Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren’t where they should be.
Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called “Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering” that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify the ballot before sending it along to an election authority.
PDF ballots have been used in Internet voting trials in Alaska, and in New Jersey as a voting alternative for those displaced by Hurricane Sandy. The ballots are downloaded, filled out and emailed; the email is equivalent to putting a ballot into a ballot box. Election authorities then either print the ballots and count them by hand, or count them with an optical scanner.
The Galois attack is by no means the only attack that threatens Internet voting; malware on a voter’s machine could redirect traffic or cause a denial-of-service condition at the election authority. But the attack described in the paper is certainly a much quieter one that the researchers say is undetectable, even in a forensic investigation.
“We describe a more subtle attack at the transport level, which changes the raw data traveling through the electronic mail system between the voter’s computer and the election authority,” Zimmerman and Kiniry write in their paper.
The attack relies on a hacker first replacing the embedded Linux firmware running on a home router. This aspect of their attack required fewer than 50 lines of code to alter the kernel code that handles transmission of packets on the network device. A new firmware, which they claim is indistinguishable from the manufacturer's firmware, is then loaded. The only changes it introduces are subtle: TCP connections on email ports 25 and 587 are slower than with the original firmware, and the bytes sent to these ports are different.
The new firmware is installed by taking advantage of any number of known vulnerabilities, including problems with UPnP, exploits that allow admin-level backdoors, or weak or known default passwords. On the router used in this attack, firmware updates are done via an unprotected FTP connection. The router does perform an MD5 comparison of the firmware, but the researchers were able to circumvent that check.
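Because the modification described above happens to the bytes in transit, the receiving side can only notice it if the ballot carries an end-to-end integrity tag that a device on the path cannot recompute. The following sketch is an added example, not code from the Galois paper or from any election authority: it shows the receiving-side check with an HMAC over the PDF attachment. The `X-Ballot-MAC` header name, the per-voter key (assumed to be provisioned out of band) and the sample data are all hypothetical.

```python
import hashlib
import hmac
from email import message_from_bytes, policy
from email.message import EmailMessage

TAG_HEADER = "X-Ballot-MAC"  # hypothetical header name, not a standard


def ballot_mac(key: bytes, pdf: bytes) -> str:
    """HMAC-SHA256 over the exact attachment bytes."""
    return hmac.new(key, pdf, hashlib.sha256).hexdigest()


def compose(pdf: bytes, tag: str) -> bytes:
    """Serialize an e-mail carrying the PDF ballot and a MAC header."""
    msg = EmailMessage()
    msg["From"] = "voter@example.org"        # constructed addresses
    msg["To"] = "ballots@example.gov"
    msg["Subject"] = "Completed ballot"
    msg[TAG_HEADER] = tag
    msg.set_content("Ballot attached.")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="ballot.pdf")
    return msg.as_bytes()


def verify(raw: bytes, key: bytes) -> bool:
    """Election-authority side: recompute the MAC over the received PDF."""
    msg = message_from_bytes(raw, policy=policy.default)
    claimed = str(msg.get(TAG_HEADER, "")).strip()
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            expected = ballot_mac(key, part.get_content())
            return hmac.compare_digest(expected, claimed)
    return False  # no ballot attachment: reject


# Constructed sample data: a per-voter key (assumed to be provisioned
# out of band) and two stand-in "PDF" byte strings.
KEY = b"constructed-per-voter-secret"
SENT = b"%PDF-1.4\n% constructed sample ballot\nchoice=A\n%%EOF\n"
ALTERED = SENT.replace(b"choice=A", b"choice=B")

if __name__ == "__main__":
    tag = ballot_mac(KEY, SENT)
    print("delivered unchanged:", verify(compose(SENT, tag), KEY))
    print("attachment altered :", verify(compose(ALTERED, tag), KEY))
```

A check of this kind covers only changes made between the voter's computer and the election authority; it does not help if the voter's own machine is compromised, the other threat the article mentions.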