Voting System Test Hack Elects Futurama's Bender To School Board

mr crypto writes with this quote from El Reg: "In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election. 'It was too good an opportunity to pass up,' explained Professor Alex Halderman from the University of Michigan. 'How often do you get the chance to hack a government network without the possibility of going to jail?' With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory (PDF) on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn't spot them. The team also managed to guess the login details for the terminal server used by the voting system. ... The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman's personal favorite) Bender for head of the DC school board."

Bender

[rwise2112]

Bite my shiny metal ass!

"managed to guess the login details"

[chemicaldave]

If you read the article, they didn't even have to guess really. The default root password for the HTTP admin interface was left intact. They then downloaded the etc/passwd file and cracked it in only 3.5 hours because, surprise surprise, the secondary administrator password was piss poor "cisco123"

Seriously. Who hired these clowns?

Re:"managed to guess the login details"

[jeffmeden]

If you read the article, they didn't even have to guess really. The default root password for the HTTP admin interface was left intact. They then downloaded the etc/passwd file and cracked it in only 3.5 hours because, surprise surprise, the secondary administrator password was piss poor "cisco123"

Seriously. Who hired these clowns?

It gets even better. The guys attacking it decided to put in a *modicum* of security since there basically was none AT ALL... I can only hope that they actually wanted a really really really soft honeypot for this whole test, and that it wasn't just the E-voting system that they were testing. If it was, god help us all.

We realized that one of
the default logins to the terminal server (user: admin, password: admin) would
likely be guessed by the attacker in a short period of time, and therefore decided
to protect the device from further compromise that might interfere with the
voting system test. We used iptables to block the offending IP addresses and
changed the admin password to something much more difficult to guess. We later
blocked similar attacks from IP addresses in New Jersey, India, and China.

Re:Ruby on Fails? LOL

[dgatwood]

The initial problem was a string interpolation vulnerability in a modified Ruby library that executes a shell command to encrypt PDF ballots. That's a pretty basic mistake that has nothing really to do with Ruby or Rails. If you interpolate into a string (or concatenate data into a string) without sanitizing the data, and then execute it, you're asking for trouble, no matter whether it's Rails or Java or C.

Not really. In C, you'd have gotten called an idiot within a few seconds if you used system() or popen(). Properly written C code using fork() and exec() does not require you to sanitize the string in any way.

Re:Ruby on Fails? LOL

[icebraining]

A simple search reveals that Ruby has fork() and exec() too. The problem is the "properly written" part.

Re:At least

[Anonymous Coward]

The protocol for a proper paper ballot vote is not vulnerable in that way. It goes like this:

On the morning of the election day, observers of all parties and interested citizens witness the sealing of empty ballot boxes. The ballot boxes don't leave the room, and enough observers to prevent collusion must be present at all times.

The election is carried out with observers of all parties watching to confirm that only people eligible to vote put one ballot each into the ballot box.

At the end of the day, the ballots are counted under the eyes of observers of all parties. The result is signed by all observers, each observer makes a note of the result and the signed result is posted locally. The result is relayed upward, where all local results are posted again together with the aggregate result.

This protocol ensures that no single entity can change a number without other interested parties having the opportunity to notice the manipulation.

This protocol is simple enough that no expertise is necessary to memorize it, understand why it works, and verify that it is followed correctly. It is the only protocol with these important properties.

Very similar to the protocol for DRE

[davide marney]

It is the only protocol with these important properties.

That is incorrect. I am a poll worker in Virginia, and we follow a very similar protocol for our DRE voting machines. We run the machines through a double-blind test prior to the vote, under the observation of multiple parties, and then we seal them. During the vote, the machines are kept in the open and observed by multiple parties. Each hour, the total votes cast are compared to the total voters allowed into the polling place, and the results called in my phone, and independently recorded, by the Registrar. At the end of the voting day, the vote totals are printed on paper, called into the Registrar by phone, and then aggregated by the State Board of Election. We then transfer the totals in ink onto a separate report, make a backup copy of the database, seal our report and the machines, and deliver them to the Registrar. The sealed reports and backup data go to the local courthouse, where they are locked away until the vote is certified.

In order to defeat our system, you would have to do it in the open, under the (very) watchful gaze of multiple parties both partisan and neutral, and you would have to do it in a way that did not change the total number of votes cast. I'm not saying it's impossible, but it would be really, really hard.

I have been volunteering for many years, know a thing or two about machine security, and am very confident that we run a clean, fair, and open election with results that are far better than a paper ballot count. If I had a choice between a paper and a machine/electronic balloting process, I would never choose to use paper. Paper is an awful medium for counting. You may have noticed that places where counting is important -- like banks -- paper is no longer used. There's a reason for that!

Re:At least

[Anonymous Coward]

That's not the protocol. The protocol requires that the ballot boxes are always under the scrutiny of multiple observers with opposing interests, from the moment they're sealed to the time they're opened again for ballot counting. The protocol furthermore requires that the observers confirm both eligibility to vote and that only one ballot per voter is put into the ballot box. This is usually achieved by keeping a list of people who have voted (or in countries without good means of identification, keeping a voter count and marking the right hand of the voter with indelible ink). Then they're handed a ballot, they fill out the ballot and put it in the ballot box. At the end of the day, you can see if mistakes were made by checking if there are discrepancies between the voter count and the ballot count.