Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering – Daniel M. Zimmerman and Joseph R. Kiniry, Galois, Inc., 421 SW 6th Ave., Suite 300, Portland, OR 97204. November 7, 2014
“Abstract – In order to highlight the dangers associated with Internet voting carried out over electronic mail with PDF forms, we show that an off-the-shelf home Internet router can be easily modified to silently alter election ballots. The modification is nearly undetectable and can be carried out in a way that leaves no evidence to be found in a postelection investigation.
Introduction – A number of governments, at various levels, have expressed interest in the establishment of Internet voting systems. Examples include the state of Alaska, which has carried out an Internet voting trial for the 2012 and 2014 elections; Washington, D.C., which in 2010 developed an Internet voting pilot project with the OSET Foundation for absentee voters that was successfully attacked by an academic research group [6]; and the nation of Estonia, which has had Internet voting since 2005 that exhibits significant security flaws [3]. One mechanism proposed for Internet voting involves ballots rendered as standard Adobe Portable Document Format (PDF) forms. These forms are made available to voters on a web site; the voters then use standard software (e.g., Acrobat Reader, Preview, etc.) to fill out the forms and submit the completed forms via electronic mail to the appropriate election authority. The submitted ballots are then printed and counted, either by hand or with optical scanners. This ballot-return mechanism was used as a fallback mechanism after the Washington, D.C. Internet voting system was successfully hacked and removed from service, it was used as an emergency measure in New Jersey elections in 2012 because of the impact of superstorm Sandy, and it is also available to current Alaska voters. Unfortunately, this mechanism is vulnerable to fairly obvious attacks at several levels: malicious software on the user’s computer could modify or invalidate a vote; a malicious election authority could intentionally miscount (or simply “lose”) received votes; malicious third parties could masquerade as the election authority or perform denial of service attacks against the actual election authority to prevent votes from being cast or flood them with invalid ballots; and more.
Here we describe a more subtle attack at the transport level, which changes the raw data traveling through the electronic mail system between the voter’s computer and the election authority.”