“Bender Bending Rodriguez,” better known as simply Bender, from the television series Futurama, was elected to the 2010 school board in Washington DC. That’s right: a cartoon character was written in and won by a landslide, thanks to the hard work of hackers from the University of Michigan.
The most astounding part of the whole story is that it only took them a few hours to accomplish the feat.
The hacking was not carried out by so-called “black hat” hackers or individuals operating under the ambiguous label of Anonymous (although it seems like it would be, given the popularity of Futurama); it was actually sanctioned by the Washington DC school board itself.
Unfortunately, I see incidents like this as just giving support for plans like that of John McCain to give the control of American networks over to the NSA and the military and others which would prefer that the Department of Homeland Security take control, especially with the twist in the story which you will discover as you read on.
The DC school board challenged hackers to compromise their new Internet-based voting system for absentees just four days ahead of the actual election.
Alexander Halderman, a professor at the University of Michigan, and two graduate students cracked the system and elected Bender in just a few hours, dealing yet another blow to the false sense of security surrounding electronic voting systems.
I didn’t think it could get any worse than the discovery that just $10 and a basic grasp of electronics is all that is needed to hack into a Diebold voting machine, but clearly I was wrong.
Indeed, when a Vulnerability Assessment Team from the Argonne National Laboratory in Illinois tested the machines, they found that a hacker was even able to change the votes of a random individual without their knowledge.
“We believe these man-in-the-middle attacks are potentially possible on a wide variety of electronic voting machines,” Roger Johnston, the leader of the team, said at the time. “We think we can do similar things on pretty much every electronic voting machine.”
Is there really any more proof anyone needs to show that electronic voting systems are inherently insecure and therefore completely nonviable? Electing Bender to a school board is just adding insult to injury at this point.
After looking at the electronic voting system’s framework, which was built on Ruby on Rails, Halderman and his team discovered that they were able to use a shell injection vulnerability.
In the past, I myself have been a victim of such attacks which can be quite devastating when done maliciously. It resulted in a great deal of lost funds, stolen passwords and a massive fee from the hosting company.
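As an added illustration of the shell injection class mentioned above (this is not code from the DC voting system or from Halderman's paper), the following Ruby example contrasts a command built by string interpolation with a validated argv-array call. It assumes a hypothetical handler that passes a user-supplied file name to an external tool; `printf` stands in for that tool, and the function names and sample inputs are constructed for the example.

```ruby
require "open3"

# Constructed sample inputs (not from the DC system): one ordinary file name
# and one that carries a shell metacharacter plus a harmless marker command.
BENIGN  = "ballot_0042.pdf"
HOSTILE = "ballot.pdf; echo INJECTED"

# Allowlist for the names this hypothetical handler accepts.
SAFE_NAME = /\A[A-Za-z0-9_-]{1,64}\.pdf\z/

# Vulnerable pattern: input interpolated into one command string. Ruby passes
# the string to /bin/sh, so ";" ends the intended command and starts another.
def process_unsafe(filename)
  `printf 'processing %s\\n' #{filename}`
end

# Hardened pattern: validate first, then pass an argv array. With separate
# arguments Ruby execs the program directly and no shell parses the input.
def process_safe(filename)
  raise ArgumentError, "rejected file name" unless SAFE_NAME.match?(filename)
  out, status = Open3.capture2("printf", "processing %s\n", filename)
  raise "tool exited with #{status.exitstatus}" unless status.success?
  out
end

# Argv form alone, without the allowlist, to show the input stays one argument.
def process_argv_only(filename)
  Open3.capture2("printf", "processing %s\n", filename).first
end

if __FILE__ == $PROGRAM_NAME
  puts process_unsafe(HOSTILE)      # two lines: the marker command ran
  puts process_argv_only(HOSTILE)   # one line: metacharacters are literal text
  puts process_safe(BENIGN)
end
```

The allowlist and the argv form are independent layers: the first rejects unexpected names outright, the second keeps any name that does get through from being parsed by a shell.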
When Halderman and his associates exploited the vulnerability, they were able to obtain the public key which is used to encrypt all of the ballots. Obtaining this key allowed them to not only change every single ballot already put in the system but also change the votes of any ballots cast after the attack.
The damage didn’t end there, with the hackers discovering a PDF of over 900 pages with voter instructions and authentication codes for every voter, which would allow someone with less than admirable intentions to vote as other people.
They were also able to hack into the network which the system resided on, thus giving them access to additional systems in the building including the surveillance system, allowing them to carry out their attacks at the optimum time to avoid being detected by technicians.
The interesting bit of the story as reported by PC World comes when the hackers allegedly discovered an attack coming from Iran.
They supposedly traced the IP address all the way back to the Persian Gulf University and found that the Iranian hackers were breaching the system by using the default administrator logins, which are admin as both the username and password.
The team then blocked the IP addresses and changed the password while also blocking attacks allegedly coming from New Jersey, India and China.
The problem is that anyone can mask their IP address with just a tiny bit of technical know-how and make an attack look like it is coming from anywhere quite easily.
The whole story gets even more insane knowing that even after the team changed the “Thank you for voting” note to “Owned” and then had the site play their university’s fight song after a few seconds, the system administrators didn’t notice anything amiss until a whopping two days later.
I honestly hope that the administrators and the individual who designed and supposedly secured the system were promptly fired.
Halderman makes the point in his paper on the attack that just a single flaw in a system’s configuration for electronic voting could be fatal.
Furthermore, he supports my assertion that electronic voting has a long way to go before being a real viable choice in saying that secure Internet-based voting will not be ready until significant advances in computer security are made.
Until such major leaps in security can be made, I don’t see why any vote should utilize electronic voting machines, even for a race as seemingly small as a school board. I just don’t know how much more proof people are going to need until they demand a return to physical ballots.