By Brad Friedman, The Brad Blog
A University of Michigan computer scientist and his team were not the only ones attempting to hack the Internet Vote scheme that Washington D.C. had planned to roll out for actual use with military and overseas voters in this Novemberâ€™s mid-term election.
According to testimony given to a D.C. City Council committee last Friday by J. Alex Halderman, asst. professor of electrical engineering and computer science at University of Michigan, hackers from Iran and China were also attempting to access the very same network infrastructure, even as his own team of students had successfully done so, taking over the entirety of the Internet Voting system which had been opened for a first-of-its-kind live test.
[See our report last week on details of what had already been disclosed about Haldermanâ€™s startling hack prior to last Fridayâ€™s hearing.]
â€œWhile we were in control of these systems we observed other attack attempts originating from computers in Iran and China,â€ Halderman testified. â€œThese attackers were attempting to guess the same master password that we did. And since it was only four letters long, they would likely have soon succeeded.â€
In his stunning public testimony — before a single member of the D.C. Board of Ethics and Elections (BoEE), and a nearly empty chamber — Halderman explained how the team had, by the time they discovered their fellow intruders, already gained complete control of the system, itâ€™s encryption key and its passwords. The system was developed as part of an Internet Voting pilot program with the Open Source Digital Voting Foundation.
As The BRAD BLOG reported last week, Haldermanâ€™s team was able to take over the system within 36 hours after it had gone live for testing. After having â€œfound and exploited a vulnerability that gave [them] almost total control of the server software,â€ his team was able to steal the encryption key needed to decode â€œsecretâ€ ballots; overwrite every single ballot cast on the test system; change the votes on those ballots to write-in candidates; discover who had already been voted for and the identities of the voters; install a script that would automatically change all votes cast in the future on the same system; install a backdoor to allow them to come back later; and then leave a â€œcalling cardâ€ — the University of Michigan fight song — which was programmed to play in the voterâ€™s browser 15 seconds after each Internet ballot had been cast.
But the new disclosures offered before the committee on Friday, including the hack attempts by computers in China and Iran, may have been as explosive, if not more so, than the previous revelations. They certainly illustrate and underscore a grave national security threat present in electronic voting systems such as the one D.C. had planned to use, as Lawrence Livermore National Laboratories computer scientist and cyber-security expert Dr. David Jefferson told me during an interview last Friday night on the nationally syndicated Mike Malloy Show which I was guest hosting last week.
The hack of the system forced the D.C. election administrators to shut down their plans for the pilot program which was to have gone live in days, as encouraged and partially funded by the federal Military and Overseas Voter Empowerment (MOVE) Act, which allocated millions of dollars for such Internet Voting pilot programs.
The revelations of the intrusion attempts from China and Iran, however, would not be the only new, previously unreported bombshells Halderman offered during his Friday testimony…
Defending the Network…
â€œWe gained access to this equipment because the network administrators who set it up left a default master password unchanged,â€ Halderman explained to Councilwoman Mary Cheh. â€œThis password we were able to look up in the ownerâ€™s manual for the piece of equipment. And once we did, we found it was only a four-letter password.â€
The University of Michigan team made short order of hacking that simple password, aided in no small part by the team having also taken over the security camera apparatus inside the election boardâ€™s actual data center where the servers were located.
â€œOnce we gained control of this equipment, we could watch in real time on my desktop in Michigan as the network operators configured and tested the equipment,â€ he told the committee. â€œWe could also watch them on camera because we found a pair of security cameras in the data center were on the same network as the pilot system and were publicly accessible with no password at all.â€
When theyâ€™d discovered the foreign intrusions from Iran and China, the â€œwhite hatâ€ hackers from the U.S. actually took measure to protect the D.C. system.
â€œWe decided to defend the network by blocking them out, by adding rules to the firewall, and by changing the password to a more secure one,â€ he explained during his testimony to a stunned Cheh.
â€œYou changed the password of the BoEE system?â€ she interrupted him to ask.
â€œOf the pilot system, yes,â€ Halderman responded.
â€œYou changed it?!â€ Cheh asked incredulously.
â€œWe did, yeah, to something so that the Chinese and Iranian attackers wouldnâ€™t get it,â€ he said.
As if Thatâ€™s Not All Bad Enough…
Halderman also made another dramatic disclosure during his testimony. As his team was looking through the BoEE Internet Voting server, they made another alarming discovery which he revealed rather dramatically by pulling out some 937 pages printed out from a file the team had found and downloaded from the system.
The team had discovered that the local election administrators appeared to have conducted their own tests at some point by sending files to the system that were either longer or shorter than the PDF-formatted ballots that the system would have been expecting, in order to see if those incorrect files were properly rejected in the event that a voter had sent the wrong file instead of their ballot.
Those rejected test files remained on the server, however, where the Michigan team of â€œhackersâ€ were able to rifle through them.
â€œSome of the files were just a page with one sentence, â€˜This is a blank ballot.â€™ Others were much bigger. … But one of the files, which I have here,â€ Halderman explained as he pulled out hundreds of pages to place on the table, â€œone of the files was a 937-page PDF document.â€
â€œIt appears to be the 937 invitation letters that BoEE sent to registered voters. Each page contains the name and voter ID number of a real voter along with the 16-character PIN that is the only password a voter needs in order to use the system in the real election.â€
â€œWe found the document on the test bed server, a system that BoEE invited the world to break into, and that we showed could be broken into very easily,â€ he continued. â€œWe have no way of knowing who else has access to this. The PINs in this document are the most critical secret to protecting the whole voting system.â€
Livermore Labsâ€™ Jefferson, who has advised the last five CA Secretaries of State on voting system security and represents VerifiedVoting.org as one of their Internet Voting experts, explained the importance of this revelation during my interview with him on Friday night.
â€œThis was stunning,â€ he told me. â€œThis file is, in a sense, the holy grail of voter security in the general election if this system were to be used in the general election. Of course, itâ€™s now not going to be. But had an adversary had a copy of that file, they would have been able to cast votes for the legitimate voters, and if theyâ€™d cast them ahead [of the actual voters], their votes would be accepted as legitimate and the actual legitimate voters, when they tried to vote, would be denied because of course you canâ€™t vote twice.â€
Halderman believes the use of that particular file as part of the BoEEâ€™s testing procedures suggests that the administrators of the system are not up to the task of securing such an important system. That same concern has been expressed by critics of e-voting for years, given that local elections supervisors, many of them with no computer science or security experience at all, are often enabled with the task of keeping complicated, sensitive, easily manipulated computer systems secure from both outsider and insider attacks.
â€œIâ€™m just deeply concerned that BoEE does not take security seriously and that it fails to appreciate the security challenges that are faced by any Internet voting system,â€ Halderman said at the conclusion of his prepared testimony.
â€œAll the Votes Had Disappeared…â€
Jefferson found yet another very serious flaw in the D.C. Internet Voting system on his own — one that had not yet been publicly reported until my live interview with him on the Malloy Show Friday night.
He participated in the same open test the week before last, by casting his own vote using D.C.â€™s test-bed system and closely following the instructions he was given. After viewing and filling in the PDF version of the ballot he was offered during the voting process, he saved the file to his system, and sent it back in to the election server — cast his â€œvoteâ€ over the Internet — as directed by the system.
Later, however, he made a startling discovery:
â€œAfter submitting the vote back, the ballot was still on my desktop as a file so I opened it. And I discovered that all the votes had disappeared. I had a blank ballot. Which means that I had sent a blank ballot back to the District of Columbia, not the choices that I had made.â€
â€œI investigated further and discovered that anyone who used certain combinations of browsers and what we call PDF plug-ins would have the same problem,â€ he told me on air. â€œIn fact, unless you used a [stand-alone] Adobe Reader — which many people are familiar with and many people use, but many donâ€™t — unless you used that [versus the web browserâ€™s internal PDF plug-in], you were pretty much guaranteed that your votes would be erased the moment you saved them and you would be disenfranchised.â€
â€œIt was a very serious problem because I actually did follow directions. I did not do anything wrong, and many voters would have had this same problem,â€ Jefferson explained. â€œa large proportion of them would have cast, unknowingly cast, blank ballots. And once you do that thereâ€™s no recovery because you canâ€™t vote twice and the election officials are not supposed to be able to find your ballot and fix it.â€
Had the system actually gone live, under the circumstances, hundreds of ballots (the pilot program was to be done with the participation of some 900 overseas and military voters from D.C.) would likely have been returned over the Internet completely blank to the BoEE for this Novemberâ€™s mid-term election.
That is, of course, presuming the Iranians, Chinese, or anybody else who might have had an interest in the election, not changed all of the ballots to anything they wanted, or kept all of the voters from being able to cast their ballots at all by using the PIN numbers the BoEE had left on the server.
A Matter of US National Security…
â€œMany of us have been arguing that election security is a matter of U.S. national security,â€ Jefferson, who has worked for more than a decade on this issue, told me. He has done so as an adviser to both Republican and Democratic Secretaries of State in California, testified to countless official bodies about his concerns, and most recently worked on CA Sec. of State Debra Bowenâ€™s landmark, 2007 â€œTop-to-Bottom Reviewâ€ of all of the stateâ€™s electronic voting systems (all of which were found to have been easily penetrated and quickly manipulated during the first-of-its-kind public hack testing by an official state commission).
â€œOftentimes the difference between one or another candidate for United States Senator, say, you know, is only a few hundred votes. So itâ€™s really important that it not be possible for foreign governments or crazy self-aggrandizing hackers in other countries — or in our own — to be able to modify votes and get away with it.â€
â€œBut usually this warning that I have given many times, that this is a national security issue, goes, well, people are somewhat skeptical about it. It goes under-appreciated,â€ Jefferson explained diplomatically during our conversation.
â€œSo here we have a case where not even a real election, just a test election, but announced as open to all comers to try to hack, Alex Halderman finds that not one but two teams from national rivals of the United States, Iran and China, are already trying to probe around inside it,â€ he warned.
During his testimony, Halderman explained that he didnâ€™t â€œbelieveâ€ the Iranian and Chinese â€œattackers were specifically targeting the D.C. voting system,â€ but, he added, â€œthis is a large part of why Internet voting is so dangerous. The servers are going to face attacks from powerful adversaries anywhere in the world.â€
A number of election and computer experts had warned the D.C. BoEE against going live with their Internet Voting scheme in the days just prior to the hack. The open tests proceeded nonetheless until administrators finally discovered the University of Michigan fight song was playing on web browsers after ballots had been cast.
Even though the system had been violated almost as soon as it had gone up, â€œthe attack was not detected by the officials for several days, despite the fact that they were looking for such attacks (having invited all comers to try) and despite the fact that the attackers left a â€˜signatureâ€™ by playing the Michigan Fight song after every vote was cast!â€ wrote Jefferson in a blog item at Verified Voting last week, just after Halderman publicly revealed in his own blog item that he and his team had been the â€œculprits.â€
â€œLet there be no mistake about it,â€ Jefferson wrote, â€œthis is a major achievement, and supports in every detail the warnings that the security community have been giving about Internet voting for over a decade now.â€
â€œAfter this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure. … This successful demonstration of the danger of Internet voting is the real deal,â€ he said.
â€œThis Isnâ€™t a Solvable Problemâ€…
During his testimony last Friday, Halderman, and the others who testified with him, made the same point as Jefferson, very clearly arguing that existing computer technology and security safeguards simply do not allow Internet Voting to be carried out securely at this time. They testified that it could possibly revisited in the future, but not for a decadeâ€™s time.
Unlike banking on the Internet or via ATM, they explained, a process which is open to oversight before, during, and after by all involved parties, the secret ballot system used in U.S. elections — where itâ€™s impossible to verify the accuracy of the â€œtransactionâ€ after itâ€™s been made and the identity of the voter must be kept forever a secret — cannot be done safely at this time on the Internet.
â€œThe scientific consensus is that Internet Voting is just too dangerous today based on the limits of todayâ€™s security technology,â€ Halderman testified. â€œIndeed, it will probably be decades, if ever, before the technology is at a level where we can perform voting safely, purely over the Internet.â€
Jeremy Epstein, a computer security and voting systems expert working with Verified Voting who also testified on the same panel with Halderman, said the history of computer security illustrates the problem faced in devising a system that is secure enough for the task of Internet Voting. He testified that he hopes the BoEE takes the right lesson from what happened during this landmark event.
â€œWhat we found in forty years of experience is you can penetrate and patch, and then you penetrate again and you patch again, and you penetrate again and you patch again and you penetrate again and you patch again and it never ends. If it ended, Microsoft would have succeeded. We wouldnâ€™t all be having to reboot our computer and install patches once a month for the past ten years. This is not something that we can just say â€˜Please, BoEE, fix the problems and then we can do it.â€™ This isnâ€™t a solvable problem that way.â€
Indeed, even local, precinct-based computerized voting and vote counting offers a storied history of disasters and meltdowns (scores of them documented in thousands of pages over the years here at The BRAD BLOG), including a number of infamous hacks of both paper-based and touch-screen e-voting systems, some of which were bullet-pointed in our initial article on the D.C. Internet Vote hack, in which we had speculated Halderman was likely behind it. Just weeks earlier, in late August of this year, Halderman succeeded in implanting Pac-Man onto a touch-screen voting system made by Sequoia without disturbing the machines â€œtamper-evidentâ€ seals. And even D.C. elections have had their own share of precinct-based e-voting disasters, such as their 2008 primary election when thousands of â€œphantom votesâ€ for write-in candidates were produced on their paper-based optical-scan voting systems made by Sequoia Voting Systems.
Epstein lauded the D.C. BoEE for allowing this extraordinary test to happen. An open invitation of this type, inviting hackers to try and access an electronic voting system in the U.S., has never been done before. He â€œsalutedâ€ the Council on their â€œexperiment.â€
â€œFor the first time, what computer scientists have been warning could happen in an election, we know that, in fact, it really could happen. It isnâ€™t just a theoretical problem. Itâ€™s a practical problem. So nobody has ever assessed an Internet Voting election before this one. So thatâ€™s why itâ€™s wonderful what you did. And now weâ€™ve learned it. So letâ€™s move on and come back in ten years.â€
â€œLet me ask you this, from a legislative perspective,â€ Cheh asked of each of the panelists as the hearing was winding down, â€œshould the Council, by legislation, just shut this down?â€
The answer from each one of those testifying was an unambiguous â€œYes.â€