Data Security | News

Researchers Break DC Voting System and Leave School Fight Song Behind

• By Dian Schaffhauser
• 10/12/10

An experiment in digital voting by Washington, DC not only gave the developers behind the project a taste of the challenges they face in creating a secure voting application, but it gave researchers at the University of Michigan a chance to broadcast their school's fight song every time somebody cast a vote.

Beginning in the last week of September, the District of Columbia Board of Elections & Ethics launched a public test of a new next generation election system that would provide military and other overseas voters a simplified method of receiving and returning their ballots. As laid out by Paul Stenbjorn, director of information services at the district, the goal was to publish the source code and offer a public examination period "in which users would be given unfettered access to the system to determine its strength or weakness, assess its usability, and generally kick the tires."

Captivated by the challenge, U Michigan's J. Alex Halderman, an assistant professor of computer science and engineering, rapidly assembled a team of students and staff with the goal of hacking into the system as quickly as possible.

The voting application works like this: Absentee voters receive letters by snail mail directing them to a Web site, where they can log in with a unique PIN. From there they can download a PDF version of the ballot and either return it by mail or fill it out electronically and upload the completed ballot as a PDF to the server. The server encrypts these uploaded ballots, and election staff members transfer them to a standalone PC after the election, where the ballots are decrypted and printed out for tallying, just as a mailed-in ballot would be.

The application being tested is written as open source in a Ruby on Rails framework running on top of the Apache Web server and MySQL database, according to a blog post by Halderman that describes the exploit. Within 36 hours of starting the exercise, his team found a weakness in the way the program processed those uploaded ballots.

"[We] found that we could gain the same access privileges as the server application program itself, including read and write access to the encrypted ballots and database," he wrote.

Not only were the researchers able to read all of the ballot contents, but they were able to modify votes (to write-ins for famous robots and computers, including HAL 9000 from 2001: A Space Odyssey) and reprogram the server with a few new features. For example, they rigged the system to play "The Victors," U Michigan's fight song, 15 seconds after each new ballot was cast.

The research team also installed a "back door" that let them view all the incoming votes and who cast them, thereby violating ballot secrecy.

DC's Stenbjorn said he sees the results of the experiment as an opportunity to become more aggressive about tackling the security challenges inherent in electronic voting. "When Alex Halderman and his students successfully hacked the system, we learned many valuable lessons about the security issues with the file upload mechanisms used in this software," he wrote in an open letter posted on the election site. "More importantly, however, we achieved a collaborative engagement with the computer science community that was working with elections officials in the early stages of developing a better model for future deployment."

For now DC will allow overseas voters to download their PDF ballot. But they'll be required to return the completed ballot by paper mail. Stenbjorn said in the meantime he looks forward to continuing the collaboration. "We all know that this does not represent the end of digital ballot transport but a step toward a solution that will be less partisan in its Big 10 affiliations."