
Class voting hacks prompt call for better audits



Hacking the vote
For the exercise, the class of 11 students split into six teams. First, the teams assumed the alias of unethical programmers at a fictitious voting machine company and plotted to sway an election’s outcome without getting caught.

For their target, the students tried their devious hand at a somewhat simplified in-house electronic voting machine called Hack-a-Vote, programmed with the same Java language as many Web applications. After each team carried out its mischief, the machine’s subtly altered source code was inspected by two other teams playing the part of election inspectors tasked with certifying the code.

Some teams created a backdoor PIN code so that workers in cahoots could always use the same PIN — say 111 — to vote multiple times and effectively stuff the electronic ballot box. Other teams tampered with the administrator’s password. One team, according to Wallach, even took advantage of a bug in the underlying Java script controlling images — from buttons on the screen to a picture of an American flag — to create a secret button that would allow one person to cast multiple votes.

Grady and Michael Dietz, a graduate student studying under Wallach, corrupted the file so that the only way of knowing something had changed would be to run the entire program (instead of just visually inspecting the code during an audit process). “So it would survive the audit, and only be malicious once it had been rolled out in the voting place,” Dietz said.

The trickery, in fact, survived two in-class audits by other students well aware of the motive for mischief. Likewise, Dietz missed two bugs that another group introduced by simply omitting a small amount of code that had been there initially.

One of Dietz and Grady’s modifications wasn’t even in the source code, a cleverly hidden bug that wouldn’t have been caught unless the entire system was verified (it wasn’t picked up by either in-class audit). The result? One candidate on the ballot was guaranteed to receive 90 percent of the vote. An obviously fishy result, perhaps, but what if the guaranteed total was 55 percent?

Many other tweaks, though, were caught by the inspectors. “I think it’s proven that source code audits are very beneficial to these kinds of systems,” Dietz said. “Having lots of eyes on them tends to catch these kinds of things.”

Wallach said the argument against opening up a company’s code to multiple viewers rests on the concept of “security through obscurity,” which proposes that a system’s inaccessibility protects it from attack.

“Inevitably, obscurity only damages security, it doesn’t improve it,” he said.

A matter of electronic trust
Ken Fields, a spokesman for Omaha, Neb.-based Election Systems & Software, Inc., said security procedures based on best practices should be implemented no matter which technology is being used (ES&S’s touch-screen and optical-scan machines are now in place in 38 states, a greater number than any other company, according to statistics compiled by the Pew Center on the States).

“It is important to note that every line of our source code is reviewed and tested by an independent testing authority to ensure it meets rigorous federal voluntary voting system standards before it is ever used in an election,” Fields said in a statement.

After completing the federal certification process, he said, the voting systems complete a “thorough” state certification examination as well as third-party reviews in a number of jurisdictions.

Aggelos Kiayias, an assistant professor of computer science and engineering at the University of Connecticut’s Voting Technology Research Center, said the results of the Rice exercise aren’t surprising to experts in the field.

“To be blunt, without a voter-generated paper trail that enables a post-election audit using the actual voter selections, there is no way right now to positively rule out any type of misbehavior/malfunction,” he said in an e-mail.

Kiayias, though, warned against making generalizations about the security of elections based on an issue specific to one type of equipment.

“Always keep in mind that the equipment is only one component in the election process,” he said. “It is possible to mitigate equipment vulnerabilities within a larger process, just the same as one can still employ a sub-par lock in a safe that takes 10 minutes to pick as long as a guard checks the room every 10 minutes.”

One way to audit an electronic voting system, Wallach said, might be to assign one or more machines to a fake precinct with election workers as “voters” to check for any misbehavior. California has instituted such parallel tests, though they can only detect certain types of malice and would be flummoxed by tricks like the secret button bug; workers wouldn’t know to push blank portions of the screen as part of the election-day audit.

Technology boasting a more secure voting environment may be on the way. On Tuesday, computer scientists at George Washington University are expected to unveil a system named Scantegrity, which uses optical scan ballots, invisible ink and a “fool-proof” confirmation code-based method for voters to ensure their ballots are counted correctly.

Although Rice’s Wallach favors optical-scan ballots as the best available technology, both he and Kiayias said there’s no reason why better electronic voting machines couldn’t be part of more trustworthy election processes in the near future.

One prototype built from scratch in Wallach’s lab, dubbed VoteBox and written with Java code that has already been released over the Internet, allows a suspicious voter to challenge it on the spot and require the machine to prove that it’s generating accurate votes. If not, Wallach said, the computer delivers the ultimate electronic mea culpa: the equivalent of a signed confession.

© 2009 msnbc.com

