Is online voting a security risk?

The world is moving online and so too now is politics. But as online, electronic voting (e-voting) increasingly becomes a reality, are we opening ourselves up to vote rigging by power-hungry politicians or fame-seeking hackers?

Voting has traditionally been a pen and paper exercise: a slip filled in and placed into a sealed ballot, with results counted and recorded by independent volunteers.

Of course, this doesn’t mean that the result can’t be swayed, unintentionally or otherwise. There have been some notorious examples of foul play – Slobodan Milošević was accused of rigging elections in 1996 and 2000 in Yugoslavia – while errors can also occur, as best illustrated by the 2000 US presidential election, when a fault with Florida’s ballot paper led some people to vote for the wrong candidate.

In 2006, the Dutch Minister of Interior withdrew the license of over 1,000 voting machines from manufacturer SDU NV after intelligence agencies found it was possible to eavesdrop from up to 40 meters away.

In fact, criminals have had numerous opportunities to exploit the tried and tested paper method, such as inserting malicious code into the software of voting machines, tampering with the hardware in order to adjust totals, and even abusing the administrative rights on machines used by election officials to vote multiple times.

Open to attack

These risks are only magnified when voting systems are pushed online. Brazil, Belgium and Estonia are just a few examples of the countries to have taken to e-voting, and while they have seen the benefits from the improved speed, accessibility and legibility (no more illegible ticks or crosses), they could be more open to attack.

For instance, data sent over the internet on any one of these machines could be targeted by man-in-the-middle attacks in the browser used, while hackers could also look to compromise users by sending fake registration confirmation emails. In addition, brute force attacks could be launched against passwords, while ‘hacktivists’ may look to carry out a DDoS attack, flooding the web server with traffic and knocking the voting system offline altogether.

These issues are not just hearsay – there have been recent examples too: the ‘iVote’ internet system used in the New South Wales state election in Australia was last month found to be vulnerable to an array of flaws, including the FREAK SSL vulnerability.

Meanwhile, in Virginia, US, AVS WinVote touchscreen voting machines were similarly vulnerable, and had been using simple passwords like ‘abcde’ and ‘admin’ from 2002 to 2014 – making it relatively easy for hackers to create and execute malicious code.

“[The] bottom line is that if no Virginia elections were ever hacked (and we have no way of knowing if it happened), it’s because no one with even a modicum of skill tried,” wrote Jeremy Epstein, of non-profit SRI International, in a blog post. He worked on a Virginia state legislative commission investigating the voting machines in 2008 and has been trying to get them decertified ever since.

Do mobile apps have a future?

At the same time, the proliferation of mobile apps could be used in future, although there’s a cautionary tale there too: earlier this year, a Swedish talent show using an app for viewer voting claimed that it had been hacked, with votes lost.

The smartphone app for the Swedish song contest ‘Melodifestivalen’ let viewers make ‘heartvotes’ during the performance of their chosen artist. Every user was able to use this system to make up to five such votes for each song, but votes went off the charts during one artist’s performance and some votes were lost, leading to the strong possibility that the service was hit by a DDoS attack.

“We are investigating an attack. The servers are configured for a very heavy load, but this was abnormal and extreme,” said event manager Christel Tholse Willers at the time.

According to ESET security researcher Stephen Cobb, any politician or government official considering electronic voting should first read this paper: “If I Can Shop and Bank Online, Why Can’t I Vote Online?” Cobb says, “Better than anything else I’ve read, this article by David Jefferson, a computer scientist at Lawrence Livermore National Laboratory, explains the ways in which voting differs from other activities that have moved online.”

This isn’t to say that all is lost for e-voting, especially as researchers at the University of Birmingham recently demonstrated a new form of online voting which would allow a voter to vote securely even if their machine was infected with a virus. However, it does go to show that with new opportunities come new risks too.

Author , ESET

Copyright © 2016 ESET, All Rights Reserved.