Dan Zimmerman and Joe Kiniry
Election Day was this week. If you took advantage of early voting, or you live overseas, you probably used a paper ballot you received in the mail a few weeks ago. A digital alternative, being considered across the USA, is voting-by-email.
To vote using email (Fig. 1), you download and fill out a ballot on your computer and then email it back to election officials. Sending an email is meant to be like putting your vote into a ballot box.
This kind of system would be convenient for voters and officials as it ensures ballots are filled out properly, permits disabled voters to vote independently, and ballot counting is quick and accurate (Fig. 2).
Unfortunately, this idea has serious security flaws: It permits a single hacker to remotely manipulate the outcome of any election.
When you download a file—like a ballot—or send an email—such as a vote—your data flows through many untrusted computer systems (Fig. 3). For example, your ballot can be intercepted on the way to you, viruses on your computer can manipulate your vote without your knowledge, or your vote can be modified while on its return trip to the government. Any of these attacks can change the outcome of an entire election, since the hacker can control ballot distribution, vote choice, and ballot submission.
This is not just a theoretical danger. At Galois, we have demonstrated that a normal wireless router—like the one your ISP installed in your home, or that you bought and installed yourself—can be taken over from anywhere in the world. By tweaking your router’s software, your and your family’s votes are silently changed after they leave your computer and before they reach election officials. What’s more, there is no trace of foul play, and the attack can be automated. For example, hackers could target a critical number of voters supporting a particular candidate in a close race, thus tipping the election whichever way they—or their customers—want.
Despite its presumed benefits, voting by email is deeply flawed. Our demonstration only took a few days to develop, and is very difficult to detect, even for security experts. Printing a ballot and mailing it through postal services, or putting it in a ballot drop, is still the most secure and reliable solution for early and absentee voting.
Links to the video about this work:
PDF version of this post: