Halderman was the star of an October 8 oversight hearing, where he dropped additional bombshells. From the start, his team had control of the network infrastructure for the pilot project. The routers and switches still used the default master password printed in the owner's manuals, which had never been changed; with it, the team gained control of the infrastructure and obtained an alternative way to steal votes in a real election. Control of the network also enabled the team to watch network operators configure and test the equipment. When they discovered that a pair of security cameras in the BOEE data center was connected to the pilot system and unprotected, the team used the cameras to watch the system operators. As proof, Halderman brought some security-camera photos to the hearing. Halderman even discovered a file used to test the system that consisted of copies of all 937 letters sent to real voters. The letters included voter names, IDs, and the 16-character PINs used for authentication in the real Internet election. While the team could already change voter selections, the inclusion of unencrypted PINs in a file used for testing demonstrates that the BOEE did not understand the fundamental principles of computer security: the PINs would have allowed the team or any other intruder to cast ballots for actual voters. Finally, Halderman found evidence of attempted break-ins that appeared to come from China and Iran. Since the attempts involved trying to guess the network logins, the Michigan team changed the previously unchanged defaults (user: admin, password: admin). Whether or not they were intentionally directed at the D.C. voting system, the attempts showed how dangerous the Internet can be, with sophisticated adversaries from around the world constantly trying to break in to systems.

Figure 1. The rigged District of Columbia ballot.
Implications of the attack. The D.C. incursion illustrates how Internet voting can be attacked from anywhere. Most complex software systems have an abundance of vulnerabilities, and an attacker needs to exploit just one. Moreover, all attacks except those specifically targeting the designated BOEE election network were out of bounds in the pilot test. Examples of disallowed attacks included client-side malware; denial-of-service attacks; attacks against ISPs; and DNS, routing, and other network attacks. Attackers in a real election would not have felt bound by such constraints. Once the Michigan team had changed all the votes, it was impossible for D.C. officials to reconstruct the original ballots. In a close race, attackers might control the outcome without risk of detection. It took more than a day for D.C. officials to realize their system had been successfully attacked, despite the musical calling card. By the time officials discovered the attack, it was too late to recover from it.
The BOEE had intended to accept voted ballots over the Internet. If there had been no pilot test, or if the Michigan team had not participated, members of the military and civilians living abroad who vote in Washington, D.C. would have been voting over a highly vulnerable system. The BOEE did the right thing (for a municipality determined to deploy Internet voting) by setting up a public test. It also learned an important lesson from the test and ultimately canceled the Internet-ballot-return portion. Voters were instead allowed to download blank ballots from the Web and print and return them by postal mail. Unfortunately, other states have not been as responsible. In the upcoming 2012 U.S. election, 33 states will allow some kind of Internet voting, including at least one Web-based Internet pilot project, and the return of voted ballots over the Internet through email attachment or fax, without first