[This article now cross-published by The Progress...]
We've discussed, many times over the years, the madness of Internet Voting schemes. Today we've got yet another piece of disturbing evidence that underscores why such a scheme for American democracy would be nothing short of insane.
The BRAD BLOG has highlighted how easily Internet elections can be hacked by all sorts of nefarious folks (perhaps most disturbingly, without the knowledge of election officials); how various experiments in Internet Voting have proved disastrous (Hello, Canada! Hello, Honolulu! Hello, Oscars!); and how it is simply impossible to do a true pilot test of any such Internet Voting schemes in advance, since the most dangerous tactics that bad guys might throw at an Internet-based election in order to game it are actually illegal. Because of that, good guy "white hat hackers" wouldn't be able to use those same techniques to test the security of any Internet Voting scheme before it was actually put into use in a live election.
Moreover --- and perhaps the deal-breaker when it comes to the viability of Internet Voting ever being workable in public elections --- even if the Internet Voting scheme remains secure, there is no way that the citizenry can know that was the case. Any such scheme would require faith and trust in others, which is decidedly not what our system of oversight and checks and balances in public elections is supposed to be built on. Thus, even a secured Internet Voting scheme would seriously undermine the basic tenets of, and overall confidence in, American democracy.
Now, Kim Zetter at Wired's "Threat Level" blog offers yet another reason why the Internet, as it currently exists, is simply unfit to serve as a means for secure online voting. Her recently published article, which doesn't focus on voting, is alarmingly headlined "Someone's Been Siphoning Data Through a Huge Security Hole in the Internet".
And no, in this case, it's not the NSA. At least as far as we know.
Zetter details a "huge security hole" indeed, one which, as she documents, was found to have been used earlier this year to re-route "vast amounts" of U.S. Internet data all the way out to Belarus and Iceland, where it was intercepted in a classic "man-in-the-middle" fashion, before being sent on to its intended receiver. During the hijack attack, the senders and receivers of the Internet data were none the wiser, just as would likely be the case if the same gaping security hole in the Internet's existing architecture was used to hijack votes cast over the Internet, change them, and then send them on to the server of the intended election official recipient...
Here's the lede of Zetter's piece:
The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.
Now, five years later, this is exactly what has happened. Earlier this year, researchers say, someone mysteriously hijacked internet traffic headed to government agencies, corporate offices and other recipients in the U.S. and elsewhere and redirected it to Belarus and Iceland, before sending it on its way to its legitimate destinations. They did so repeatedly over several months. But luckily someone did notice.
And this may not be the first time it has occurred - just the first time it got caught.
Analysts at Renesys, a network monitoring firm, said that over several months earlier this year someone diverted the traffic using the same vulnerability in the so-called Border Gateway Protocol, or BGP, that the two security researchers demonstrated in 2008. The BGP attack, a version of the classic man-in-the-middle exploit, allows hijackers to fool other routers into re-directing data to a system they control. When they finally send it to its correct destination, neither the sender nor recipient is aware that their data has made an unscheduled stop.
Zetter goes on to explain that the hijack attacks were found to have captured "vast amount of sensitive information," and occurred "at least 38 times...sometimes for minutes, other times for days --- and they did it in such a way that, researchers say, it couldn't have been a mistake."
In this case, the attacks were initially believed to be targeting financial information, "since traffic destined for a large bank got sucked up in the diversion." But then they found "traffic intended for the foreign ministries of several countries" had been diverted as well as data from a "large VoIP [Voice over IP, Internet telephone] provider in the U.S., and ISPs that process the internet communications of thousands of customers."
Read the full story for much more on the disturbing technical details, but essentially the exploit takes advantage of an Internet infrastructure "feature" that allows anyone with the access to a BGP router to spoof the normal path of Internet traffic to take a longer trip before arriving at its intended location. Zetter's explains it this way [emphasis added]:
To make it easy for e-mail traffic from an ISP in California to reach customers of an ISP in Spain, networks for these providers and others communicate through BGP routers. Each router distributes so-called announcements indicating which IP addresses they're in the best position to deliver traffic to, for the quickest, most efficient route. But BGP routers assume that when another router says it's the best path to a specific block of IP addresses, it's telling the truth. That gullibility makes it easy for eavesdroppers to fool routers into sending them traffic they shouldn't get.
To intercept data, anyone with a BGP router or control of a BGP router could send out an announcement for a range of IP addresses he wished to target that was narrower than the chunk advertised by other network routers. The announcement would take just minutes to propagate worldwide and, just like that, data that should have headed to those networks would begin arriving to the eavesdropper's router instead.
What makes this exploit particularly disturbing is that no one may ever even know that it occurred. In a blog post by Renesys cited by Zetter, the firm warns: "What makes a man-in-the-middle routing attack different from a simple route hijack? Simply put, the traffic keeps flowing and everything looks fine to the recipient...It's possible to drag specific internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way."
A similar BGP hijack is said to have taken place in 2010, when according to a report from the US-China Economic and Security Review Commission "For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed US and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet's destinations through servers located in China."
In that case, as the report details, the incident affected traffic to and from U.S. government and military sites, "including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others." Some commercial traffic from Yahoo!, Microsoft and IBM were also said to have been affected.
A computer security expert we spoke with about that BGP rerouting incident was dubious about the explanation that the traffic diversion was done accidentally, as claimed by China.
Such an attack is, obviously, a horrifying possibility for an Internet-based election, and there seems to be no way to block the ability for such an attack to be carried out, given the way the Internet itself is currently set up to operate. To affect an election, rerouting by such an attack would only one need to be run during hours that the polls are open, or even just a portion of that time. Since this exploit targets specific IP addresses, it could, theoretically, target only the computers used for voting at the polls, or in very specific areas.
Data from Internet votes cast at a precinct (or from a smart phone, or whatever other sort of scheme these Internet Voting loons seem to keep dreaming up) could be hijacked, modified, and then sent to the official election server without anybody ever knowing anything had happened. Since we have secret ballots in U.S. elections, it would be largely impossible to compare the original votes to the ones that were ultimately recorded.
While Internet Voting companies enjoy bragging about things like "military-grade encryption" of data --- or whatever nonsense these election profiteers use to fool gullible lawmakers and others into believing that online elections can be carried out securely --- we've seen enough information about encryption keys being stolen or broken or, thanks to leaks by Edward Snowden and others, the government itself "legally" securing their own access to such keys in order to decrypt (and then modify) just about anything they like...Not that any government entity, someone else's or our own, would have any interest in modifying the results of a U.S. election or anything.
Of course, rather than unencrypt and modify the data, which is more complicated, the data could also simply be deleted, rather than passed on to its final destination at all.
Nobody knows who was behind the particular hijacks described in the Wired piece, and it may be impossible to ever identify the culprits since, according to Renesys' analysis cited by Zetter, while "systems in Belarus and Iceland initiated the hijacks, it's possible that those systems were hijacked by a third party that simply used them as a proxy for the attacks."
Again, this is not something easily "fixed" on the Internet. It's a feature of the architecture, not a bug. So there seems to be little that could be done to change or correct it before voting was carried out over that same Internet, as many of those profiteers --- and too many Democrats and Republicans --- continue to call for.
When reached for comment by The BRAD BLOG, electronic voting expert Dr. Barbara Simons, a former IBM research, past President of the Association for Computing Machinery [ACM] President and co-author of Broken Ballots: Will Your Vote Count?, shared similar concerns to ours about this type of exploit used to tamper with an Internet election.
Simons, one of a number of world-class computer and security experts who have been long time outspoken opponents of Internet Voting schemes, agreed that "Based on what I read in [the Wired] article, it seems to me that a man-in-the-middle attack on Election Day is indeed a cause for concern."
Another computer security and voting system expert we spoke to who preferred we not use his name, noted that actually changing votes on the fly might be difficult, but deleting them entirely would not be.
"The diversion of traffic is a very serious matter for a number of reasons, but I would say that attacks on votes in transit would be low on the list. Vote traffic, done right, would be encrypted, as you point out, and so traffic diversion alone does not allow for the reading or modification of ballots," he explained via email. "It would require getting the keys as well. Also as you point out, we now know of several ways that the NSA does that (or causes weak keys to be used) so it is not impossible, but it requires both a traffic diversion and access to keys to accomplish --- a two part attack, which is much harder to pull off. However, simply throwing away ballots in transit, based on unencrypted metadata like the sender's IP address, would be absolutely easy."
Simons, who is a member of the Board of Advisors to the U.S. Election Assistance Commission (EAC) and co-authored a report in 2004 that led to the cancellation of a Dept. of Defense Internet Voting project ("Secure Electronic Registration and Vote Experiment" or SERVE) due to security concerns, notes that voting over the Internet isn't the only thing that might be affected by such an attack.
Online voter registration, she says, could potentially be corrupted by the very same type of exploit. "The risk is that a voter's address could be modified, without the voter's knowledge. This could be a serious problem in states that are primarily or exclusively vote-by-mail."
Oh, yeah. There's that too.