Why Internet Voting is Insecure: a case study
Barbara Simons

“Those who cast the votes decide nothing. Those who count the votes decide everything.” – Joseph Stalin

Accenture chief named head of e-government
• The Cabinet Office has announced that Ian Watmore, the UK managing director of IT services firm Accenture, is to become the head of e-government. In his new role, Watmore faces the task of delivering efficiency savings while improving the delivery of public services by joining up electronic government services around the needs of customers.
  – Network IT Week, May 25, 2004

A Fairy Tale
• 2008 US election: H. Clinton vs J. Bush
• 527 Americans hostage in Iran
  – Bush wants to invade
  – Clinton calls for negotiations
• Country evenly divided
• Internet voting throughout country

The Day before the Election
• Email from White House warning of computer viruses and providing website for downloading anti-virus software
  – Millions download
  – Email not from WH and contains virus
• Virus randomly selects small percentage of votes and changes them to Clinton if they had been for Bush
• Erases itself

Clinton wins
• Millions vote before news of virus
• Bush supporters demand new election
  – No legal provisions
  – Can’t determine which votes modified because of randomness
• Iranian Govt? Democrats? Femi-Nazis?
• Teenage hackers and computer scientists suspected
• Military put on alert

How does the story end? Is there a backup plan?
• What happens if after election it is discovered that system may have been compromised?
  – Rerun election? On the same system???
  – Ask those whose votes may have been compromised (if you can figure out who they are) to vote again?
  – What does this do to voter confidence?
E-voting is harder than e-commerce
• Requires higher level of security
  – Democracy depends on voter confidence
  – Stakes exceedingly high
    • Hundreds of millions of dollars spent on US Presidency election
    • Small fraction would be exceedingly large bribe
  – More challenging
    • May be ok for my spouse to use my credit card, but not ok for my spouse to vote for me

E-voting hard
• Unlike e-voting, denial of service attack on e-commerce may prevent some sales, but does not invalidate those that succeed
• May be difficult to detect
  – Anonymity (US) makes it impossible to determine if votes correctly counted
  – E-commerce failure can be corrected
    • Amazon sends another book

E-voting hard
• How to detect failure?
  – Airplanes crash
  – Books not delivered
  – Outcome doesn’t match exit polls???

Secure Electronic Registration and Voting Experiment (SERVE)
• $22M DoD project for ’04 elections and primaries
  – 7 states; 50 counties in those states
  – Military and civilians living out of the country
• http://www.serveusa.gov/public/aca.aspx

www.servesecurityreport.org
David Jefferson, Avi Rubin, Barbara Simons, David Wagner

Conclusions
• SERVE contains all security vulnerabilities of paperless touch screen voting machines
• Internet- and PC-based systems make it vulnerable to many potentially catastrophic well known cyber attacks
• Attacks could be large scale, launched by anyone from anywhere, including hostile countries

Conclusions
• Impossible to estimate probability of successful cyberattack on one election
  – Easy to perpetrate
  – In some cases software available on Internet
  – Major elections tempting targets
• Vulnerabilities fundamental to architecture of Internet and of PC hardware and software in use today
  – Cannot be eliminated in the foreseeable future

Conclusions
• Unable to recommend alternative involving Internet voting: all insecure
• Could appear to work flawlessly
  – Lack of detected successful attacks does NOT prove that there were none
  – “Successful” trial could lead to slippery slope of larger scale, more vulnerable systems
• Reluctantly recommend immediate shut down of SERVE; was done by DoD

SERVE System requirements for Voters
• Windows 95(?), 98, 2000, ….
• MS Explorer 5.5 & above or Netscape Navigator 6.x through 7
• Internet connection: dial-up modem, cable, DSL, LAN, WAN, etc.
• Downloads an ActiveX component

SERVE (cont’d)
• Users responsible for maintaining the security of their computers, and
  – voting allowed from public computers with internet access (cybercafes)
• Voting planned for a national election using proprietary software, secret testing, insecure clients, and an insecure network

SERVE (cont’d)
• What would have happened if election appeared to go smoothly in ’04?

Major security problems
• Software bugs (may or may not be security)
• Insider attacks
• Security vulnerabilities of client side of voting equipment
• Denial of service attack
• Automated vote buying/selling
• Man in the middle

Software bugs
• Could influence outcome of election
• All software buggy
  – Security holes could be exploited by hackers
• Election software is supposed to be certified whenever modifications made
  – Disincentive to fix bugs
  – Hard deadline of election
  – Testing and results are secret

Security Example
• Vulnerability in Microsoft Windows Server 2003 software announced July 16, 2003
  – Allows hacker to seize control of machine and steal information, delete files, read email
  – Was supposed to be highly reliable and secure
  – Also impacts Windows 2000, NT, and XP
• Could have been used to compromise some currently used election software

Insider attacks
• Anyone with access to vendor’s software, including programmers, executives, and custodians, could insert malicious software
• Hacker may be able to insert malicious software
• Malicious software, cleverly hidden, could be very hard to detect or locate

Client side computer vulnerabilities

Security risks of computers not owned by voter
• Attacker may install malicious software on computers in public locations, e.g. libraries, malls, cybercafes, etc.
• Increased vulnerability for minorities and economically disadvantaged

Employer owned computer
• 2001 study found 62% of major US corporations monitor employees’ Internet connections
• > 1/3 store and review files on employee’s computer
• Additional risk for those without home computers, i.e. economically disadvantaged and minorities

Voter’s Computer may be insecure
• Computer software
  – Operating systems, games, multimedia applications, etc.
  – Any could have malicious code
  – MS Excel 97 contained hidden flight simulator
    • Not found until after release of product

Remote attack on voter’s computer
• Exploit security vulnerability on computer
• Take control of voter’s computer via many different programs, e.g. PC Anywhere or BackOrifice
  – Home computers tend to have poorer security than corporate machines, and even corporate computers have been successfully attacked
  – Hackers can automate attacks to scan thousands or even millions of computers for vulnerabilities

Viruses and Worms
• Can install malicious code
• 2001 Code Red worm infected 360,000 computers in 14 hrs
• Sapphire/Slammer infected 90% of vulnerable hosts on Internet within 10 minutes
  – Brought down ATMs and caused flight delays
  – (Verisign chart)

Viruses and worms (cont’d)
• Virus checking software works only against previously known viruses
• New worms and viruses spread quickly
• Easy for programmer to write crude worm or modify code for known worm
• Small-scale worm that selectively targets a smaller population could be hard to detect

How bad can worms be?
• One set of experts estimated that small team of experienced programmers could in a few months’ time develop worm that could compromise majority of Internet connected computers within a few hours
  – Don’t know if would succeed on first attempt or how long would go undetected
• Once computer infected, all bets are off

Denial of Service (DoS) Attacks
• Hacker overloads system so that voter can’t gain access
• Distributed Denial of Service (DDoS): many machines collaborate to mount joint attack
  – “Zombies”: compromised machines
• Automated tools widely available
• Selective disenfranchisement

Examples of DDoS
• CNN, Yahoo, eBay: Feb 2000
  – Lone teenager not on US soil
• Code Red worm contained code to mount DDoS attack on White House; deflected at last minute (2001)
• Canadian Internet election disrupted by DoS Jan., 2003
  – Mydoom?

Types of DoS Attacks
• Flood the network so that it can’t be used
• Overload web server’s computational resources so it can’t respond to voters
  – Repeated requests to initiate new SSL connections
  – Slow cryptographic protocol can be overwhelmed by enough zombie requests
• Can’t defend against all possible DoS attacks

May not recognize DoS
• ICANN election
  – People had problems registering
  – Many unable to vote near end
  – Machine capacity issue or DoS?
  – Can’t infer that there were no security problems
  – Some individuals voted multiple times

Automated Buying and Selling
• Provide credentials (passwords, etc.) to purchaser who could then vote
  – Defense would be to limit number of votes from single web address
  – Not good defense, since proxy servers could make legitimate voters appear to come from same web address; AOL uses same IP addresses for all users
• Buyer provides seller with modified version of ActiveX component that guarantees voter’s behavior

Man in the Middle or Spoofing
• Adversary interposes itself between legitimate communicating parties and simulates each party to the other
• Achieved by:
  – Controlling client machine
  – Controlling local network
  – Controlling upstream network (e.g. ISP or foreign gov’t)
  – Spoofing voting server (voter thinks it is communicating with correct server, but is not)
  – Attacking Domain Name Server to reroute traffic

Man in the Middle can compromise Privacy
• Use of SSL (an encryption technology) cannot prevent this, since man in the middle could act as SSL gateway, forwarding between voter and vote server unaltered
  – Decrypt and re-encrypt to observe results
• Useful for
  – vote buying/selling
  – Selective disenfranchisement

Michigan Democratic Party’s Primary: Internet Voting an Option

Problems with Brief of Mich Dem Party in support of Hearing Officer’s report
• “Internet voting is secure”
  – Internet not secure, so voting not secure
  – Several claims cannot be supported
• No detection of successful attack doesn’t mean it never happened. It may have happened and been successful.
  – Detecting and foiling 100 attacks doesn’t mean that 10 or 100 haven’t been successful.
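The “Automated Buying and Selling” slide above argues that capping the number of ballots accepted from a single web address is a poor defence, because proxies and large ISPs place many legitimate voters behind one address while a buyer can spread bought credentials over many addresses. The following is an added example, not code from the original deck or from SERVE, that runs such a cap over a constructed set of ballot submissions and counts who it actually blocks; every address, voter id and “bought” label is constructed for the example.

```python
from collections import Counter

# Constructed sample of ballot submissions as (voter_id, source_address).
# Voters v01..v06 are legitimate users who share one proxy/NAT address, the
# situation the slide describes for AOL users. Records v07..v11 are ballots
# cast by one buyer with credentials bought from five voters, each sent from
# a different address. Both groupings are constructed ground truth.
SUBMISSIONS = [
    ("v01", "198.51.100.7"), ("v02", "198.51.100.7"), ("v03", "198.51.100.7"),
    ("v04", "198.51.100.7"), ("v05", "198.51.100.7"), ("v06", "198.51.100.7"),
    ("v07", "203.0.113.10"), ("v08", "203.0.113.11"), ("v09", "203.0.113.12"),
    ("v10", "203.0.113.13"), ("v11", "203.0.113.14"),
]
SHARED_PROXY_VOTERS = {"v01", "v02", "v03", "v04", "v05", "v06"}
BOUGHT_VOTERS = {"v07", "v08", "v09", "v10", "v11"}


def apply_address_limit(submissions, limit):
    """Accept at most `limit` ballots per source address, in arrival order.

    This is the defence the slide describes: it is keyed only on the address
    a ballot arrives from. Returns (accepted, rejected) lists of voter ids.
    """
    seen = Counter()
    accepted, rejected = [], []
    for voter, addr in submissions:
        if seen[addr] >= limit:
            rejected.append(voter)
        else:
            seen[addr] += 1
            accepted.append(voter)
    return accepted, rejected


def evaluate_limit(submissions, limit):
    """Measure how the address cap treats the two groups.

    'disenfranchised' counts legitimate voters behind the shared proxy whose
    ballots were rejected; 'bought_accepted' counts bought ballots that got
    through because each came from its own address.
    """
    accepted, rejected = apply_address_limit(submissions, limit)
    return {
        "disenfranchised": sum(v in SHARED_PROXY_VOTERS for v in rejected),
        "bought_accepted": sum(v in BOUGHT_VOTERS for v in accepted),
    }


if __name__ == "__main__":
    for limit in (1, 2, 10):
        print(f"limit={limit}: {evaluate_limit(SUBMISSIONS, limit)}")
```

Whatever cap is chosen, the bought ballots all pass because the cap never sees two of them from the same address, while tightening the cap only increases the number of legitimate voters behind the proxy who are turned away. The address is a property of the network path, not of the voter, so it cannot distinguish the two cases.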
The Intrusion Detection System
• “The IDS filters out and blocks unusual activity on the network, systems or applications.”
• “While there have been attempted penetrations, the system has worked as designed, and has never been compromised.” (underlining in document)

Problems with IDS
• IDS could potentially identify existence of known attack with particular signature, but could do absolutely nothing against new attack that did not look or smell like previous attack
• IDS makes decent network monitoring device for observing network behavior, and useful for after-the-fact forensics, but not that useful as security device

Problems with IDS (cont’d)
• May detect attack, but not necessarily prevent or recover
• DDoS might be detectable, but not stoppable by commercial product, especially if massive attack
  – FBI annual survey of Federal agencies: 56% of networks had been successfully intruded during previous years
• If no obvious problems, will claim precautions worked, but doesn’t prove anything
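The “Problems with IDS” slides above make two points: a signature-based IDS recognises only attacks whose pattern it already has, and its real value is as a monitoring and after-the-fact forensics tool. This added example, not code from the original deck or from any IDS product, runs one signature over constructed web-server log lines. The signature is modelled on the `default.ida` request shape associated with the 2001 Code Red worm that the deck mentions; the log lines, the “variant” request that swaps the padding character, the addresses, the application paths and the ground-truth labels are all constructed for the example.

```python
import re
from collections import Counter

# Constructed log lines in a simplified "source method path status" format.
# Indices 1 and 3 are probes from the same source: the first has the request
# shape our signature knows, the second is the same behaviour with one
# character changed. The other lines are ordinary ballot-application traffic.
LOG_LINES = [
    "192.0.2.10 GET /ballot/status 200",
    "192.0.2.11 GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 404",
    "192.0.2.12 GET /ballot/cast 200",
    "192.0.2.11 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 404",
    "192.0.2.14 GET /ballot/confirm 200",
]
TRUTH = {1: "known probe", 3: "variant probe"}  # constructed ground truth

# The only signature this toy IDS has: a default.ida request padded with N's.
SIGNATURES = {
    "known-ida-probe": re.compile(r"GET /default\.ida\?N{16,}"),
}
# Paths the ballot application legitimately serves (constructed).
KNOWN_PREFIXES = ("/ballot/",)


def signature_hits(lines, signatures=SIGNATURES):
    """Return {line_index: signature_name} for every line a signature matches."""
    hits = {}
    for i, line in enumerate(lines):
        for name, pattern in signatures.items():
            if pattern.search(line):
                hits[i] = name
                break
    return hits


def coverage(lines, truth=TRUTH, signatures=SIGNATURES):
    """Compare signature hits with ground truth.

    'missed' lists attacks the IDS had no signature for, which is the gap the
    slide describes: a new attack that does not look like a previous one.
    """
    hits = signature_hits(lines, signatures)
    return {
        "detected": sorted(i for i in truth if i in hits),
        "missed": sorted(i for i in truth if i not in hits),
        "false_alarms": sorted(i for i in hits if i not in truth),
    }


def unexpected_paths(lines, known_prefixes=KNOWN_PREFIXES):
    """Forensic review: indices of requests for paths the application does
    not serve. Needs no attack signature, only knowledge of the application."""
    return [i for i, line in enumerate(lines)
            if not line.split()[2].startswith(known_prefixes)]


def errors_by_source(lines):
    """Forensic review: non-200 responses tallied per source address."""
    return Counter(line.split()[0] for line in lines if line.split()[3] != "200")


if __name__ == "__main__":
    print("signature coverage:", coverage(LOG_LINES))
    print("requests outside the application:", unexpected_paths(LOG_LINES))
    print("error responses per source:", errors_by_source(LOG_LINES))
```

The signature catches line 1 and is silent on line 3, although the two requests differ by a single character; a report that the IDS “was never compromised” can only ever speak to the first kind. The two review functions show the other side of the slide’s point: a log reviewed after the fact against what the application actually serves surfaces both probes, and the source tally shows they came from the same place, which is useful for forensics but blocks nothing while the election is running.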