Microsoft Research Proposes E-Voting Attack Mitigation

Microsoft Research has proposed a mitigation for a known potential attack against verifiable electronic voting machines that could help prevent insiders from being able to alter votes after the fact. The countermeasure to the “trash attack” involves adding a cryptographic hash to the receipts that voters receive.


Many verifiable voting systems already include hashes on the receipts, but that hash typically covers only the ballot data of the specific voter. The idea proposed by Microsoft Research is to use a running hash: each person’s receipt also incorporates a hash of the previous voter’s receipt, so that a privileged insider can no longer use discarded receipts to pick out votes that can be altered safely. The trash attack that the mitigation is designed to address involves election workers, or others motivated to change votes, gathering discarded receipts and then altering the corresponding votes, since a voter who threw away the receipt is unlikely to ever check it.

“The provision of receipts to voters who may not want them, however, suggests a very simple means by which election workers could find votes that are good candidates for alteration: poll workers could simply collect the contents of the nearest trash receptacles. Any receipts that have been discarded by voters would be strongly correlated with votes that could be altered without detection. Active collection of receipts may also be viable through social engineering,” Josh Benaloh of Microsoft Research and Eric Lazarus of DecisionSmith wrote in a research paper, “The Trash Attack”.

Electronic voting systems have made their way into a lot of jurisdictions in recent years, replacing older manual machines. But security researchers have discovered a number of serious security vulnerabilities in various machines, which could lead to vote alteration and questionable election results.

The solution that Benaloh and Lazarus propose involves generating an initial value for each machine that incorporates, among other inputs, the date of the election and a unique identifier for the device.

“If a running hash were to be incorporated, this insider’s options would be severely limited. If the insider had the ability to alter a ballot and a corresponding running hash value in real time (i.e. before the next voter uses a device), then the same 60% success rate could be achieved. But if the insider cannot mount a real-time attack, after-the-fact alteration of 10 ballots would only escape detection if they were all cast after the last ballot whose corresponding receipt was verified by a voter. Not only does this substantially restrict the pool of ballots available to the insider, but this threat can now be completely eliminated by a single diligent voter or observer recording the final running hash value at the end of the voting period,” the paper says.
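The following is an added illustration of the running-hash receipt described above; it is not code from the paper or from any voting system. It assumes SHA-256 as the hash, a seed derived from the election date and a device identifier (the paper says the initial value comprises these in part; the exact encoding here is an assumption), and a simple chaining rule where each receipt hashes the previous receipt together with the current ballot. The ballots, device id and election date are constructed sample values. The `audit` function models the two checks the paper relies on: voters comparing their receipts against the published list, and an observer recording the final running hash.

```python
import hashlib
from typing import Dict, List, Optional


def initial_value(election_date: str, device_id: str) -> bytes:
    """Per-device seed. The paper says it comprises, in part, the election date and a
    unique device identifier; this particular encoding is an assumption."""
    return hashlib.sha256(f"election={election_date};device={device_id}".encode()).digest()


def next_running_hash(prev: bytes, ballot: bytes) -> bytes:
    """Chain rule (assumed): new receipt = H(previous receipt || separator || ballot data)."""
    return hashlib.sha256(prev + b"\x00" + ballot).digest()


def issue_receipts(seed: bytes, ballots: List[bytes]) -> List[bytes]:
    """Simulate the machine over the voting period: voter i walks away with receipts[i]."""
    receipts = []
    running = seed
    for ballot in ballots:
        running = next_running_hash(running, ballot)
        receipts.append(running)
    return receipts


def audit(seed: bytes, published: List[bytes], checked: Dict[int, bytes],
          final_hash: Optional[bytes] = None) -> dict:
    """Recompute the chain from the published ballots and compare it with
    (a) the receipts of voters who bothered to check (index -> receipt) and
    (b) the final running hash an observer recorded at close of polls, if any."""
    chain = issue_receipts(seed, published)
    failed = sorted(i for i, receipt in checked.items() if chain[i] != receipt)
    final_ok = final_hash is None or chain[-1] == final_hash
    return {
        "failed_receipts": failed,
        "final_hash_ok": final_ok,
        "tamper_detected": bool(failed) or not final_ok,
    }


# Constructed sample data: ten ballots cast on one device.
SAMPLE_SEED = initial_value("2011-11-08", "DEVICE-ID-PLACEHOLDER")
SAMPLE_BALLOTS = [b"contest1=A", b"contest1=B", b"contest1=A", b"contest1=A", b"contest1=B",
                  b"contest1=A", b"contest1=B", b"contest1=A", b"contest1=A", b"contest1=B"]


if __name__ == "__main__":
    receipts = issue_receipts(SAMPLE_SEED, SAMPLE_BALLOTS)
    # Only voter 5 keeps and checks a receipt; everyone else discards theirs.
    checked = {5: receipts[5]}

    # Insider alters ballot 2 (a discarded receipt) after the fact. Because voter 5
    # cast later, voter 5's receipt no longer matches the recomputed chain.
    early = list(SAMPLE_BALLOTS)
    early[2] = b"contest1=B"
    print("alter ballot 2:", audit(SAMPLE_SEED, early, checked))

    # Insider alters ballot 8, cast after the last verified receipt: receipts alone
    # miss it, but an observer's record of the final running hash catches it.
    late = list(SAMPLE_BALLOTS)
    late[8] = b"contest1=B"
    print("alter ballot 8, receipts only:", audit(SAMPLE_SEED, late, checked))
    print("alter ballot 8, with final hash:", audit(SAMPLE_SEED, late, checked, receipts[-1]))
```

Running the script shows the two cases the paper describes: an alteration before the last checked receipt is flagged by that receipt, and an alteration after it escapes the receipts but not the recorded final hash, which is why a single observer writing down the closing value closes the remaining window.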

The researchers said that the mitigation may need to be implemented differently in each voting system, but that the result would be the same.

“Although the details may vary between systems, it is clear that the simple inclusion of a running hash within voter receipts mitigates a serious vulnerability that may occur when insiders or others, who may have the ability to change votes after they have been cast, can use external information to tell which voters are more likely to check their receipts against published lists,” they wrote.


Discussion

  • ed smith on

    Gents--

    I may be missing something regarding this vulnerability.  Providing a receipt to the voter showing how they voted is illegal in all 50 States.  Voter Verifiable Paper Audit Trails thus contain a degree of physical security; and no voting machine in use in the United States is actively giving the voter a receipt of any sort, other than one that gives the date and approximate time that a voter cast their ballot (Hart InterCivic, think that a voter needs to prove that they voted to obtain pay for the time away from the jobsite); and even that requires that the voter obtain the receipt from a poll worker.  Can you help me better understand the vulnerability you seek to solve?

  • Andrew on

    Ed - the current paper audit trail doesn't have how you voted per se, it has a hash that is unique to the time you voted and the votes that you cast.  This would allow you to verify that your vote was recorded correctly.  The attack that they are worried about in this case is that if you leave and throw your receipt in the trash can outside, anyone who looks through that trash can and finds it now knows that they can change your vote and you will have no way to prove that anything was changed.

    By changing the system to a running hash, if any vote is changed, it will invalidate the hashes from your receipt and everyone's receipt who voted after you did.  To find which vote was changed would require more work but that a vote was changed would be easily noticed.

    Hope this helps.
