First published: 2nd March 2012
In 2010, Professor Alex Halderman from the University of Michigan took up an open invitation from the Washington DC election board to hack their new e-voting system for absentee ballots. Halderman and his team quickly found multiple vulnerabilities that they used to stuff the ballot and modify the system, including causing the site to play the University of Michigan football fight song after user logout.
The successful attack went undiscovered for two days, until another tester reported that the system was secure but that the annoying music on the sign-off screen should be removed.
Halderman has now published a full account. The details include initial access through a shell injection vulnerability and the use of the username "admin" with the password "admin" for a terminal server account. The team also used the voting system's monitoring cameras to check when staff had gone home so that their server activity would go unnoticed. They added fictional characters to the candidate list, and elected Futurama character Bender as head of a school board. They could change all past and future ballots on the system.
The attack highlights the technical difficulties in developing secure electronic voting systems. Another concern with e-voting is that permitting voters the convenience of voting anywhere greatly reduces the protection against vote buying and voter intimidation that a secure voting booth provides.