Mind your surroundings: Security concerns with Online Voting, outside the system
@InternetNZ is currently running a consultation on what their position on Online Voting should be. This post is inspired by a discussion (login required) around the threats that apply independent of any particular online voting system.
For context, New Zealand is considering trialling online voting as an alternative option to run alongside postal voting for the 2019 local authority elections.
What follows are two things:
- The beginning of a catalogue of the security issues relevant to online voting, excluding any that apply to the online voting system itself
- A collection of scenarios in which those security issues could be used to attack an election in various ways.
Here are some objectives an attacker could have:
- Change the outcome of a close election
- Determine how people voted (whether specific people, or everyone)
- Change the vote of a specific voter (example: imagine I want my choice to win but can only influence people in my house)
And here are some strategies that an attacker might adopt to achieve their aims:
- Delay the vote to an advantageous time
- Prevent or discourage critical voters from voting
- Change a number of critical votes
- Submit what look like plausible votes
What are some things an attacker could do without attacking the system itself to achieve their aims?
1. Target the voter with false information
Trick a voter into compromising their computer, or believing they have already voted. This could be achieved in the following ways:
- Sending an official looking email with vote.exe attached to it, asking the voter to install the program so they can vote.
- Sending an email with a link to a lookalike copy of the voting system, and encouraging the voter to use it. The voter could be tricked into providing their credentials to this system, granting the attacker free rein to cast a vote with the official system using those credentials.
- Advertising to voters via Facebook to trick them to visiting a fake system and inputting their credentials.
2. Target computers used for voting (personal or public)
A large portion of the computers in use by voters today have been compromised, or are compromisable. A targeted attack could take advantage of this in a number of ways:
- Viruses/trojans — malicious software that can manipulate almost any aspect of a computer, including changing the appearance of the online voting system, or changing the information sent, or recording it for the attacker
- Browser extensions/plugins, if installed, can modify web pages or change/record information sent.
- Operating system/application updates — most operating systems and many applications update automatically, and hijacked or poorly authenticated update channels have been used before to install viruses or trojans.
- Installing a keyboard sniffer — a device or software that records what keys have been pressed on a computer — could be used to record votes or steal credentials.
Smart phones can also be compromised by viruses or trojans, and many smart phones are not automatically patched for security vulnerabilities.
3. Target home/office networks
Once a vote leaves a computer at home or in the office, it must travel through the network at that location before heading out to the Internet. These networks are often easily compromised, and in some cases the attacker is already present at the location.
- Modem/router compromise — broadband connections are often supplied with a modem or router which is then ignored by the user. Rarely patched, these devices often have security bugs which can be exploited to manipulate or record traffic coming to or from the home or business.
- Wireless access point compromise — access points can be compromised to allow the attacker to read or change traffic on the network. In some cases, this could be done knowingly by the person who set the access point up, leaving everyone who uses the home/office network vulnerable.
- Appliances — many in-home smart devices now have some form of network connectivity. These devices are rarely updated, can be easily compromised, and then used to sniff network traffic or attack computers or phones.
4. Target public wifi
Many people use public wifi, which is highly susceptible to attack.
- Wireless access point compromise — like with home/office networks, APs can be compromised to allow attackers to read or change traffic on the network. With a larger number of users, this attack could be more valuable, especially if the access point was a popular one (e.g. in a library)
- Interception of traffic — some public wifi services are not encrypted at all, exposing all traffic by users. Others only have very weak encryption.
- Trojan APs (also called evil twins) — attackers can set up access points with the same name as valid ones. Phones and laptops that have joined the real one before will connect to the fake automatically, and the attacker can then record or redirect traffic as they see fit.
5. Target corporate networks
Corporate networks can have hundreds, if not thousands of users.
- Firewall/proxy/switch compromise — corporate networks can and do have their border or network systems compromised, which can allow interception, recording or manipulation of traffic on that network.
- TLS interception (often labelled deep packet inspection) — some corporate proxies deliberately terminate HTTPS connections using a certificate authority installed on staff machines, so that encrypted traffic can be inspected. Votes then exist in plaintext on the proxy, exposed to anyone who compromises it and to the IT staff who run it.
6. Target cellphone towers and networks
People could vote using 4G or similar technologies, which could make attacking this infrastructure attractive to the right attacker.
- Interception — much like wireless, cellphone signals can be intercepted and decrypted. This is far harder but within reach of governments.
- Trojan towers — fake cellphone towers can be set up to provide unwitting phones with service that can then be recorded or manipulated.
- Network infrastructure — cellphone networks have standard network infrastructure which can be compromised to manipulate or record traffic.
7. Target major ISPs, peering exchanges
Attacks on ISPs or exchanges are likely only within reach of nation state actors or hostile employees, but would allow influencing a far greater proportion of the vote than previous targets.
- Compromise of key equipment — Traffic from the voter to the voting system will pass through upwards of 10 different devices on the way. These devices, or the cabling between them, can be compromised or spliced to gain visibility of or manipulate traffic.
- Routing manipulation — Internet providers often have multiple ways to get data from A to B, some of which go via other countries. Targeted attacks could result in voter traffic being sent via other countries, where compromised devices may wait.
- Denial of service attacks — Service providers are vulnerable to attacks designed to clog up network connections or force equipment or software to fail, preventing voters from communicating with the voting service.
The previous section listed some examples of tactics that could be used to manipulate an election. Here are some scenarios where those tactics could be used.
Chris wants to know how Jenny voted
Chris and Jenny are in a relationship. Chris is abusive and controlling, and wants to know how Jenny voted. Despite Jenny voting using her smart phone in private, Chris previously compromised the home wifi network and can read Jenny’s traffic. If the voting site uses HTTPS, that alone tells him that she voted and when; to see the vote itself he also needs her phone compromised or a certificate she has been tricked into trusting, and a controlling partner with access to her phone can arrange either.
This scenario can play out already with a paper ballot and the number of votes influenced is likely small. It is listed to demonstrate that moving the vote online doesn’t solve the secrecy problem within the home.
A library is compromised by a local hacker
Zhang is a young hacker who hasn’t yet learned the danger of his craft. He installs a keylogger on a library computer, and hacks the library’s wifi so he can see what other library users are visiting on the Internet.
The library has no idea they have been hacked, so Zhang has access to the system for weeks. In that time, Zhang sees traffic to the voting system on the wifi, and uses the keylogger on the library computer to capture the credentials and choices typed into it. A hacker who controls a device between the voter and the voting system can see who is voting and when, and can read or change the votes wherever the connection’s encryption is absent, downgraded or bypassed; one who controls the computer the voter types into needs none of that.
This scenario may seem unlikely, however malicious citizen hackers exist and occasionally even get caught. It also demonstrates an escalation over the previous scenario: Zhang could access dozens of votes. We are already drifting into the kinds of “scale of attack” issues that are the hallmark of online solutions: how hard would it be for someone like Zhang to do a similar thing to the postal voting system without detection?
A systems administrator abuses their power
Samantha works at a well known New Zealand bank. She is deeply political and wants her choice of candidate to win. Using her insider access and privileged position in the network, she writes a program that changes all votes cast by bank computers to always choose her candidate.
Currently, mass-changing votes is nearly impossible for the general public. Gaining access to hundreds of ballots is difficult, and attempts to change already marked ballots will spoil them. The mere existence of an online voting system puts a small but skilled set of the public in unique positions of power, which they should never have.
A candidate wants to stuff the ballot box
Simon is a candidate who will do anything to win. He sets up an official looking clone of the voting system at a similar domain name, and gets a valid SSL certificate for it (a domain-validated certificate is issued automatically to whoever controls the lookalike domain, so the browser shows the padlock). He then places Facebook advertising targeting voters in his area, and uses his email database to send out emails to voters, directing them all to his clone system. Once a voter inputs their credentials, the system stores them, then tells the voter it is down for maintenance. Simon amasses hundreds of sets of credentials he then uses to place real votes in the official system.
Simon doesn’t have to have these skills himself — he can purchase them from unscrupulous suppliers in New Zealand or overseas. Setting up one website that looks like another is easy, as is grabbing official looking domain names that fool voters — i.e. the official system could be at elections.govt.nz but the fake could be at elections-govt.nz. Such an attack is impossible with postal voting, but with online, it moves into the realm of having enough money to execute, where the cost could be low enough for one person to fund.
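The lookalike-domain trick in Simon’s scenario (and the phishing links in section 1) can be partly caught on the defender’s side, for instance when watching new domain registrations or certificate transparency logs for names that imitate the official site. What follows is an added example, not code from the original post or from any real election system: a small classifier that, given a hostname a voter was sent to, folds common character substitutions, works out the registrable domain, and reports whether the name is the official site, embeds it, or merely resembles it. The official hostnames, the confusable map and the list of .nz second-level domains are assumptions for illustration.

```python
"""Classify a hostname against the official election site (added example)."""
from __future__ import annotations

import unicodedata
from difflib import SequenceMatcher

# Assumed official hostnames. The post uses elections.govt.nz only as a stand-in;
# these are not the addresses of any real voting system.
OFFICIAL_HOSTS = ("elections.govt.nz", "vote.elections.govt.nz")

# Digit/letter pairs and letter runs commonly swapped into lookalike names.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Labels that act as a second-level suffix under .nz (assumed, partial list).
NZ_SECOND_LEVEL = {"govt", "co", "org", "net", "ac", "school", "geek"}


def normalise(host: str) -> str:
    """Lower-case, drop a trailing dot, fold accents and common confusables.

    NFKD splits an accented Latin letter into base letter plus combining mark and
    the ASCII encode drops the mark. Letters from other scripts are dropped
    outright; what remains is then caught by the similarity check in classify().
    """
    host = host.strip().rstrip(".").lower()
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def registrable_domain(host: str) -> str:
    """Return the part of the name that a registrant actually controls."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-1] == "nz" and labels[-2] in NZ_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(host: str) -> str:
    """Drop dots and hyphens so elections-govt.nz and elections.govt.nz collide."""
    return host.replace(".", "").replace("-", "")


def classify(host: str, official=OFFICIAL_HOSTS, threshold: float = 0.85) -> str:
    """Return 'official', 'unrelated', or a 'lookalike: ...' reason."""
    official_regs = {registrable_domain(g) for g in official}
    raw = host.strip().rstrip(".").lower()
    if raw in official or registrable_domain(raw) in official_regs:
        return "official"
    folded = normalise(host)
    if folded in official or registrable_domain(folded) in official_regs:
        return "lookalike: confusable characters"
    # The official name used as a prefix of a domain someone else owns.
    for good in official:
        if folded.startswith(good + ".") or ("." + good + ".") in folded:
            return "lookalike: official name embedded in another domain"
    reg = registrable_domain(folded)
    for good_reg in official_regs:
        if skeleton(reg) == skeleton(good_reg):
            return "lookalike: punctuation swap"
        if SequenceMatcher(None, reg, good_reg).ratio() >= threshold:
            return "lookalike: typosquat"
    return "unrelated"


if __name__ == "__main__":
    for name in ("elections.govt.nz", "elections-govt.nz", "electi0ns.govt.nz",
                 "elections.govt.nz.example.com", "electionz.govt.nz", "vote.nz"):
        print(f"{name:32} {classify(name)}")
```

A check like this only finds the clone once its domain or certificate exists, which is after Simon has registered it and usually not before his emails go out; it narrows the window, it does not close it. The similarity threshold is a tuning choice: too low and every unrelated .govt.nz site is flagged, too high and a two-character swap slips through.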
A New Zealand based state or political actor wants to know how everyone voted
New Zealand’s security services decide that for national security reasons it is important to know who voted for whom. They can use access to peering exchanges/national fibre networks/ISPs (that they may have already) to intercept traffic to the voting system and record who voted for whom, without the voters or the voting system itself having any idea such interception occurred. This scenario may need to involve obtaining the private key for the voting system’s SSL certificate, a task not beyond state power. The key decrypts recorded traffic only where the connection did not use a forward-secret cipher suite; otherwise the interception has to be active, impersonating the voting system while each vote is cast, which the key (or a certificate from any authority the voter’s browser trusts) also allows.
It’s hard to see how this could ever happen with postal voting, but it’s possible for a nation state actor with many resources to attack an online system in this fashion. Our democracy might not have this fear now, but it could do in future, and an online system enables this without any need to have the nation state actor physically see the pieces of paper.
A foreign state actor wants to change the outcome of an election
It becomes pressing to a foreign government that a particular candidate becomes mayor of a large New Zealand city, in order to progress a key business deal or otherwise advance their interests. Using a combination of social media manipulation and a well-timed denial of service attack, they manage to suppress the turnout of the opposition candidate to the point the election result is changed.
Foreign actors have next to no influence on our postal voting system, yet unprecedented power and ability with an online system. The more votes the online system takes, the more appetising it is to attack the system. We’ve already seen this happen overseas, most recently with Russian interference in the US elections, and there’s no reason to think we’re somehow immune to it. There’s also no reason to think that a sufficiently powerful NZ-based actor wouldn’t have the capability to influence an election in this fashion either.
Differences from postal voting
Compared with postal voting, online voting:
- grants appropriately skilled members of the public unique opportunities to attack the vote
- grants malicious candidates opportunities to cheat to win
- grants nation-state actors unprecedented access to manipulate the results
- gets rapidly riskier as it takes a greater portion of the total vote
It does all this while providing no re-countable paper trail in the event of a dispute. In each of these cases, the online voting system will only ever see that “these IP addresses using these credentials cast these votes”. It has no way of knowing what manipulation has happened before the votes arrive.
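The one thing the system does see, the source address and credential behind each vote, can still be watched for the pattern Simon’s credential harvest leaves behind: many distinct credentials cast from one address in a short time. The following is an added example, not from the original post or from any real system; it runs a sliding time window over constructed log lines. The window and threshold are assumptions, and the caveat the post itself supplies applies in full: a library, a household behind one router or a corporate proxy legitimately shares an address, while an attacker with a handful of proxies or a botnet spreads the casts out, so this catches the careless version of the attack rather than the careful one.

```python
"""Flag many distinct credentials voting from one address (added example)."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data: timestamp, source address, credential id.
# 203.0.113.5 casts under five credentials in four minutes (the harvest scenario,
# including one retried credential); 198.51.100.7 is a two-person household;
# 192.0.2.9 is a shared address whose users vote half an hour apart.
SAMPLE_LOG = """\
2019-10-01T09:00:12Z 203.0.113.5 voter-1001
2019-10-01T09:00:40Z 203.0.113.5 voter-1002
2019-10-01T09:01:05Z 203.0.113.5 voter-1001
2019-10-01T09:01:33Z 203.0.113.5 voter-1003
2019-10-01T09:02:10Z 203.0.113.5 voter-1004
2019-10-01T09:03:48Z 203.0.113.5 voter-1005
2019-10-01T09:05:00Z 198.51.100.7 voter-2001
2019-10-01T09:06:00Z 198.51.100.7 voter-2002
2019-10-01T10:00:00Z 192.0.2.9 voter-3001
2019-10-01T10:30:00Z 192.0.2.9 voter-3002
2019-10-01T11:00:00Z 192.0.2.9 voter-3003
2019-10-01T11:30:00Z 192.0.2.9 voter-3004
"""


def parse(log: str):
    """Yield (timestamp, ip, credential) for each non-blank log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, cred = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, cred


def flag_clusters(log: str, max_distinct: int = 3,
                  window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {ip: peak distinct credentials} for every address that casts under
    more than max_distinct distinct credentials inside any span of length window.
    Both thresholds are assumed values for illustration."""
    by_ip = defaultdict(list)
    for ts, ip, cred in sorted(parse(log)):
        by_ip[ip].append((ts, cred))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {cred for _, cred in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(flag_clusters(SAMPLE_LOG))
```

Counting distinct credentials rather than requests means a voter who retries is not double-counted, and a retry of an already-used credential is itself worth a separate alert. Flagging is evidence for investigation, not grounds for discarding the votes: the system cannot tell a harvested credential from a legitimate one used at a library.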
This is why conversations around online voting can’t just think about the system itself. Even a perfect, hack- and DDoS-resistant system is being deployed into an environment we can’t control.
And finally, you might ask “I bank in that environment, how is voting different?”. With banking, every request is meant to be tied to a person, which makes auditing a lot easier (compare with voting where we want to ensure everyone votes once but that nobody can see how anyone voted). Also, banks will replace your money if you get hacked. They run large anti-fraud operations and can absorb the cost. Your money can be replaced, but if your vote is taken, how are you meant to get it back?