The District of Columbia created an electronic system to make it easier for overseas and military voters to cast ballots over the Internet. I want to point out that this is not some complicated electronic voting system; it is very simple:
The voter goes to a website and gets a PDF file of the ballot. They can do one of two things: print out the ballot, mark it by hand, and send it back by regular mail, OR they can vote directly on the PDF file and then send it back electronically. The only part that needs to be secure is the part where they transfer their ballot file back to the server. Transferring files securely is something that is done all the time, so this should be easy, right?
So confident were the DC officials that their system was secure, they decided to have a test period and invite people to try to hack into it. That was their big mistake.
An assistant professor at the University of Michigan, along with a couple of grad students, decided to take the challenge. The result? In less than 36 hours, they broke into the system, replaced all the ballots, and installed a “back door” that would allow them to see and modify any ballots cast on the system. And for fun, they installed an easter egg that played the University of Michigan fight song after the voter submitted their ballot.
Now here’s the ironic part. Despite the fact that the hackers were not trying to hide their attack, and that the DC system administrators had systems in place to detect any attack, the successful takeover of the voting system was not detected. In fact, the administrators only found out about it (after two days) because test voters reported hearing the UM fight song.
In other words, it was trivial to take over this supposedly secure voting system and, without detection, change enough votes to change the results of an election. Just imagine what an organization that actually wanted to throw an election could do.
As a result, the DC Board of Elections and Ethics has announced that they will not proceed with a live deployment of their system in a real election. Whew, I guess we dodged that bullet, right?
Well, not quite. That was just DC. According to the NY Times, 33 states will allow overseas and military voters to cast ballots over the Internet in the upcoming November election. A real election. With no test period. That’s millions of votes that can easily be hacked. D’oh!