Hacking the Election With Online Voting

This article was originally published in the Spring 2016 edition of Eureka!

Imagine it's the 2032 election and you've just woken up on a bright November 2. You check your smartphone, noticing that today happens to be Election Day. Following several quick Internet searches, you learn the stances of the three major candidates: Robama, a left-leaning robot created in the image of the 44th president, jockeying to be the first Robot-American President of the United States; a paper cutout of Ronald Reagan who, after cutting himself in half to symbolize the tax cuts he is proposing, stitched himself back together to prove just how well suited he is for rebuilding America; and the ghost of Steve Jobs who, after becoming bored of the afterlife, decided to pursue a career in politics as a third-party candidate.

After several minutes of studying your choices, you cast your vote with the tap of a button from the comfort of your own home. You remember that this system was piloted in the 2030 midterm elections to great effect and that the 2032 election will be the first American election to be held entirely online, the Netherlands having already completed the world's first fully digital election in 2026. Sounds cool, doesn't it? But is online voting really secure? As it turns out, there are three simple attacks that could tip the scales of this landmark election.

The first method of rigging the election is just a simple phishing attack: send out a bunch of fraudulent emails, linking everyone to your Totally Legit Polling Page™ where they can vote for the candidate you most agree with. Don't believe this can work? Of the 320 million people in the United States, about 30 million of them each year fall for This One Trick so Simple, It'll Blow Your Mind! Phishing Emails are one of the largest markets in the world of cybercrime. Just think how bad it could become when these people go from selling you fake penis pills to electing the leader of the free world. And who's to say that it would stop at the script-kiddie cybercriminals? Wouldn't it be in the best interest of [insert enemy of freedom and bald eagles here] to control the outcome of the election? Online voting makes this process so easy, you could rig the election from the comfort of your kitchen.

“But my phishing website wouldn't have the little green lock, indicating that it's a secure connection to a trusted website! You're a dumb idiot head!” you might say. First of all, “dumb idiot head”? That's all you could come up with? Secondly, I would like to point you to the Superfish incident, which was when Lenovo gave themselves the ability to intercept and rewrite the contents of webpages sent over a secure connection. What Superfish did was execute what is known as a Man-in-the-Middle attack.

You can think of a MITM attack as someone cutting the string between the two tin cans you call an internet connection and attaching their own tin can, allowing them to listen in and impersonate you or the other end. “But Superfish had to already be installed on your computer!” you might reply. Just a few months ago, Symantec—one of the companies your computer, smartphone, tablet, and refrigerator implicitly trust to vouch for the authenticity of websites (known as a Certification Authority, or CA)—fired three employees who issued fake certificates for Google, allowing these employees to pretend they are Google and have the green padlock next to the address bar.

These employees never got away with anything, but security researchers discovered in 2011 that the CA DigiNotar had been breached and fake certificates for Gmail were being used in the wild to transparently spy on an estimated 300,000 Iranians. The researchers dubbed this incident “Operation Black Tulip.” If Google—one of the most securely designed websites on the internet and with whom you trust your internet search history, browser history, bank account information, and a million other things—can be impersonated, what can we say about the lowest bidder?

These two attacks come before even considering the implementation of the actual election website itself. The reason this “independent” contractor was able to give the government such a low price might have been because they weren't as independent as you thought. There is simply no guarantee that your vote is even counted after you press the button.

In the end, all that is going to happen is the Totally Independent Polling Website™ is going to tell us that the winner wasn't Robama, Paper Cutout Reagan, or even Spooky Steve Jobs, but it was the company's owner who was running as a write-in candidate. And look: they've got all of the vote records to verify it. It's too bad that voting is a completely anonymous process, or else you would be able to question these voters as to who they actually voted for.

Really? Your complex election rigging system was for nothing all because the people hired to count the digital ballots were rigging the election themselves? Too bad; that's politics.

That isn't to say these are the only problems with online voting. There are so many other problems, you could cover one method per week and have enough content to last for years. In fact, there are countless articles on why you shouldn't even trust the electronic ballot boxes which are already in widespread use today. The difference is that with physical voting, we have literally had thousands of years and millions of elections to devise, use, and defend against nearly every voter-fraud trick in the book.

Now days, physical voter fraud is so difficult and inconvenient that even when it does happen, the effect on the overall election is miniscule. But when you can change millions of votes in real time, as they happen? This is an advancement on such an unprecedented scale that nobody is even equipped to begin to combat it. So next time someone comes to you claiming that they've “solved online voting,” think of how to break it; because if even you can imagine how to break it, just think what governments and companies with billions of dollars invested in the outcome can do.