Researchers have published a paper detailing a new attack method that can be leveraged to silently modify the digital ballots used in the Internet voting process.
In Estonia, people have been able to vote over the Internet since 2005, and the United States has also conducted some tests over the past years. Online voting was used in Alaska in 2012 and 2014, and in New Jersey in 2012 because of the impact of Superstorm Sandy. Washington D.C. also developed a system in 2010, but the project was abandoned after it was hacked by researchers.
One of the proposed voting systems involves digital ballots in PDF format. People fill out the forms and send them via email to a specified address. The ballots are printed and counted by hand or with an optical scanner. This type of mechanism is currently used in Alaska, but it was also used in New Jersey and in Washington D.C. as a fallback system.
Attack description and implementation
According to Daniel M. Zimmerman and Joseph R. Kiniry, researchers at Galois, Inc., this type of mechanism is vulnerable to several types of attacks. Malicious actors can use malware to modify or invalidate votes, and third parties can pose as the legitimate election authority or they can launch DDoS attacks against the organization to prevent votes from being cast.
However, the attack described by the researchers occurs at the transport level and involves compromising the targeted users’ routers. The method they presented in their research paper allows the attacker to change the vote after the ballot has been sent via email to the election authority. The attack is dangerous because it is difficult for both the voter and the election authority to detect.
In order to modify the vote cast by the user without invalidating the file, the attackers must change certain strings within the PDF. Successful tests have been conducted on several popular PDF viewer applications, such as Adobe Acrobat Pro XI, Apple Preview, Google Chrome, Gmail (on all browsers), Mozilla Firefox, Safari and Skim.
The PDF documents are not tampered with while they are stored on the victim’s computer. Instead, the attack is carried out by modifying one or more TCP packets of the email attachment after it’s sent by the user’s email client and before it reaches the election authority.
The researchers achieved this by changing the firmware on the victim’s wireless router. For their tests, they selected an off-the-shelf home router.
“Nearly all such routers on the market today are based on embedded versions of the Linux operating system and therefore, in accordance with the GNU General Public License, the source code for their firmware is freely available,” the researchers explained.
They downloaded the source code for their test router’s firmware and made a small modification (less than 50 lines of code) to the part of the kernel that handles packet transmission. The new firmware behaves very much like the original one. The only differences are slower TCP connections on the standard email submission ports (25 and 587), and the fact that certain sequences of bytes sent to these ports are replaced with different sequences.
Researchers believe it would take a detailed inspection of the compiled code or a detailed analysis of the router’s traffic handling to notice that the firmware is not genuine. Performance is negatively impacted, as the TCP connections to these ports are 25% slower, but the experts argue that users don’t usually monitor the speed of their outgoing messages when using email clients.
In order to get the modified firmware on the targeted router, an attacker can leverage one of many vulnerabilities, such as the recently disclosed flaw affecting ASUS routers. Another way to install the malicious firmware is to drive around in a neighborhood and gain access to network connections and router administration interfaces by leveraging the fact that many users set easy-to-guess passwords and don’t change the default credentials, researchers said.
The researchers have suggested three possible mitigation strategies: signing or encrypting the PDF file before it’s sent to the election authority, encrypting the connection to the SMTP server, and more secure router firmware update mechanisms.
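The first of those mitigations is the simplest to reason about: if the voter seals the exact bytes of the ballot before it leaves the machine, any byte substitution on the wire, however carefully it preserves the PDF's structure, fails verification at the election authority. The following is an added example written for this article, not code from the Galois paper or from any election system. It assumes a per-voter shared key so that an HMAC-SHA256 tag can stand in for the digital signature the researchers recommend; the ballot bytes are a constructed, minimal PDF-like form with one AcroForm field, and the "in transit" edit mirrors the paper's description of a same-length byte swap that keeps the file opening normally in viewers.

```python
"""
Integrity check for an emailed PDF ballot (added illustration, not the paper's code).

Assumption: voter and election authority share a per-voter key, so an
HMAC-SHA256 tag stands in for a real digital signature over the PDF.
"""
import hashlib
import hmac
import re

# Constructed sample: a minimal PDF-like ballot with a single text field.
# The AcroForm field value /V (...) is what a hand count or scanner reads.
BALLOT = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [3 0 R] >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /FT /Tx /T (choice) /V (Candidate A) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
    b"%%EOF\n"
)

# Constructed per-voter key; a real deployment would use signing-key material.
VOTER_KEY = b"demo-key-not-for-real-use"


def seal_ballot(pdf_bytes: bytes, key: bytes) -> str:
    """Voter side: tag the exact bytes that will be attached to the email."""
    return hmac.new(key, pdf_bytes, hashlib.sha256).hexdigest()


def verify_ballot(pdf_bytes: bytes, tag: str, key: bytes) -> bool:
    """Authority side: recompute the tag over the received bytes and compare
    in constant time. Any change to the attachment in transit fails here."""
    expected = hmac.new(key, pdf_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def field_value(pdf_bytes: bytes, name: bytes) -> bytes:
    """Return the /V value of the named text field, i.e. the recorded vote."""
    m = re.search(rb"/T \(" + re.escape(name) + rb"\)\s*/V \(([^)]*)\)", pdf_bytes)
    if m is None:
        raise ValueError("field not found")
    return m.group(1)


def same_length_swap(data: bytes, old: bytes, new: bytes) -> bytes:
    """Test helper that simulates the transport-level edit described above:
    one byte sequence replaced by another of equal length, so object offsets
    stay consistent and the file still opens in viewers."""
    if len(old) != len(new):
        raise ValueError("replacement must preserve length")
    return data.replace(old, new)


def demo() -> dict:
    """Seal the ballot, simulate the in-transit swap, and verify both copies."""
    tag = seal_ballot(BALLOT, VOTER_KEY)
    tampered = same_length_swap(BALLOT, b"Candidate A", b"Candidate B")
    return {
        "original_ok": verify_ballot(BALLOT, tag, VOTER_KEY),
        "tampered_ok": verify_ballot(tampered, tag, VOTER_KEY),
        "original_vote": field_value(BALLOT, b"choice"),
        "tampered_vote": field_value(tampered, b"choice"),
        "same_size": len(BALLOT) == len(tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `same_size` result is the point of the paper's observation that the file is not invalidated: the tampered ballot is byte-for-byte the same length and parses identically, so the authority has nothing structural to flag and only the cryptographic check over the original bytes reveals the change. With a real signature the tag would be verifiable without a shared secret, but the verification logic at the authority is the same.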
“The overall conclusion is inescapable: unencrypted PDF ballots sent via electronic mail can be altered transparently, potentially with no obvious sign of alteration, and certainly with no way to determine where on the network any alterations took place or the extent to which votes have been corrupted. This method of vote submission is inherently unsafe, and should not be used in any meaningful election,” the researchers wrote in their paper.
In Estonia, over 100,000 people used the Internet to cast their votes at the European Parliament elections in May 2014. Just two weeks before the vote, security researchers warned Estonian authorities that the system contained serious vulnerabilities which could be tempting for a state-level actor such as Russia. However, the country’s electoral commission dismissed the reports, claiming they were confident in the system’s security.