We’ve discussed, many times over the years, the madness of Internet Voting schemes. Today we’ve got yet another piece of disturbing evidence that underscores why such a scheme for American democracy would be nothing short of insane.
The BRAD BLOG has highlighted how easily Internet elections can be hacked by all sorts of nefarious folks (perhaps most disturbingly, without the knowledge of election officials); how various experiments in Internet Voting have proved disastrous (Hello, Canada! Hello, Honolulu! Hello, Oscars!); and how it is simply impossible to do a true pilot test of any such Internet Voting schemes in advance, since the most dangerous tactics that bad guys might throw at an Internet-based election in order to game it are actually illegal. Because of that, good guy “white hat hackers” wouldn’t be able to use those same techniques to test the security of any Internet Voting scheme before it was actually put into use in a live election.
Moreover — and perhaps the deal-breaker when it comes to the viability of Internet Voting ever being workable in public elections — even if the Internet Voting scheme remains secure, there is no way that the citizenry can know that was the case. Any such scheme would require faith and trust in others, which is decidedly not what our system of oversight and checks and balances in public elections is supposed to be built on. Thus, even a secured Internet Voting scheme would seriously undermine the basic tenets of, and overall confidence in, American democracy.
Now, Kim Zetter at Wired’s “Threat Level” blog offers yet another reason why the Internet, as it currently exists, is simply unfit to serve as a means for secure online voting. Her recently published article, which doesn’t focus on voting, is alarmingly headlined “Someone’s Been Siphoning Data Through a Huge Security Hole in the Internet”.
And no, in this case, it’s not the NSA. At least as far as we know.
Zetter details a “huge security hole” indeed, one which, as she documents, was found to have been used earlier this year to re-route “vast amounts” of U.S. Internet data all the way out to Belarus and Iceland, where it was intercepted in a classic “man-in-the-middle” fashion, before being sent on to its intended receiver. During the hijack attack, the senders and receivers of the Internet data were none the wiser, just as would likely be the case if the same gaping security hole in the Internet’s existing architecture was used to hijack votes cast over the Internet, change them, and then send them on to the server of the intended election official recipient…

Here’s the lede of Zetter’s piece:
The traffic hijack, they showed, could be done in such a way that no one would notice because the attackers could simply re-route the traffic to a router they controlled, then forward it to its intended destination once they were done with it, leaving no one the wiser about what had occurred.
Now, five years later, this is exactly what has happened. Earlier this year, researchers say, someone mysteriously hijacked internet traffic headed to government agencies, corporate offices and other recipients in the U.S. and elsewhere and redirected it to Belarus and Iceland, before sending it on its way to its legitimate destinations. They did so repeatedly over several months. But luckily someone did notice.
And this may not be the first time it has occurred – just the first time it got caught.
Analysts at Renesys, a network monitoring firm, said that over several months earlier this year someone diverted the traffic using the same vulnerability in the so-called Border Gateway Protocol, or BGP, that the two security researchers demonstrated in 2008. The BGP attack, a version of the classic man-in-the-middle exploit, allows hijackers to fool other routers into re-directing data to a system they control. When they finally send it to its correct destination, neither the sender nor recipient is aware that their data has made an unscheduled stop.
Zetter goes on to explain that the hijack attacks were found to have captured “vast amount of sensitive information,” and occurred “at least 38 times…sometimes for minutes, other times for days — and they did it in such a way that, researchers say, it couldn’t have been a mistake.”
In this case, the attacks were initially believed to be targeting financial information, “since traffic destined for a large bank got sucked up in the diversion.” But then they found “traffic intended for the foreign ministries of several countries” had been diverted as well as data from a “large VoIP [Voice over IP, Internet telephone] provider in the U.S., and ISPs that process the internet communications of thousands of customers.”
Read the full story for much more on the disturbing technical details, but essentially the exploit takes advantage of an Internet infrastructure “feature” that allows anyone with access to a BGP router to spoof the normal path of Internet traffic so that it takes a longer trip before arriving at its intended location. Zetter explains it this way [emphasis added]:
To make it easy for e-mail traffic from an ISP in California to reach customers of an ISP in Spain, networks for these providers and others communicate through BGP routers. Each router distributes so-called announcements indicating which IP addresses they’re in the best position to deliver traffic to, for the quickest, most efficient route. But BGP routers assume that when another router says it’s the best path to a specific block of IP addresses, it’s telling the truth. That gullibility makes it easy for eavesdroppers to fool routers into sending them traffic they shouldn’t get.
…
To intercept data, anyone with a BGP router or control of a BGP router could send out an announcement for a range of IP addresses he wished to target that was narrower than the chunk advertised by other network routers. The announcement would take just minutes to propagate worldwide and, just like that, data that should have headed to those networks would begin arriving to the eavesdropper’s router instead.
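The mechanism Zetter describes above, longest-prefix match, is what makes a narrower announcement win, and it is also what a route monitor like Renesys watches for. The following is an added illustration, not code from the article or from Renesys: it simulates a router choosing the most specific covering prefix, then runs a monitor-side check that flags any announcement inside a prefix whose owner has declared its legitimate origin ASes (a simplified model in the spirit of RPKI route origin validation). All prefixes, AS numbers and the routing table are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Announcement:
    prefix: str      # advertised IP block, e.g. "203.0.113.0/24"
    origin_as: int   # AS number that claims to originate the block

def select_route(rib, dst_ip):
    """Longest-prefix match as a BGP router performs it: among all announced
    prefixes covering dst_ip, the most specific one wins. This is why a
    narrower announcement pulls traffic away from the legitimate /24."""
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for ann in rib:
        net = ipaddress.ip_network(ann.prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = ann, net.prefixlen
    return best

def detect_hijacks(rib, expected_origins):
    """Monitor-side check (assumed, simplified model of route-origin
    validation): flag any announcement that sits inside a prefix whose owner
    has declared its legitimate origin ASes, when the announcing origin is not
    on that list. Returns (announced prefix, origin AS, covering prefix)."""
    alerts = []
    for ann in rib:
        net = ipaddress.ip_network(ann.prefix)
        for legit_prefix, allowed in expected_origins.items():
            covering = ipaddress.ip_network(legit_prefix)
            if net.subnet_of(covering) and ann.origin_as not in allowed:
                alerts.append((ann.prefix, ann.origin_as, legit_prefix))
    return alerts

# Constructed sample routing table (documentation address space and private
# AS numbers; not real announcements and not taken from the article).
SAMPLE_RIB = [
    Announcement("203.0.113.0/24", 64500),    # legitimate owner's announcement
    Announcement("203.0.113.0/25", 64500),    # owner's own, authorized more-specific
    Announcement("203.0.113.128/25", 64666),  # unexpected more-specific from another AS
    Announcement("198.51.100.0/24", 64501),   # unrelated, legitimate
]
# Owner-declared origins, analogous to an RPKI ROA (constructed values).
EXPECTED_ORIGINS = {"203.0.113.0/24": {64500}, "198.51.100.0/24": {64501}}

if __name__ == "__main__":
    for dst in ("203.0.113.10", "203.0.113.200"):
        r = select_route(SAMPLE_RIB, dst)
        print(f"{dst} -> {r.prefix} via AS{r.origin_as}")
    for prefix, origin, covering in detect_hijacks(SAMPLE_RIB, EXPECTED_ORIGINS):
        print(f"ALERT: {prefix} announced by AS{origin} inside {covering}")
```

Traffic for 203.0.113.200 follows the /25 from AS 64666 even though the /24 is still announced by its owner, and the monitor reports exactly that announcement.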
What makes this exploit particularly disturbing is that no one may ever even know that it occurred. In a blog post by Renesys cited by Zetter, the firm warns: “What makes a man-in-the-middle routing attack different from a simple route hijack? Simply put, the traffic keeps flowing and everything looks fine to the recipient…It’s possible to drag specific internet traffic halfway around the world, inspect it, modify it if desired, and send it on its way.”
A similar BGP hijack is said to have taken place in 2010, when according to a report from the US-China Economic and Security Review Commission “For about 18 minutes on April 8, 2010, China Telecom advertised erroneous network traffic routes that instructed US and other foreign Internet traffic to travel through Chinese servers. Other servers around the world quickly adopted these paths, routing all traffic to about 15 percent of the Internet’s destinations through servers located in China.”
In that case, as the report details, the incident affected traffic to and from U.S. government and military sites, “including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others.” Some commercial traffic from Yahoo!, Microsoft and IBM was also said to have been affected.
A computer security expert we spoke with about that BGP rerouting incident was dubious about the explanation that the traffic diversion was done accidentally, as claimed by China.
Such an attack is, obviously, a horrifying possibility for an Internet-based election, and there seems to be no way to block the ability for such an attack to be carried out, given the way the Internet itself is currently set up to operate. To affect an election, rerouting by such an attack would only need to be run during the hours that the polls are open, or even just a portion of that time. Since this exploit targets specific IP addresses, it could, theoretically, target only the computers used for voting at the polls, or in very specific areas.
Data from Internet votes cast at a precinct (or from a smart phone, or whatever other sort of scheme these Internet Voting loons seem to keep dreaming up) could be hijacked, modified, and then sent to the official election server without anybody ever knowing anything had happened. Since we have secret ballots in U.S. elections, it would be largely impossible to compare the original votes to the ones that were ultimately recorded.
While Internet Voting companies enjoy bragging about things like “military-grade encryption” of data — or whatever nonsense these election profiteers use to fool gullible lawmakers and others into believing that online elections can be carried out securely — we’ve seen enough information about encryption keys being stolen or broken or, thanks to leaks by Edward Snowden and others, the government itself “legally” securing their own access to such keys in order to decrypt (and then modify) just about anything they like…Not that any government entity, someone else’s or our own, would have any interest in modifying the results of a U.S. election or anything.
Of course, rather than decrypt and modify the data, which is more complicated, the data could also simply be deleted, rather than passed on to its final destination at all.
Nobody knows who was behind the particular hijacks described in the Wired piece, and it may be impossible to ever identify the culprits since, according to Renesys’ analysis cited by Zetter, while “systems in Belarus and Iceland initiated the hijacks, it’s possible that those systems were hijacked by a third party that simply used them as a proxy for the attacks.”
Again, this is not something easily “fixed” on the Internet. It’s a feature of the architecture, not a bug. So there seems to be little that could be done to change or correct it before voting was carried out over that same Internet, as many of those profiteers — and too many Democrats and Republicans — continue to call for.
When reached for comment by The BRAD BLOG, electronic voting expert Dr. Barbara Simons, a former IBM researcher, past President of the Association for Computing Machinery [ACM] and co-author of Broken Ballots: Will Your Vote Count?, shared similar concerns to ours about this type of exploit being used to tamper with an Internet election.
Simons, one of a number of world-class computer and security experts who have been long time outspoken opponents of Internet Voting schemes, agreed that “Based on what I read in [the Wired] article, it seems to me that a man-in-the-middle attack on Election Day is indeed a cause for concern.”
Another computer security and voting system expert we spoke to, who preferred we not use his name, noted that actually changing votes on the fly might be difficult, but deleting them entirely would not be.
“The diversion of traffic is a very serious matter for a number of reasons, but I would say that attacks on votes in transit would be low on the list. Vote traffic, done right, would be encrypted, as you point out, and so traffic diversion alone does not allow for the reading or modification of ballots,” he explained via email. “It would require getting the keys as well. Also as you point out, we now know of several ways that the NSA does that (or causes weak keys to be used) so it is not impossible, but it requires both a traffic diversion and access to keys to accomplish — a two part attack, which is much harder to pull off. However, simply throwing away ballots in transit, based on unencrypted metadata like the sender’s IP address, would be absolutely easy.”
Simons, who is a member of the Board of Advisors to the U.S. Election Assistance Commission (EAC) and co-authored a report in 2004 that led to the cancellation of a Dept. of Defense Internet Voting project (“Secure Electronic Registration and Vote Experiment” or SERVE) due to security concerns, notes that voting over the Internet isn’t the only thing that might be affected by such an attack.
Online voter registration, she says, could potentially be corrupted by the very same type of exploit. “The risk is that a voter’s address could be modified, without the voter’s knowledge. This could be a serious problem in states that are primarily or exclusively vote-by-mail.”
Oh, yeah. There’s that too.
FTA:
Yes, and imagine if those address alterations were used to deny the right to vote in states where the GOP has passed polling place Photo ID laws.
One can easily foresee a circumstance in which computer address manipulations could then be used to compel citizens to cast provisional ballots because the computer showed that they were voting at the wrong precinct.
Internet voting may be the final frontier, the front where the 1% tier exacts their final will on the other tier, the 99% tier.
Those who will celebrate the final frontier will be in the war party, the oldest party.
What if a hacker were to access –ON SITE or off – and surreptitiously look at all or some of the machine voting results and find – or “find” – they were rigged, because different from the reported outcome? Anyone could claim to have done that – and if they claim that from another country – they won’t be investigated by the USA. Especially if they can’t be identified. So they could accuse a liberal of rigging an election. Of course, it’s much easier to just buy SCOTUSII.
If they lied and said the election was rigged – that has one result. If they actually found the election was really rigged – they would be Snowdened into exile.
Hi Brad,
Great analysis, as usual. As you pointed out, Internet voting is folly. As Ernest Canning pointed out, such exploits can also impact voter registration. I’d like to add two more applications to elections: poll lists and delivery of aggregated results.
Let me explain: As I’ve mentioned before, the four most crucial areas of accountability for elections, which should be authenticatable by the public, and any one of them can compromise an election even if the other three are intact:
– Who can vote
– Who did vote
– Vote count
– Chain of custody
As Ernest points out, voter registration lists, with the online registration and retrieval systems, are vulnerable to such an exploit. That impacts the “who can vote” part of accountability. Its remedy is to commit to a voter registration list before the election and publish that list. Most countries do that; many places here in the USA do not.
The second part of accountability, who did vote, is increasingly being handled by electronic pollbooks, with interface online. They wouldn’t need to be online, but enter the next “reform” — vote centers. When anyone can vote anywhere, the electronic pollbook MUST sync up online with the other polling places. This puts the “Who Did Vote” portion of accountability at risk, and through that, also the Who Can Vote, because if it is falsely reported that you did vote, you can’t vote.
The third area, counting of the vote, is impacted with the internet component when results are relayed either electronically or through automated mobile phone systems. Here we see a big current risk. SOE software, in the USA, is middlemanning results for over 1,000 of our 3,000 jurisdictions. In 2004, we saw that the Ohio secretary of state placed its results server on the National Republican Party server. I am working on a story on Kenya elections with MANY SIMILARITIES TO USA ISSUES, whereby in their last very controversial presidential election, the IP for the supposedly independent results server was the same as the IP for the (winning, arguably) presidential candidate parties.
That very, very interesting situation resulted in installing a president who has been indicted for crimes against humanity.
The mitigation for electronic results servers is prompt, public dissemination of disaggregated results from the original source. In other words, posting copies of all the poll tapes online, along with the polling place forms signed by pollworkers.
In Kenya, after demonstrators hovered around their results server building, they belatedly published these forms, but, according to the Carter Center report, most of the forms somehow never appeared online. They also refused to provide disaggregated results (polling place results).
The fourth accountability area, chain of custody, is breached with all online systems, be they registration, pollbook, or counting. Precisely the point of Zetter’s article, at its core, is that chain of custody was (and still is) a “hole” in the system.
Bev Harris
Black Box Voting