Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States.
On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren’t where they should be.
Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called “Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering” that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority.
PDF ballots have been used in Internet voting trials in Alaska, and in New Jersey as a voting alternative for those displaced by Hurricane Sandy. The ballots are downloaded, filled out and emailed; the email is equivalent to putting a ballot into a ballot box. Election authorities then either print the ballots and count them by hand, or count them with an optical scanner.
The Galois attack is by no means the only attack that threatens Internet voting; malware on a voter’s machine could redirect traffic or cause a denial of service condition at the election authority. But the attack described in the paper is a much quieter one that the researchers say is undetectable, even in a forensics investigation.
“We describe a more subtle attack at the transport level, which changes the raw data traveling through the electronic mail system between the voter’s computer and the election authority,” Zimmerman and Kiniry write in their paper.
The attack relies on a hacker first replacing the embedded Linux firmware running on a home router. This aspect of their attack required fewer than 50 lines of code to alter the kernel code that handles transmission of packets on the network device. A new firmware, which they claim is indistinguishable from the manufacturer firmware, is loaded. The only subtle differences are that TCP connections on email ports 25 and 587 are slower than under the original firmware, and that the bytes sent to those ports are altered in transit.
The new firmware is installed by taking advantage of any number of known vulnerabilities, including problems with UPnP, exploits that allow admin-level backdoors, or exploiting weak or known default passwords. On the router used in this attack, firmware updates are done via an unprotected FTP connection. The router does compare an MD5 checksum of the downloaded firmware against an expected value, but the researchers were able to circumvent that check.
“While the router does compute an MD5 checksum of the downloaded firmware and compare it to the checksum in the firmware information file,” the researchers wrote, “the fact that both the checksum and the firmware come from the same source means that DNS-based spoofing of the firmware upgrade server can easily fool the router into installing our modified firmware.”
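The weakness the researchers describe is that the checksum and the image share one source, so whoever controls that source (here, via DNS spoofing) controls both. The following added example, not code from the paper or from any router vendor, simulates that check beside a hardened one: the router verifies the image with a vendor key embedded at manufacture, which a spoofed update server does not hold. The firmware bytes and the vendor key are constructed placeholders; HMAC stands in for the asymmetric signature a real vendor would use because the standard library has no signature primitive.

```python
import hashlib
import hmac

# Constructed sample data: a "genuine" image, a tampered image, and a
# placeholder vendor key assumed to be burned into the router at manufacture.
VENDOR_KEY = b"placeholder-vendor-key-embedded-in-router"
GENUINE_FW = b"\x7fELF genuine router kernel image (constructed)"
TAMPERED_FW = b"\x7fELF kernel with patched packet path (constructed)"


def publish_update(firmware):
    """What an update server hosts: the image plus an 'info file' carrying its MD5.
    An attacker who has spoofed the server produces both files."""
    return firmware, hashlib.md5(firmware).hexdigest()


def weak_check(firmware, info_md5):
    """The router's original check: recompute MD5 and compare with the info file.
    Both values come from the same server, so a matching pair proves nothing."""
    return hmac.compare_digest(hashlib.md5(firmware).hexdigest(), info_md5)


def vendor_sign(firmware):
    """Vendor side: tag the image with a key the update server never sees."""
    return hmac.new(VENDOR_KEY, firmware, hashlib.sha256).hexdigest()


def strong_check(firmware, tag):
    """Router side: recompute the tag with the embedded key before flashing."""
    expected = hmac.new(VENDOR_KEY, firmware, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def spoofed_server_defeats_md5():
    """A spoofed server ships a tampered image with a matching MD5: check passes."""
    fw, md5 = publish_update(TAMPERED_FW)
    return weak_check(fw, md5)


def spoofed_server_fails_signature():
    """Without the vendor key the attacker can only replay the genuine tag,
    which does not match the tampered image: check fails."""
    return strong_check(TAMPERED_FW, vendor_sign(GENUINE_FW))
```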
Once a hacker is able to sit in the traffic stream, they will be able to intercept a ballot in traffic and modify data within the PDF to change the submitted votes. The researchers describe that there are object identifiers associated with the radio buttons used to vote for respective candidates. Code strings indicate the selected radio button; there is a vote string and a selection string for each identifier, or candidate. So for a two-candidate race, there are three strings, one for the vote, and one for each candidate.
“Our attack code monitors connections on standard email submission ports, replacing our target encoded strings with our desired replacement strings when they are encountered,” the researchers wrote. “The replacement is performed by modifying individual packets at the TCP protocol level, and cannot be detected in real time unless the connection is actively monitored at both ends to ensure that packet contents are transferred unmodified.”
Slight modifications to any of those strings resulted in various changes to votes depending on the standalone or browser-based PDF reader used. The researchers tested their attack on Adobe Acrobat Pro XI, Apple Preview, Chrome, Gmail, Firefox, Safari, and Skim. In Acrobat, Apple Preview, Safari and Skim, minimal changes were required to change a vote. In Chrome, Gmail and Firefox, all three strings had to be modified to alter a vote, the researchers said, adding that printed output also matched the digital alterations.
“It is extremely likely that an election authority would use a standalone PDF viewer to print the votes, rather than printing them directly from a web browser, as they would hopefully not use a web-based email account to receive the votes,” the researchers wrote. “Since all the standalone PDF viewers we tested were convinced by a single string change, it is likely that a single string change (per targeted ballot) would be sufficient to change an election outcome.”