Internet voting systems too insecure, researcher warns
But Halderman, along with a team of researchers, easily broke into the system, and showed how they could modify and replace marked ballots in the system. The researchers even tweaked the system so that voters would be greeted with the University of Michigan fight song when they landed on the vote confirmation page.
The election officials in charge of such systems do not have the technical expertise or the resources needed to detect or protect their systems against such attacks, Jefferson said. "The kind of attack that Halderman did can be repeated anywhere at any time," with little response, he said.
In addition, Web-based voting systems are vulnerable to the same security threats that face other websites. These threats include DNS routing attacks, man-in-the middle attacks and denial-of-service attacks and can prevent voters from casting their ballots. The client systems that eligible voters use to cast their ballots are equally vulnerable, Jefferson said, noting the possibility of numerous attacks where a voter might cast a ballot and have no way of knowing whether the ballot was intercepted, modified or cast at all.
Electronic voting systems of the sort proposed for use in this year's general elections do not provide anywhere near the auditability provided by paper votes, he said. While there are mechanisms to ensure that the same voter does not cast multiple ballots, there is nothing to prove that a ballot was cast in the manner that the voter intended, he said.
"Once you put ink on paper, you can't change it without that change being easily detectable," Jefferson said. "Paper is indelible. People can see it, track it and read it." He noted that the only country with an Internet voting system comparable to the U.S. is Estonia. Other countries have tried e-voting technology and have either gone back to paper voting or are reconsidering it, he said.
"What we are asking every state, every jurisdiction to do is not use Internet voting," Jefferson said. "It is OK to transmit blank ballots over the Internet" to overseas and absentee voters, he said, but not ballots that have been filled in.
Susannah Goodman, director of the election reform project at the watchdog group Common Cause, said states that are moving ahead with Internet voting plans would do well to look at states such as New York and California, which have said they will not adopt such measures because of security concerns.
"Knowing what we know, it is not a verifiable form of voting. It is not a safe form of voting," she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His email address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts