As we posited in our coverage yesterday of D.C.'s Internet Voting scheme, which was hacked with the University of Michigan fight song, J. Alex Halderman, assistant professor of electronic engineering and computer science at the university, was, indeed, at the heart of the hack.
He details tonight that he and a small team of students were happy to participate in the test that D.C. election officials had announced, with just three days' notice, inviting hackers to try to penetrate the system they planned to use this November, as developed with the Open Source Digital Voting Foundation.
Halderman writes in his explanation of how they did it:
Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots.
And if you think that's chilling, Halderman goes on to note that all cast ballots on the system were modified and overwritten with write-in votes, all passwords taken --- including the encryption key, which e-voting supporters constantly suggest will keep such systems safe --- before they went on to install a back door to let them view any votes cast later, after their attack, along with the names of voters and whom they voted for...
- We collected crucial secret data stored on the server, including the database username and password as well as the public key used to encrypt the ballots.
- We modified all the ballots that had already been cast to contain write-in votes for candidates we selected. (Although the system encrypts voted ballots, we simply discarded the encrypted files and replaced them with different ones that we encrypted using the same key.) We also rigged the system to replace future votes in the same way.
- We installed a back door that let us view any ballots that voters cast after our attack. This modification recorded the votes, in unencrypted form, together with the names of the voters who cast them, violating ballot secrecy.
- To show that we had control of the server, we left a “calling card” on the system's confirmation screen, which voters see after voting. After 15 seconds, the page plays the University of Michigan fight song. Here's a demonstration.
Halderman also notes what many of us have been trying to tell Internet Voting proponents for so many years: it's incredibly difficult, if not impossible, to make the system secure...
The specific vulnerability that we exploited is simple to fix, but it will be vastly more difficult to make the system secure. We've found a number of other problems in the system, and everything we've seen suggests that the design is brittle: one small mistake can completely compromise its security. I described above how a small error in file-extension handling left the system open to exploitation. If this particular problem had not existed, I'm confident that we would have found another way to attack the system.
Sounds like this Internet Voting thing for overseas and military voters, which has now been called off in D.C. as of last week's hack, is as brilliantly thought out and executed as the electronic voting and concealed vote counting that nearly the entirety of the nation is currently saddled with at local polling places.
Halderman, as we noted yesterday, was also behind hacking Pac-Man onto a Sequoia touch-screen voting machine last August, and was on the Princeton team which initially hacked Diebold's touch-screen system with a vote-flipping virus back in 2006.