus the District of Columbia provide a paper record for every vote cast. That may be a paper ballot or a printout that the voter can view before casting a ballot on an electric machine.

Sandy has election officials scrambling

’Voting systems frequently fail’

Check out countingvotes.org for a ranking of the states based on voting equipment security. This survey – released in July by the Verified Voting Foundation, the Rutgers University Law School and Common Cause – found that more than 300 voting machine problems were reported in the 2010 midterm elections and more than 1,800 in the 2008 general election.

“Every national election since 2000 has shown us the same thing: Voting systems frequently fail,” the study said. “When they fail, votes are lost. Voters in jurisdictions without paper ballots or records for every vote cast, including military and overseas voters, do not have the same protections as states that use paper ballot systems. This is not acceptable.”

Now, back to “Hail to the Victors.”

Several weeks before the November 2010 election, University of Michigan computer science professor J. Alex Halderman and his students penetrated the District of Columbia’s pilot project of an Internet-based voting system for overseas voters.

Granted, the District did challenge experts to test its system.

“Our objective was to approach the system as real attackers would: starting from publicly available information, we looked for weaknesses that would allow us to seize control, unmask secret ballots, and alter the outcome of the mock election,” Halderman and the team wrote in a paper published earlier this year.

The Michigan team changed votes, reportedly casting one in a school board race for Bender, a robot from the animated series “Futurama,” found voters’ personal information, took control of remote cameras in the computer room and – more worryingly – found evidence of other attacks originating in Iran, China and India.

“Within 48 hours of the system going live, we had gained near complete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election officials did not detect our intrusion for nearly two business days and might have remained unaware for far longer had we not deliberately left a prominent clue,” they reported.

A telltale clue

Oh, yes, that clue: The University of Michigan fight song played when a ballot was submitted.

“Nevertheless, it took two business days for officials to become aware of the infiltration,” the paper noted.

The Michigan crew shared its findings with D.C. election officials, who opted not to use the system in November 2010.

While the D.C. officials acknowledged that, “…we learned many valuable lessons” they maintained: “Even more, voters expect that there will be a day when online voting will be as simple as paying bills or paying taxes. While there will always be citizens who choose to file their taxes on paper and there will always be voters who wish to visit their local polling place on Election Day, election officials know that voters expect, one day, to cast their ballot from their laptop.”

That day already is a reality in the North European nation of Estonia, “the envy of the digital world” and “among the most wired and technologically advanced countries in the world,” Estonia is the leader in Internet voting, CNN reported a year ago.

Critics say that the challenges of secure Internet voting in Estonia, a nation of 1.34 million people, pale in comparison with those in the United States, where roughly 100 times that number of people voted in the 2008 presidential election.

At the conference in Connecticut last year, Rivest estimated that mass online voting in the United States was at least two decades away from reality.

West Virginia leads the way

One of those who had seen the dawning of that day is West Virginia Secretary of State Natalie Tennant.

During the 2010 general election, 125 West Virginia voters, in the military and overseas, cast ballots online. In a paper published this year, Tennant wrote: “To date, no significant deficiencies or concerns have been identified with the West Virginia online voting pilot. In short, what West Virginia did worked. It was a small program that helped an admittedly small group of voters cast their ballot more conveniently. There were 125 opportunities for something to go wrong, but to our knowledge, nothing did.”

Tennant said that for members of the armed forces, particularly those stationed in war zones, being able to vote was meaningful.

Tennant made this plea to skeptics: “Instead of continuing to focus on the shortcomings of Internet voting, opponents could help strengthen it. Computer experts could lend their skills to developing encryption software that guarantees that each ballot is securely transmitted. Election officials could help voters better understand how the process works.

“Internet voting should be a safe, secure, accessible option for voters. It is time that we, as a society, agree that our voting is far too sacred to compromise – and that at some point in time this sacred right and accessible technology must intersect. I believe the time to explore that is now,” Tennant said.

Companies touting online voting are confident they are the future.

“I believe everyone will have the option of voting online, certainly within our lifetime,” Lori Steele, chief executive officer of Everyone Counts, a San Diego-based Internet voting company that provides services in several states, told The Wall Street Journal.