Wednesday, October 6, 2010

Internet Voting comments by David Jefferson of Verified Voting

(Feel free to forward in full with attribution to David Jefferson of Verified Voting.)

University of Michigan Prof. Alex Halderman has now released some details about his successful attack on the District of Columbia's proposed Internet voting system which has been under test for the last week. (See www.freedom-to-tinker.com.) It is now clear that Halderman and his team were able to completely subvert the entire DC Internet voting system remotely, gaining complete control over it and substituting fake votes of their choice for the votes that were actually cast by the test voters. What is worse, they did so without the officials even noticing for several days.

Let there be no mistake about it: this is a major achievement, and supports in every detail the warnings that the security community has been giving about Internet voting for over a decade now. After this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure.

Computer security and election experts have been saying for over 10 years that the transmission of voted ballots over the Internet cannot be made safe with any currently envisioned technology. We have been arguing mostly in vain that:

1) Remote attack: Internet voting systems can be attacked remotely by any government, any criminal syndicate, or any self-aggrandizing individual in the world.

2) Effective defense virtually impossible: There are innumerable modes of attack, from very easy to very sophisticated, and if anyone seriously tried to attack an Internet election the election officials would have essentially no chance at successfully defending. The election would be compromised.

3) Attackers may change votes arbitrarily: An attack need not just prevent people from voting (bad as that would be), but could actually change large numbers of votes, allowing the attackers to determine the winner.

4) Attacks may be undetected: An attack might go completely undetected. The wrong people could be elected and no one would ever know.

Prof. Halderman demonstrated all of these points:

1) Remote attack: His team of four conducted their attack remotely, from Michigan, via the Internet, without ever getting near Washington, D.C.

2) Effective defense virtually impossible: Although they were restricted from most modes of attack (which would be illegal even in this test situation), they still succeeded in completely owning (controlling) the voting system within about 36 hours after it was brought up, even though they had only 3 days of notice of when it would start. They happened to use one particular small vulnerability that they identified, but they are quite confident that they could have penetrated in other ways as well. Most likely they were the only team to even attempt to attack the system seriously; yet in a real election with something important at stake multiple teams might attack. The fact that the only team that even tried succeeded so quickly is a demonstration that lots of other groups from around the world could also have done it.

3) Attackers may change votes arbitrarily: They not only changed some of the votes, they changed them all, both those cast before they took control of the system and those cast afterward. There is no way that officials can restore the original votes without the attackers' help.

4) Attacks may be undetected: The attack was not detected by the officials for several days, despite the fact that they were looking for such attacks (having invited all comers to try) and despite the fact that the attackers left a "signature" by playing the Michigan Fight song after every vote was cast!

This successful demonstration of the danger of Internet voting is the real deal. It doesn't get any better than this, people.

Alex Halderman, his graduate students Eric Wustrow and Scott Wolchok, and their colleague Dawn Isabel, all deserve enormous credit, congratulations, and thanks.