Study Shows Major E-Voting System Open To Numerous Hacking Attacks
from the e-voting-can't-be-secured.-Full-Stop. dept
Another day, another electronic voting system that's simply not up to the task.
Over the weekend, researchers at MIT and the University of Michigan released a paper (pdf) showcasing how OmniBallot, an electronic voting system made by Seattle-based Democracy Live, is vulnerable to hack attacks and vote manipulation. OmniBallot is currently being used used in Colorado, Delaware, Florida, Ohio, Oregon, Washington, and West Virginia. Courtesy of the pandemic, these and several additional states are considering their expanded use of the platform. But the study makes it abundantly clear that may not be a particularly good idea:
"We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon, Google, or Cloudflare. In addition, Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information—including the voter’s identity, ballot selections, and browser fingerprint— that could be used to target political ads or disinformation campaigns."
Great.
Techdirt has, of course, been highlighting the problems with electronic voting since the site began. It's a sector dominated by companies that simply don't seem to care if their platforms can be secured, that often refuse to adhere to basic security standards, that don't allow third-party researchers to fact check their claims, and then simply utter "trust us" every time concerns are raised.
The Omniballot system lets states deliver ballots electronically to voters as a pdf, letting users vote via email, fax or mail. But it's also being used as a pure internet voting system in states like Delaware, which used it as the backbone of its primary voting just last week. Security researchers have been pointing out for decades that there are simply too many attack vectors between your PC/phone and the target destination to adequately secure the data in transit. In this case, researchers found the system was open to both vote and ballot manipulation:
"Specter and Halderman found that with regard to the blank ballots delivered to voters over the internet, an attacker could alter those ballots to change or remove races or candidate names. They could also misdirect completed ballots returned through the internet so they’re sent to the wrong destination. The greatest risk, though, is manipulation of votes. Attackers could use malware on the voter’s computer or injected into the OmniBallot web app so that the ballot could appear correct to the voter reviewing it on their computer while the ballot that’s submitted has different selections."
Researchers found the system transmits all manner of sensitive voter data over the internet that simply doesn't need to be transmitted. The system also uses a wide number of intermediaries, including Amazon, Google, and Cloudflare, all of which researchers say create additional opportunities for manipulation:
"The biggest security problem with internet voting is the insecurity of all the millions of voters’ computers and phones. That doesn’t change, depending on who is hosting the server,” Appel said. “But it’s still an important point to realize that [in this case] it’s not just one server that would need to be secure in addition to the millions of voters’ computers; it’s a whole ecosystem of connected companies."
Again, internet voting cannot be adequately secured. It simply can't at this moment in the technology's development history. There's a long list of companies and government leaders that have fooled themselves to the contrary because it's profitable, but it's hard to find any reputable security researcher that genuinely thinks electronic voting is anywhere near prime time, and this is just one of countless studies making that very clear.
But because our broken Congress has refused to secure proper funding to do mail voting with a proper paper trail correctly, and is insistent on turning secure remote voting into an idiotic partisan issue, this isn't a problem that's going away anytime soon.
Filed Under: e-voting, electronic voting, omniballot, security risks
Companies: democracy live
