'Major security hole' could allow attacker to read, change votes...
By Brad Friedman on 3/23/2015, 6:05am PT  

Another new Internet Voting system, another major vulnerability to massive election fraud discovered along with it. This time in Australia, as reported by ABC:

A "major security hole" that could allow an attacker to read or change someone's vote has been discovered in the New South Wales online iVote platform, security experts say.

The iVote system allows people to lodge their votes for Saturday's state election online, instead of visiting a physical polling station.

It aims to make voting easier for the disabled or for people who live long distances from polling booths.

However computer security researchers said they found a critical issue and alerted the NSW Electoral Commission on Friday afternoon.

The commission said the problem was fixed over the weekend and it expected 200,000 people would use the system in the lead up to the election.

Well. If the people who run it said it was fixed, why worry? (Just because they also said it was secure in the first place? Silly you.)

"Just because they've patched this particular bug that they've been specifically notified of does not mean that they've fixed the fundamental questions around the security and verifiability of the system," said University of Melbourne's Vanessa Teague, who discovered the security vulnerability. "If anything the existence of this one particular bug serves to bolster the argument that these kinds of bugs are probably inevitable in these kinds of systems"...

"We've been told repeatedly that votes are perfectly secret and the whole system is secure and it can't be tampered with and so on, and we've shown very clearly than that's not true - that these votes are not secret and they can be tampered with," Ms Teague said.

She said the attack could allow another person to either read, or even manipulate a vote, before it was sent to the electoral commission's servers.

"The analogue would be pulling someone's postal vote envelope out of the post, pulling out their vote and finding out how they intended to vote and then putting a different ballot in instead," Ms Teague said.

"The point of course with the electronic equivalent is that an attacker wouldn't necessarily need to be in New South Wales to do this and they could potentially do this in an automated way to a very, very large number of votes."

Ms Teague said the voter would be unaware their vote had been changed.

The Chief Information Officer with the NSW Electoral Commission offered this unfortunate quote to the ABC: "We are confident however that the system is yielding the outcome that we actually initially set out to yield," before adding: "and that is that the verification process is not telling us any faults are in the system."

The ABC also notes that "The computer code of the iVote platform is not open source and is not available broadly for security experts to review."

Other than that, sounds like a fantastic idea!

We've written about so many Internet Voting disasters over the years, along with scientifically supported reasons why it can never be done safely or verifiably, that we'll just summarize by sharing this quote from our 2013 article about L.A. County's plans for a new voting system which, while set to be 100% unverifiable after an election, as currently planned, at least does not include Internet Voting, according to our interview at the time with Los Angeles County Registrar-Recorder/County Clerk Dean Logan:

We have long detailed the madness of Internet Voting. Among our coverage, we've documented a number of disastrous attempts at Internet Voting systems and the many dangers they pose to security and oversight, as well as the warnings against them by computer science and security experts, and Election Integrity experts.

One need only look back to Washington D.C.'s disastrous experiment in Internet Voting, which almost went live in 2010 for overseas and military voters. The plans to use the system were scrapped at the last minute after it was hacked and completely taken over by "white hat hackers" (University of Michigan computer students and their professor), who had gained such total command of the system in mere hours that they were not only able to change every vote already cast on it during a mock election, but inserted a script into the system to change all future votes invisibly as well. They even modified all of the system's main passwords to thwart similar attempts to hack the system that they discovered to be ongoing by computers from both Iran and China.

There have been many other disasters in Internet Voting --- from a 2012 online Canadian election attacked by some 10,000 computers, to a 2012 CA State University student body election that was hacked by one of the candidates in order to gain control of an annual salary and the student government's $300,000 budget, to this year's embarrassment by the Academy of Motion Picture Arts and Sciences which attempted to use Internet Voting for the first time this year, to disturbing and questionable effect.

The non-partisan election integrity group, VerifiedVoting.org posted a "Statement on the Dangers of Internet Voting in Public Elections," signed by nearly a dozen top computer science and security experts with backgrounds in electronic voting systems. The letter explains that "Cyber security experts at the National Institute of Standards and Technology and the Department of Homeland Security have warned that current Internet voting technologies should not be deployed in public elections," as they "cannot be properly protected and may be subject to undetectable alteration."

* * *
Please help support The BRAD BLOG's fiercely independent, award-winning coverage of your electoral system and much more --- now in our TWELFTH YEAR! --- as available from no other media outlet in the nation...


Choose monthly amount...

(Snail mail support to "Brad Friedman, 7095 Hollywood Blvd., #594 Los Angeles, CA 90028" always welcome too!)

Share article...