论文信息 - Attacking the Washington, D.C. Internet Voting System

Attacking the Washington, D.C. Internet Voting System

In 2010, Washington, D.C. developed an Internet voting pilot project that was intended to allow overseas absentee voters to cast their ballots using a website. Prior to deploying the system in the general election, the District held a unique public trial: a mock election during which anyone was invited to test the system or attempt to compromise its security. This paper describes our experience participating in this trial. Within 48 hours of the system going live, we had gained near- complete control of the election server. We successfully changed every vote and revealed almost every secret ballot. Election ocials did not detect our intrusion for nearly two business days—and might have remained unaware for far longer had we not deliberately left a prominent clue. This case study—the first (to our knowledge) to analyze the security of a government Internet voting system from the perspective of an attacker in a realistic pre-election deployment—attempts to illuminate the practical challenges of securing online voting as practiced today by a growing number of jurisdictions.

[1] Patrick Traynor,et al. Systemic Issues in the Hart InterCivic and Premier Voting Systems: Reflections on Project EVEREST , 2008, EVT.

[2] D. Jefferson,et al. Security analysis of SERVE 1 A Security Analysis of the Secure Electronic Registration and Voting Experiment ( SERVE ) , 2004 .

[3] Yvo Desmedt,et al. Exploiting the Client Vulnerabilities in Internet E-voting Systems: Hacking Helios 2.0 as an Example , 2010, EVT/WOTE.

[4] Aggelos Kiayias,et al. An Internet Voting System Supporting User Privacy , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[5] Eric Wustrow,et al. Security analysis of India's electronic voting machines , 2010, CCS '10.

[6] Ariel J. Feldman,et al. Security Analysis of the Diebold AccuVote-TS Voting Machine , 2007, EVT.

[7] Ben Adida,et al. Helios: Web-based Open-Audit Voting , 2008, USENIX Security Symposium.

[8] Dan S. Wallach,et al. Analysis of an electronic voting system , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[9] L. Cranor,et al. Security Considerations for Remote Electronic Voting over the Internet , 2002 .

[10] Alexander H. Trechsel,et al. Internet Voting in Estonia , 2008 .

[11] Andrew W. Appel,et al. The New Jersey Voting-machine Lawsuit and the AVC Advantage DRE Voting Machine , 2009, EVT/WOTE.