Why Internet Voting is Insecure: a case study Barbara Simons
“Those who cast the votes decide nothing. Those who count the votes decide everything.” • Joseph Stalin
Accenture chief named head of e-government • The Cabinet Office has announced that Ian Watmore, the UK managing director of IT services firm Accenture, is to become the head of e-government. In his new role, Watmore faces the task of delivering efficiency savings while improving the delivery of public services by joining up electronic government services around the needs of customers. • Network IT Week, May 25, 2004
A Fairy Tale • 2008 US election: H. Clinton vs J. Bush • 527 Americans hostage in Iran • Bush wants to invade • Clinton calls for negotiations • Country evenly divided • Internet voting throughout country
The Day before the Election • Email from White House warning of computer viruses and providing website for downloading anti-virus software • Millions download • Email not from WH and contains virus • Randomly selects small percentage of votes and changes them to Clinton if had been for Bush • Erases itself
Clinton wins • Millions vote before news of virus • Bush supporters demand new election • No legal provisions • Can’t determine which votes modified because of randomness • Iranian Govt? Democrats? Femi-Nazis? • Teenage hackers and computer scientists suspect • Military put on alert
Is there a backup plan? • What happens if after election it is discovered that system may have been compromised? • Rerun election? On the same system??? • Ask those whose votes may have been compromised (if you can figure out who they are) to vote again? • What does this do to voter confidence?
E-voting is harder than e-commerce • Requires higher level of security • Democracy depends on voter confidence • Stakes exceedingly high • Hundreds of millions of dollars spent on US Presidency election • Small fraction would be exceedingly large bribe • More challenging • May be ok for my spouse to use my credit card, but not ok for my spouse to vote for me
E-voting hard • Unlike e-voting, denial of service attack on e-commerce may prevent some sales, but does not invalidate those that succeed • May be difficult to detect • Anonymity (US) makes it impossible to determine if votes correctly counted • E-commerce failure can be corrected • Amazon sends another book
E-voting hard • How to detect failure? • Airplanes crash • Books not delivered • Outcome doesn’t match exit polls???
Secure Electronic Registration and Voting Experiment (SERVE) • $22M DoD project for ‘04 elections and primaries • 7 states - 50 counties in those states • Military and civilians living out of the country • http://www.serveusa.gov/public/aca.aspx
www.servesecurityreport.org • David Jefferson • Avi Rubin • Barbara Simons • David Wagner
Conclusions • SERVE contains all security vulnerabilities of paperless touch screen voting machines • Internet- and PC-based systems make it vulnerable to many potentially catastrophic, well-known cyber attacks • Attacks could be large scale, launched by anyone from anywhere, including hostile countries
Conclusions • Impossible to estimate probability of successful cyber-attack on one election • Easy to perpetrate • In some cases software available on Internet • Major elections tempting targets • Vulnerabilities fundamental to architecture of Internet and of PC hardware and software in use today • Cannot be eliminated in the foreseeable future
Conclusions • Unable to recommend alternative involving Internet voting - all insecure • Could appear to work flawlessly • Lack of detected successful attacks does NOT prove that there were none • “Successful” trial could lead to slippery slope of larger scale, more vulnerable systems • Reluctantly recommend immediate shut down of SERVE - was done by DoD
SERVE System requirements for Voters • Windows 95(?), 98, 2000, …. • MS Explorer 5.5 & above or Netscape Navigator 6.x through 7. • Internet connection: dial-up modem, cable, DSL, LAN, WAN, etc. • Downloads an ActiveX component
SERVE (con’t) • Users responsible for maintaining the security of their computers, and • voting allowed from public computers with internet access (cybercafes) • Voting planned for a national election using proprietary software, secret testing, insecure clients, and an insecure network
SERVE (con’t) • What would have happened if election appeared to go smoothly in ‘04?
Major security problems • Software bugs (may or may not be security) • Insider attacks • Security vulnerabilities of client side of voting equipment • Denial of service attack • Automated vote buying/selling • Man in the middle
Software bugs • Could influence outcome of election • All software buggy • Security holes could be exploited by hackers • Election software is supposed to be certified whenever modifications made • Disincentive to fix bugs • Hard deadline of election • Testing and results are secret
Security Example • Vulnerability in Microsoft Windows Server 2003 software announced July 16, 2003 • Allows hacker to seize control of machine and steal information, delete files, read email • Was supposed to be highly reliable and secure • Also impacts Windows 2000, NT, and XP • Could have been used to compromise some currently used election software
Insider attacks • Anyone with access to vendor’s software, including programmers, executives, and custodians, could insert malicious software • Hacker may be able to insert malicious software • Malicious software, cleverly hidden, could be very hard to detect or locate
Security risks of computers not owned by voter • Attacker may install malicious software on computers in public locations, e.g. libraries, malls, cybercafes, etc. • Increased vulnerability for minorities and economically disadvantaged
Employer owned computer • 2001 study found 62% of major US corporations monitor employees’ Internet connections • > 1/3 store and review files on employee’s computer • Additional risk for those without home computers, i.e. economically disadvantaged and minorities
Voter’s Computer may be insecure • Computer software • Operating systems, games, multimedia applications, etc • Any could have malicious code • MS Excel 97 contained hidden flight simulator • Not found until after release of product
Remote attack on voter’s computer • Exploit security vulnerability on computer • Take control of voter’s computer via many different programs, e.g. PC Anywhere or BackOrifice • Home computers tend to have poorer security than corporate machines, and even corporate computers have been successfully attacked • Hackers can automate attacks to scan thousands or even millions of computers for vulnerabilities
Viruses and Worms • Can install malicious code • 2001 Code Red worm infected 360,000 computers in 14 hrs • Sapphire/Slammer infected 90% of vulnerable hosts on Internet within 10 minutes • Brought down ATMs and caused flight delays • Verisign chart
Viruses and worms (con’t) • Virus checking software works only against previously known viruses • New worms and viruses spread quickly • Easy for programmer to write crude worm - modify code for known worm • Small scale worm that selectively targets a smaller population could be hard to detect
How bad can worms be? • One set of experts estimated that small team of experienced programmers could in a few months’ time develop worm that could compromise majority of Internet connected computers within a few hours • Don’t know if would succeed on first attempt or how long would go undetected • Once computer infected, all bets are off
Denial of Service (DoS) Attacks • Hacker overloads system so that voter can’t gain access • Distributed Denial of Service (DDoS): many machines collaborate to mount joint attack • “Zombies”: compromised machines • Automated tools widely available • Selective disenfranchisement
Examples of DDoS • CNN, Yahoo, eBay: Feb 2000 • Lone teenager not on US soil • Code Red worm contained code to mount DDoS attack on White House; deflected at last minute (2001) • Canadian Internet election disrupted by DoS Jan., 2003 • Mydoom?
Types of DoS Attacks • Flood the network so that it can’t be used • Overload web server’s computational resources so it can’t respond to voters • Repeated requests to initiate new SSL connections • Slow cryptographic protocol can be overwhelmed by enough zombie requests • Can’t defend against all possible DoS attacks
May not recognize DoS • ICANN election • People had problems registering • Many unable to vote near end • Machine capacity issue or DoS? • Can’t infer that there were no security problems • Some individuals voted multiple times
Buying and selling • Provide credentials (passwords, etc) to purchaser who could then vote • Defense would be to limit number of votes from single web address • Not good defense, since proxy servers could make legitimate voters appear to come from same web address; AOL uses same IP addresses for all users • Buyer provides seller with modified version of ActiveX component that guarantees voter’s behavior
Man in the Middle • Adversary interposes itself between legitimate communicating parties and simulates each party to the other • Achieved by: • Controlling client machine • Controlling local network • Controlling upstream network (e.g. ISP or foreign gov’t) • Spoofing voting server (voter thinks is communicating with correct server, but is not) • Attacking Domain Name Server to reroute traffic
Man in the Middle can compromise Privacy • Use of SSL (an encryption technology) cannot prevent, since man in the middle could act as SSL gateway, forwarding between voter and vote server unaltered • Decrypt and re-encrypt to observe results • Useful for • vote buying/selling • Selective disenfranchisement
Michigan Democratic Party’s Primary Internet Voting an Option
Problems with Brief of Mich Dem Party in support of Hearing Officer’s report • “Internet voting is secure” • Internet not secure - voting not secure • Several claims cannot be supported • No detection of successful attack doesn’t mean it never happened. It may have happened and been successful. • Detecting and foiling 100 attacks doesn’t mean that 10 or 100 haven’t been successful.
The Intrusion Detection System • “The IDS filters out and blocks unusual activity on the network, systems or applications.” • “While there have been attempted penetrations, the system has worked as designed, and has never been compromised.” (underlining in document)
Problems with IDS • IDS could potentially identify existence of known attack with particular signature, but could do absolutely nothing against new attack that did not look or smell like previous attack • IDSs make decent network monitoring devices for observing network behavior, and are useful for after the fact forensics, but not that useful as security devices
Problems with IDS (con’t) • May detect attack, but not necessarily prevent or recover • DDoS might be detectable, but not stoppable by commercial product, especially if massive attack • FBI annual survey of Federal agencies: 56% of networks had been successfully intruded during previous years • If no obvious problems, will claim precautions worked, but doesn’t prove anything
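As an added example (not part of the presentation), a toy signature-based IDS run over constructed web-server log lines makes the point of the two IDS slides concrete: the matcher only fires on patterns it already knows, so a lightly disguised variant and a never-before-seen attack produce no alert. The log lines, the signature list and the ground-truth labels are all constructed for this illustration.

```python
"""Toy signature-based IDS over constructed log lines (added example)."""
from urllib.parse import unquote

# Constructed signature database: substrings seen in past, known attacks.
SIGNATURES = ["cmd.exe", "/default.ida?"]

# Constructed log entries: (request line, actually_malicious).  The second
# field is ground truth the IDS never sees; it exists only to score the IDS.
LOG = [
    ("GET /ballot/index.html HTTP/1.1", False),
    ("POST /vote/submit HTTP/1.1", False),
    # Known attack: matches a stored signature verbatim.
    ("GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0", True),
    # Same attack, one character URL-encoded: no verbatim signature match.
    ("GET /scripts/..%255c../winnt/system32/%63md.exe?/c+dir HTTP/1.0", True),
    # Hypothetical novel attack path with no signature at all.
    ("GET /vote/tally.cgi?debug=1&dump=all HTTP/1.1", True),
]


def naive_ids(log):
    """Flag a line when any signature appears verbatim in the raw request."""
    return [line for line, _ in log if any(sig in line for sig in SIGNATURES)]


def normalizing_ids(log):
    """Decode URL escapes (twice, for double encoding) before matching.

    This catches the encoded variant but still cannot see the novel attack.
    """
    alerts = []
    for line, _ in log:
        decoded = unquote(unquote(line)).lower()
        if any(sig in decoded for sig in SIGNATURES):
            alerts.append(line)
    return alerts


def score(alerts, log):
    """Return (detected, missed) counts of actually-malicious lines."""
    malicious = {line for line, bad in log if bad}
    detected = len(malicious & set(alerts))
    return detected, len(malicious) - detected


if __name__ == "__main__":
    for name, ids in (("naive", naive_ids), ("normalizing", normalizing_ids)):
        det, missed = score(ids(LOG), LOG)
        print(f"{name:12s} IDS: {det} attack(s) detected, {missed} missed")
```

Neither variant ever reports the novel request, which is exactly why "the IDS never alerted" cannot be read as "the system was never compromised".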