Why Internet Voting is Insecure: a Case Study

advertisement
Why Internet Voting is Insecure:
a case study
Barbara Simons
“Those who cast the votes decide
nothing. Those who count the
votes decide everything.”
Joseph Stalin
Accenture chief named
head of e-government
• The Cabinet Office has announced that
Ian Watmore, the UK managing director
of IT services firm Accenture, is to
become the head of e-government. In
his new role, Watmore faces the task of
delivering efficiency savings while
improving the delivery of public services
by joining up electronic government
services around the needs of
customers.
– Network IT Week, May 25, 2004
A Fairy Tale
• 2008 US election: H. Clinton vs J. Bush
• 527 Americans hostage in Iran
– Bush wants to invade
– Clinton calls for negotiations
• Country evenly divided
• Internet voting throughout country
The Day before the Election
• Email from White House warning of
computer viruses and providing website for
downloading anti-virus software
– Millions download
– Email not from WH and contains virus
• Randomly selects small percentage of votes and
changes them to Clinton if had been for Bush
• Erases itself
Clinton wins
• Millions vote before news of virus
• Bush supporters demand new election
– No legal provisions
– Can’t determine which votes modified because of
randomness
• Iranian Govt? Democrats? Femi-Nazis?
• Teenage hackers and computer scientists suspect
• Military put on alert
How does the story end?
Is there a backup plan?
• What happens if after election it is
discovered that system may have been
compromised?
– Rerun election? On the same system???
– Ask those whose votes may have been
compromised (if you can figure out who they
are) to vote again?
– What does this do to voter confidence?
E-voting is harder than e-commerce
• Requires higher level of security
– Democracy depends on voter confidence
– Stakes exceedingly high
• Hundreds of millions of dollars spent on US
Presidency election
• Small fraction would be exceedingly large bribe
– More challenging
• May be ok for my spouse to use my credit card, but
no ok for my spouse to vote for me
E-voting hard
• Unlike e-voting, denial of service attack on
e-commerce may prevent some sales, but
does not invalidate those that succeed
• May be difficult to detect
– Anonymity (US) makes impossible to
determine if votes correctly counted
– E-commerce failure can be corrected
• Amazon sends another book
E-voting hard
• How to detect failure?
– Airplanes crash
– Books not delivered
– Outcome doesn’t match exit polls???
Secure Electronic Registration
and Voting Experiment (SERVE)
• $22M DoD project for ‘04 elections and primaries
– 7 states - 50 counties in those states
– Military and civilians living out of the country
• http://www.serveusa.gov/public/aca.as
px
www.servesecurityreport.org
David Jefferson
Avi Rubin
Barbara Simons
David Wagner
Conclusions
• SERVE contains all security vulnerabilities
of paperless touch screen voting machines
• Internet- and PC-based systems make it
vulnerable to many potentially catastrophic
well known cyber attacks
• Attacks could be large scale, launched by
anyone from anywhere, including hostile
countries
Conclusions
• Impossible to estimate probability of successful cyberattack on one election
– Easy to perpetrate
– In some cases software available on Internet
– Major elections tempting targets
• Vulnerabilities fundamental to architecture of Internet
and of PC hardware and software in use today
– Cannot be eliminated in the foreseeable future
Conclusions
• Unable to recommend alternative involving
Internet voting - all insecure
• Could appear to work flawlessly
– Lack of detected successful attacks does NOT prove
that there were none
– “Successful” trial could lead to slippery slope of larger
scale, more vulnerable systems
• Reluctantly recommend immediate shut down of
SERVE - was done by DoD
SERVE System requirements for
Voters
• Windows 95(?), 98, 2000, ….
• MS Explorer 5.5 & above or Netscape
Navigator 6.x through 7.
• Internet connection: dial-up modem, cable,
DSL, LAN, WAN, etc.
• Downloads an ActiveX component
SERVE (con’t)
• Users responsible for maintaining the
security of their computers, and
– voting allowed from public computers with
internet access (cybercafes)
• Voting planned for a national election
using proprietary software, secret testing,
insecure clients, and an insecure network
SERVE (con’t)
• What would have happened if election
appeared to go smoothly in ‘04?
Major security problems
• Software bugs (may or may not be security)
• Insider attacks
• Security vulnerabilities of client side of
voting equipment
• Denial of service attack
• Automated vote buying/selling
• Man in the middle
Software bugs
Software bugs
• Could influence outcome of election
• All software buggy
– Security holes could be exploited by hackers
• Election software is supposed to be certified
whenever modifications made
– Disincentive to fix bugs
– Hard deadline of election
– Testing and results are secret
Security Example
• Vulnerability in Microsoft Windows Server
2003 software announced July 16, 2003
– Allow hacker to size control of machine and
steal information, delete files, read email
– Was supposed to be highly reliable and secure
– Also impacts Windows 2000, NT, and XP
• Could have been used to compromise some
currently used election software
Insider attacks
Insider attacks
• Anyone with access to vendor’s software,
including programmers, executives, and
custodians, could insert malicious software
• Hacker may be able to insert malicious
software
• Malicious software, cleverly hidden, could
be very hard to detect or locate
Client side computer
vulnerabilities
Security risks of computers not
owned by voter
• Attacker may install malicious software on
computers in public locations, e.g. libraries,
malls, cybercafes, etc.
• Increased vulnerability for minorities and
economically disadvantaged
Employer owned computer
• 2001 study found 62% of major US
corporations monitor employees’ Internet
connections
• > 1/3 store and review files on employee’s
computer
• Additional risk for those without home
computers, i.e. economically disadvantaged
and minorities
Voter’s Computer may be insecure
• Computer software
– Operating systems, games, multimedia
applications, etc
– Any could have malicious code
– MS Excel 97 contained hidden flight
simulator
• Not found until after release of product
Remote attack on voter’s computer
• Exploit security vulnerability on computer
• Take control of voter’s computer via many
different programs, e.g. PC Anywhere or
BackOrifice
– Home computers tend to have poorer security
than corporate machines, and even corporate
computers have been successfully attacked
– Hackers can automate attacks to scans
thousands or even millions for vulnerabilities
Viruses and Worms
• Can install malicious code
• 2001 Code Red worm infected 360,000
computers in 14 hrs
• Sapphire/Slammer infected 90% of
vulnerable hosts on Internet within 10
minutes
– Brought down ATMs and caused flight delays
– Verisign chart
Viruses and worms (con’t)
• Virus checking software works only against
previously known viruses
• New worms and viruses spread quickly
• Easy for programmer to write crude worm modify code for known worm
• Small scale worm selectively target smaller
population could be hard to detect
How bad can worms be?
• One set of experts estimated that small team
of experienced programmers could in a few
months’ time develop worm that could
compromise majority of Internet connected
computers within a few hours
– Don’t know if would succeed on first attempt or
how long would go undetected
• Once computer infected, all bets are off
Denial of Service Attacks
Denial of Service (DoS) Attacks
• Hacker overloads system so that voter can’t
gain access
• Distributed Denial of Service (DDoS):
many machines collaborate to mount joint
attack
– “Zombies”: compromised machines
• Automated tools widely available
• Selective disenfranchisement
Examples of DDoS
• CNN, Yahoo, eBay: Feb 2000
– Lone teenager not on US soil
• Code Red worm contained code to mount
DDoS attack on White House; deflected at
last minute (2001)
• Canadian Internet election disrupted by DoS
Jan., 2003
– Mydoom?
Types of DoS Attacks
• Flood the network so that it can’t be used
• Overload web server’s computational
resources so it can’t respond to voters
– Repeated requests to initiate new SSL
connections
– Slow cryptographic protocol can be overwhelmed
by enough zombie requests
• Can’t defend against all possible DoS attacks
May not recognize DoS
• ICANN election
–
–
–
–
–
People had problems registering
Many unable to vote near end
Machine capacity issue or DoS?
Can’t infer that there were no security problems
Some individuals voted multiple times
Automated Buying and Selling
Buying and selling
• Provide credentials (passwords, etc) to purchaser who
could then vote
– Defense would be to limit number of votes from single web
address
– Not good defense, since proxy servers could make
legitimate voters appear to come from same web address;
AOL uses same IP addresses for all users
• Buyer provide seller with modified version of
ActiveX component that guarantees voter’s behavior
Man in the Middle
or
Spoofing
Man in the Middle
• Adversary interposes itself between legitimate
communicating parties and simulates each party to
the other
• Achieved by:
–
–
–
–
Controlling client machine
Controlling local network
Controlling upstream network (eg ISP or foreign gov’t)
Spoofing voting server (voter thinks is communicating
with correct server, but is not)
– Attacking Domain Name Server to reroute traffic
Man in the Middle can
compromise Privacy
• Use of SSL (an encryption technology)
cannot prevent, since man in the middle
could act as SSL gateway, forwarding
between voter and vote server unaltered
– Decrypt and re-encrypt to observe results
• Useful for
– vote buying/selling
– Selective disenfranchisement
Michigan Democratic Party’s
Primary
Internet Voting an Option
Problems with Brief of Mich
Dem Party in support of Hearing
Officer’s report
• “Internet voting is secure”
– Internet not secure - voting not secure
– Several claims cannot be supported
• No detection of successful attack doesn’t
mean it never happened. It may have
happened and been successful.
– Detecting and foiling 100 attacks doesn’t mean
that 10 or 100 haven’t been successful.
The Intrusion Detection System
• “The IDS filters out and blocks unusual
activity on the network, systems or
applications.”
• “While there have been attempted
penetrations, the system has worked as
designed, and has never been
compromised.” (underlining in document)
Problems with IDS
• IDS could potentially identify existence of known
attack with particular signature, but could do
absolutely nothing against new attack that did not
look or smell like previous attack
• IDS makes decent network monitoring devices for
observing network behavior, and useful for after
the fact forensics, but not that useful as security
devices
Problems with IDS (con’t)
• May detect attack, but not necessarily prevent or
recover
• DDoS might be detectable, but not stoppable by
commercial product, especially if massive attack
– FBI annual survey of Federal agencies 56% networks
had been successfully intruded during previous years
• If no obvious problems, will claim precautions
worked, but doesn’t prove anything
Download