"The SERVE system has all of the problems that electronic touchscreen voting systems have: secret software, no protection against insider fraud and lack of voter verifiability," says Jefferson. "But it also has a host of additional security vulnerabilities associated with the PC and the Internet, including denial-of-service attacks, automated vote buying and selling, spoofing attacks and virus attacks."
As currently implemented, certain members of the U.S. Armed Forces, the Merchant Marines, the Public Health Service and the National Oceanic and Atmospheric Administration, as well as U.S. citizens living abroad, are eligible to vote using SERVE. Such voters can go to the SERVE Web site using a Windows-based computer connected to the Internet and cast their ballots.
After studying the prototype system, however, the four researchers said it would be too easy for a hacker, located anywhere in the world, to disrupt an election or influence its outcome by employing any of several common types of cyber-attacks:
- A denial-of-service attack, which would delay or prevent a voter from casting a ballot through the SERVE Web site.
- A "Man in the Middle" or "spoofing" attack, in which a hacker would insert a phony Web page between the voter and the authentic server to prevent the vote from being counted or to alter the voter's choice. What is particularly problematic, the authors say, is that victims of "spoofing" may never know that their votes were not counted.
- Use of a virus or other malicious software on the voter's computer to allow an outside party to monitor or modify a voter's choices. The malicious software might then erase itself and never be detected.
"Voting in a national election will be conducted using proprietary software, insecure clients and an insecure network," says Simons, a former IBM Research Staff Member and a past president of the Association for Computing Machinery. "Congress and the Department of Defense should understand that providing soldiers with an insecure system on which to vote is not doing them any favors."
The full security analysis of the SERVE system can be viewed online at http://www.servesecurityreport.org. For detailed information about the SERVE system, including a list of participating states and counties, go to http://www.serveusa.gov/public/aca.aspx.
Source: THE JOHNS HOPKINS UNIVERSITY OFFICE OF NEWS AND INFORMATION
