Hacking the Polls: Vulnerability in Electronic Voting Systems

Author: Damon Eris
Published: 05 Mar, 2012
Updated: 13 Oct, 2022

Among those who advocate for the “modernization” of our voting systems, internet-based electronic voting and registration platforms are often offered as an ideal solution to the problems inherent in our current registration and voting processes. A newly published paper describes the ease with which a small group of researchers was able to hack a Washington, D.C.-based internet voting pilot project, demonstrating that these new systems are not ready for take-off.

In 2010, the Washington D.C. Board of Elections and Ethics announced that it would offer a “Digital Vote-by-Mail Service” that would have allowed overseas voters registered in the District to cast their votes over the internet. The federally funded project ran a mock election allowing for public testing of its functionality and security ahead of the November election. A research team from the University of Michigan at Ann Arbor reports that it was able to gain “near complete control of the election server” in under two days' time. Even more disturbingly, the hackers state that elections officials were effectively incapable of discerning that their system had been compromised.

“We successfully changed every vote and revealed almost every secret ballot. Election officials did not detect our intrusion for nearly two business days – and might have remained unaware for far longer had we not deliberately left a prominent clue,” wrote Scott Wolchok, Eric Wustrow, Dawn Isabel and J. Alex Halderman.

The paper, entitled “Attacking the Washington D.C. Internet Voting System,” was published in the Proceedings of the 16th Conference on Financial Cryptography and Data Security last month. The flaws revealed by the security breach resulted in the discontinuation of the internet-based voting service by the D.C. Board of Elections and Ethics.

Within hours, the research team was able to discover serious vulnerabilities that allowed them to compromise the system's server. Among other things, they were able to retrieve the key code used for encrypting individual ballots, which allowed them to change every single vote to reflect a “forged ballot of our choosing,” as well as ensure that all ballots processed from then on would reflect the election outcome they desired. The hackers opted to have all ballots indicate a vote cast for Bender, the robot character from the television show Futurama.

The team decided to “hide their tracks” and reportedly did so with moderate success, but they also left a calling card. “We uploaded a recording of ‘The Victors’ (the University of Michigan fight song) and modified the confirmation page to play this recording,” reads the paper.

Even more embarrassingly, the U of M computer scientists were also able to attack and compromise the pilot program's network infrastructure in addition to its application server. The group was able to infiltrate the program's terminal server “using a default password (dbps) obtained from an online copy of the user manual.” Once inside the system, they created backup admin accounts to ensure they retained access even if their attack was discovered. Upon inspection of the terminal server logs, it was noticed that other individuals and/or groups were attempting to gain access to the system.

“We realized that one of the default logins to the terminal server (user: admin, password: admin) would likely be guessed by the attacker in a short period of time and therefore decided to protect the device from further compromise,” they write. Such attacks were detected from IP addresses in Iran, New Jersey, India and China.

In addition, the team was able to gain access to surveillance webcams of the room in which the pilot's server was located. “These webcams may have been intended to increase security by allowing remote surveillance of the server room, but in practice, since they were unsecured, they had the potential to leak information that would be extremely useful to attackers,” they write.


The paper reports that elections officials were effectively incapable of detecting the nature and character of the attack, despite the researchers' calling card.

“They confirmed that they were unable to see our attacks in their intrusion detection system logs, that they were unable to detect our presence in the network equipment until after the trial, and that they did not discover the attack until they noticed our intentional calling card.”

In conclusion, the researchers argue against any adoption of electronic and internet-based voting systems at present.

“Secure internet voting in practice will require significant fundamental advances in computer security, and we urge Internet voting proponents to reconsider deployment until and unless major breakthroughs are achieved.”
