Wednesday, February 22, 2012

Report: DC Big Internet Voting System Failure

Small coding mistake led to big Internet voting system failure
February 22, 2012 - The main security weakness that let University of Michigan researchers take control of a pilot Internet voting system planned by the city of Washington, D.C., for overseas voters in 2010 was "a tiny oversight in a single line of code," the researchers say in a new paper detailing their exploits. City officials canceled the pilot shortly before the November election after the hack was revealed.

It's evidence, say the researchers, led by Assistant Professor J. Alex Halderman, that Internet voting should be postponed until major new breakthroughs in cybersecurity occur, if they ever do. Mistakes like the one they exploited are all too common, hard to eradicate, and indicative of a brittleness in web applications, they say. Seemingly trivial errors can result in attackers gaining system dominance and, in the case of an Internet voting system, controlling the outcome of an election.

Responding to a call by Washington, D.C., election officials for outsiders with no previous access to test system security, Halderman and his students penetrated the pilot system within 48 hours of it going online. Their successful attack went undetected for another 36 hours, they say, despite the fact that they left a calling card: they made the vote confirmation screen play the University of Michigan fight song after 15 seconds. Even then, detection came not because D.C. officials spotted anomalies in intrusion detection system logs, or even stumbled on the fight song itself, but because someone on a mailing list monitored by the city asked, "does anyone know what tune they play for successful voters?"
