Internet voting systems too insecure, researcher warns
But Halderman, along with a team of researchers, easily broke into the system, and showed how they could modify and replace marked ballots in the system. The researchers even tweaked the system so that voters would be greeted with the University of Michigan fight song when they landed on the vote confirmation page.
The election officials in charge of such systems do not have the technical expertise or the resources needed to detect or protect their systems against such attacks, Jefferson said. "The kind of attack that Halderman did can be repeated anywhere at any time," with little response, he said.
In addition, Web-based voting systems are vulnerable to the same security threats that face other websites. These threats include DNS routing attacks, man-in-the-middle attacks and denial-of-service attacks, and can prevent voters from casting their ballots. The client systems that eligible voters use to cast their ballots are equally vulnerable, Jefferson said, noting the possibility of numerous attacks where a voter might cast a ballot and have no way of knowing whether the ballot was intercepted, modified or cast at all.
Electronic voting systems of the sort proposed for use in this year's general elections do not provide anywhere near the auditability provided by paper votes, he said. While there are mechanisms to ensure that the same voter does not cast multiple ballots, there is nothing to prove that a ballot was cast in the manner that the voter intended, he said.
"Once you put ink on paper, you can't change it without that change being easily detectable," Jefferson said. "Paper is indelible. People can see it, track it and read it." He noted that the only country with an Internet voting system comparable to the U.S. is Estonia. Other countries have tried e-voting technology and have either gone back to paper voting or are reconsidering it, he said.
"What we are asking every state, every jurisdiction to do is not use Internet voting," Jefferson said. "It is OK to transmit blank ballots over the Internet" to overseas and absentee voters, he said, but not ballots that have been filled in.
Susannah Goodman, director of the election reform project at the watchdog group Common Cause, said states that are moving ahead with Internet voting plans would do well to look at states such as New York and California, which have said they will not adopt such measures because of security concerns.
"Knowing what we know, it is not a verifiable form of voting. It is not a safe form of voting," she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.