Attacking the Washington, D.C. Internet Voting System

  • Conference paper
Financial Cryptography and Data Security (FC 2012)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7397)

Abstract

In 2010, Washington, D.C. developed an Internet voting pilot project that was intended to allow overseas absentee voters to cast their ballots using a website. Prior to deploying the system in the general election, the District held a unique public trial: a mock election during which anyone was invited to test the system or attempt to compromise its security. This paper describes our experience participating in this trial. Within 48 hours of the system going live, we had gained near-complete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election officials did not detect our intrusion for nearly two business days—and might have remained unaware for far longer had we not deliberately left a prominent clue. This case study—the first (to our knowledge) to analyze the security of a government Internet voting system from the perspective of an attacker in a realistic pre-election deployment—attempts to illuminate the practical challenges of securing online voting as practiced today by a growing number of jurisdictions.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wolchok, S., Wustrow, E., Isabel, D., Halderman, J.A. (2012). Attacking the Washington, D.C. Internet Voting System. In: Keromytis, A.D. (eds) Financial Cryptography and Data Security. FC 2012. Lecture Notes in Computer Science, vol 7397. Springer, Berlin, Heidelberg. http://doi.org/10.1007/978-3-642-32946-3_10

  • DOI: http://doi.org/10.1007/978-3-642-32946-3_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32945-6

  • Online ISBN: 978-3-642-32946-3

  • eBook Packages: Computer Science, Computer Science (R0)
