Paper published as pp.

255-266 in Informatik und Recht, Staempfli, Zürich, 2003

Protection against “internal” attacks on e-voting systems

Neil Mitchison
Cybersecurity sector
Institute for the Protection and the Security of the Citizen
Joint Research Centre,
European Commission, Ispra, Italy

The opinions expressed here are those of the author alone, and do not reflect the view of the
European Commission.

Introduction
In this paper we are going to look at the security implications of electronic voting,
more specifically of electors casting an electronic vote over the Internet from a computer
- typically the computer of the elector at home or at work, but in any event a computer
which is not under the physical control of the election officers.

Verification: the particular challenge of e-voting

For most human activities using computers, the obvious reply to most of the
security considerations raised in this paper would be to verify the results of the activity
concerned, by comparing the records of the computer system with the actual input: in this
case comparing the vote recorded with that cast. For a major election, a relatively small
sample of cases verified without problems would be sufficient to give very high
confidence in the results obtained. Thus, if, in an election with a million votes cast, 5000
of these votes were selected at random, and verified without showing up any problems,
one could have very high confidence that no attack mounted at random which distorted
the results by as much as 0.2% had been executed. (The confidence would be
approximately 99.995%.) And with the same sample verified, the chance of even much
smaller distortions passing unnoticed is poor: there would be a 91% chance of catching a
distortion of 0.05%, or 1 vote in 2000 having been modified.
However, straightforward verification is not compatible with the principle of the
secret ballot. There are two difficulties: firstly, in order to protect the elector from
improper pressures, the electoral system must not issue any proof of what vote was cast
which the elector could show to a third party (in the absence of such proof, even leaving
aside the possibility of deliberate abuse, the error rate of human memory would be
sufficient to cast doubt on the verification process); and secondly, the mechanism of
verification would surely involve someone other than the elector knowing what the vote
cast was.
At the end of this paper, a scheme is outlined which, given certain premises,
might be capable of overcoming both these difficulties, and providing reliable
verification without infringing the principle of the secret ballot.

Different traditions of control

An important difference between different electoral traditions is in the answer to

the question “who ensures the correct functioning of the system?” There appear to be two
broad traditions within Europe: in one, the electoral officials are assumed to be
trustworthy, so that the technical control of the electoral system can be left to them. (It is
not necessary for this model to assume that every electoral official is intrinsically
Paper published as pp. 255-266 in Informatik und Recht, Staempfli, Zürich, 2003

trustworthy, merely that there are enough checks and balances within the electoral office
that any wrongdoing would come to light.) In the second tradition, the control is carried
out by the political parties themselves, who are invited to place observers within the
electoral system.

On first appearances, the second system would seem to set the more severe
challenge in ensuring the security and confidentiality of a technological voting system;
but in fact the differences are not as great as they appear. In both cases, the mechanisms
for validating and counting the vote must ensure that no individual within the electoral
office can know the vote of an identified individual. Thus for example, if this
requirement is rigorously applied, even to systems programmers, it has consequences for
the computing architecture needed: it would seem to require a computing architecture
which separates out the voter-identification computing system from the vote-counting
computing system1.

Be that as it may, it is clear that if there is any difference in the challenge

involved, the second tradition will certainly pose no less challenge than the first. Thus a
technological voting system designed according to the second tradition, with political
parties invited to observe in detail what is going on and check for any wrongdoing,
would also be acceptable in the first tradition. For that reason, in the rest of this paper, I
am assuming that the election is begin carried out according to this second tradition, and
that the control of the integrity of the system is carried out in the last resort by the
political parties involved in the election.

Threat analysis
When a new technological system is being considered, it is important to carry out
a thorough threat analysis and risk assessment, considering risks arising from accident,
error and malice, and analysing their likelihood, their consequences, and the possible
countermeasures. This paper studies only risks from malicious attacks, and so needs to be
complemented by consideration of the other sources of risk. Indeed the risk analysis
should be carried out in an integrated manner: most malicious attacks against computer
systems are made possible by an error in computer architecture, software specification, or
software implementation, and therefore prevention and detection of such errors is an
important element of protection against malicious attacks.

The key concepts to focus on in analysing risks of computer-based systems are

those of: “single point of vulnerability” and “technological amplification”. The first of
these refers to the fact that certain computer systems become focal points for
vulnerabilities, so that action against them spoils the entire system. In the case of a voting
system, this obviously applies to the central vote-processing computer. Less obviously, it
may also apply to the nearby nodes in the Internet communication network, so that, for
example, an attack which succeeds in flooding one of those nodes may make the voting
system unavailable. The second term, “technological amplification”, is important in the
case of e-voting because an Internet Trojan horse with self-replicating capabilities may
manage to install thousands or millions of copies of itself in users’ computers after a
short period of time.

These are not the only risks attached to Internet voting: there are others which,
being widespread by their nature have no need of technological amplification. It is clear,
for example, that Internet voting, just like postal voting, is more open to impersonation
Paper published as pp. 255-266 in Informatik und Recht, Staempfli, Zürich, 2003

from within the voter’s household than going to a polling booth. These risks have to be
evaluated, but there is no particular need for specialist advice when doing so.

To return to the analysis of possible attacks, the parameters which have to be

considered include:

• The motivation behind the threat

• How easy the attack would be to implement
• Can the attack be prevented without imposing major burdens on the voters?
• Can the attack be detected? If so, is it technical recovery possible?
• Can the attack be deterred by the threat of legal (civil or criminal) response?

The first of these questions can be applied collectively to many sorts of Internet
attacks, and the principal possibilities are outlined below. For the other questions, the
response is different for different technical modalities of attack, and these questions are
discussed under the various attack categories in the next chapter.

Attacks intended to disrupt

Many people like to disrupt elections. They range from political parties which
believe - or claim to believe - that they have been hard done by, through those hostile to
the political system or to the overall policy of the country concerned, to people simply
wishing publicity for a particular cause, or even publicity for its own sake.

In the case of electronic voting, to these groups should be added the “hackers”,
those to whom the technical challenge of disrupting an electronic voting system is
sufficient in itself.

Moreover, given that any vote is a relatively rare and expensive operation, it also
represents a possible vulnerable point for commercial or other pressures, including
threats of strikes. See Pratchett et al.2 for a more detailed discussion of these possibilities.

The principal attacks of this type involve attacking the communications

infrastructure. This could be achieved physically - e.g. by cutting cables - or logically,
e.g. by flooding the routers or by attacking the DNS machines on the network. There is
also the possibility of attacks on the central computer, for example by electromagnetic
disturbance or even low-tech means such as flooding the machine room or bringing down
power cables.

Attacks intended to change the result

However, the most serious attacks are those which could actually modify the
result of the election, either by preventing particular people from voting or by modifying
votes as they are cast or subsequently. (It should of course be noted that any disruption of
a voting system may prevent or at least discourage some people from voting, and this
could introduce systematic distortions.)

An important point to note in this context is that the political effects of a claim
that such an attack was carried out may be significant, whether or not the claim is true.
Paper published as pp. 255-266 in Informatik und Recht, Staempfli, Zürich, 2003

There appear to be three essential mechanisms for attacks of this type: attacking
the voter’s computer system (by installing corrupted software, whether from source or by
an Internet “Trojan horse”); attacking the communications system (a “Man in the Middle
- MITM” attack, or a “spoofing” attack in which a false voting site pretends to be the real
one); or attacking the central computing software (by hacking into it from the Internet, or
by authorised personnel installing corrupted software). These possibilities are considered
individually below.

Attacks intended to gain information

The third possible category of attack is that intended to find out how particular
electors have voted. The mechanisms are essentially the same as those outlined in the
previous section, though there are further possibilities in attacks after the event - for
example, an Internet Trojan horse which reads the log files of the voters’ computers.

Since the mechanisms for these attacks are essentially the same as those of the
previous section, they are not considered separately here.

Risk assessment
Having then identified the possible categories of attack, and having decided that
attacks intended to change the result - whether real attacks or claimed attacks - represent
the most serious threat to the legitimacy of the democratic process, we focus on a few of
these, trying to ask the questions outlined above, concerning ease of implementation,
preventability, detectability, recoverability, and deterrence.

In this paper, we have decided to focus on what appear the most threatening of
these attacks, that is attacks which are in some sense “internal”, in that they come
through the computer systems, either that of the voter or the central system. In a
comprehensive approach to security, the considerations brought up in this paper should
be complemented with measures to prevent attacks on the communication system, such
as MITM or spoofing attacks, starting with encryption of the voting session.

Attacks from within the central system

Let us assume that our central system has been well-designed to prevent intrusion
attacks, and that we have good protection which should also identify if any such intrusion
attacks have been made. This would involve typically:
- the system only going on-line shortly before the election starts
- the system being booted from hash-checked, clean, CDs which have been checked
and digitally sealed by the system development staff
- the system not being used for anything other than voting
- a well-configured firewall, IDS, and HIDS
and perhaps other precautions such as running a secure log, with heartbeats from an
HIDS module in constant communication with the operating system kernel, taking
regular hashes of the system modules running …

Can we trust this system? In other words, can we be sure that at no point has any
code been introduced which would corrupt the system, either by making a false count of
the votes, or by recording the result of an individual vote? If all the software is open-
source, then it can be supplied to the political parties, who can be invited to verify it -
supposing they have the technical ability to do so. They would also have to observe the
process of creating the clean CDs to boot the system, check the configuration of the
Paper published as pp. 255-266 in Informatik und Recht, Staempfli, Zürich, 2003

firewall, IDS and HIDS, check the pseudo-random number generator used to generate
private keys ... It’s a tall order. Even for major elections in large countries, political
parties would probably have difficulty calling on all the specialist knowledge required.
However, the possibility of checking exists: and given that modifying the software so as
to corrupt the system is not an easy task, and that the staff concerned would be liable to
criminal sanctions, it may be that this theoretical possibility of checking would be judged
sufficient, combined with the internal monitoring of the electoral office, to protect
against such an attack.

If the software is not open-source, it is much more difficult to see how such a
check could be carried out. Moreover, in the case of open-source application software
running over a proprietary operating system, there is the - admittedly remote - possibility
that the underlying operating system software has been corrupted. See the next section
for discussion of this possibility.

So the judgement here seems to be that while mounting an attack on the central
software might be only moderately difficult - given that staff with specialist knowledge
have privileged access to the systems concerned - the possibilities of prevention,
detection, and legal response can be made adequate, provided that open-source software
is used.

Attacks from within users’ computers

It is technically possible to ensure that voters’ computers are “clean”. This could
be done by sending out CDs (checked in the ways described above) to be used to boot the
voter’s computer for the purpose of voting. However, apart from the expense of such a
procedure, it is liable to encounter some resistance from voters. Many would not
understand, and many would not accept, the justification for re-booting their system; and
the extra trouble involved might discourage significant numbers.

If the voter’s computer is not rebooted off a clean CD, there would seem to be
two ways in which it could be corrupted.

Firstly, the operating system or application software could have been corrupted
on issue. This seems extremely improbable, but it is hard to say that it is completely
impossible, and is perhaps a possibility to be borne in mind for elections which are
important at a national or international level. Consider the following scenario:

I work in a company which supplies a software suite widely used in home

computers. I insert in this suite a module which modifies the operating system’s
screen-capture software. If the screen contains two writeable windows with the
words “Republican” and “Democrat” nearby, and if the word “President”
occurs on the screen, and if the month is November and the day of the month is
between 3 and 12 and the year is divisible by 4, then 3 times in 100 the result is
switched from one window to the other …

Can we really be certain that that has not happened? Or that, is it has, we would
know about it? Or that, if we knew about it it would be possible to trace and prosecute
the programmer concerned?
Paper published as pp. 255-266 in Informatik und Recht, Staempfli, Zürich, 2003

Against this, it is reasonable to point out that this would require considerable
preparation, and a good knowledge of how the voting software for a particular election
was likely to work. In that sense, it is an extremely difficult attack to carry off
successfully.

Such an attack, therefore, is extremely difficult to mount; and there is the

possibility of prevention, by using clean software - but at a significant cost in terms of
voter disruption. However, detection seems unlikely, and legal deterrence very difficult.

The second scenario, rather less improbable, concerns the wealth of worms,
viruses, and Trojan horses which circulate on the Internet. Consider:

Shortly before the election, I publicise the availability of a new music-playing

suite. This suite, which has to be installed on the user’s computer, does indeed
play music well, and has some new and attractive features. However, it also
modifies the user’s Internet browser, installing a “Trojan horse” in such a way
that communication with a particular website passes through a “spoof” site,
which modifies the vote cast. Moreover, since I have got into the browser
software, I can ensure that this is completely invisible to the user, unless he
should be one of the small minority running a firewall, in which case my Trojan
horse remains inactive. To reduce the possibilities of detection of my Trojan
horse I carry out some social engineering, specifying that the software is illegal
and unauthorised…

An attack like this would not require so much preparation, and could aim at a
particular election rather than the “general” possibility mentioned above. It is possible
that such an attack would be detected by some user, and the electoral office, thus alerted,
could find the Trojan horse. However, the Trojan horse could be set to eliminate itself
after use, and then the probability of detection would seem to be quite low. And if the
attack were launched from another country, it is not clear that legal deterrence would be
available.

So this attack is not quite as difficult to mount; the possibility of prevention relies
on clean software, with the drawbacks mentioned above; detection seems difficult, and
legal deterrence quite impossible.

Moreover, it is possible to imagine some sort of mixture of these two sorts of

attacks: software installed on issue which on a certain cue goes to a specified Internet
address and downloads a Trojan from there for a particular election. Again it just might
be discovered; but it might well not.

Verification

So far, the results of our analysis look very discouraging. Even taking all
reasonable precautions, using only open-source software and heavily protected computer
systems, we are still vulnerable to attacks on the voters’ computers - unless we go for the
armour-plated solution of voters being required to boot off a clean CD. These attacks
may not be likely, at least for small-scale elections, but they are almost impossible to
Paper published as pp. 255-266 in Informatik und Recht, Staempfli, Zürich, 2003

prevent, detect, or deter. The consequences for the political legitimacy of any electronic
election are serious.

If it were possible to verify the results of individual votes after an election, then
we could with very high confidence detect such an attack after the event. Finding such an
attack would have serious consequences - the election concerned would presumably have
to be re-run - but the knowledge that the verification was routinely carried out would also
represent significant deterrence, perhaps enough to prevent would-be attackers from
putting in the large amount of effort needed to organise and mount a successful attack.

We should point out that there has long been considerable scepticism in the
computing security community as to whether any Internet election system can be made
adequately robust while respecting other requirements such as auditability and
confidentiality. See, for example, Rebecca Mercuri’s Ph.D. thesis3 in which she claims to
demonstrate that an electronic voting system cannot conform to the ISO’s Common
Criteria for Computer Security and be both confidential and secure. See also
Shamos4,Neumann et al.5 However, this should not stop us from trying new solutions to
see if they work, and it is in that spirit that the author of this paper would like tentatively
to suggest the following “voter verification system”. Even if judged positively, it will
doubtless need further development, but the concept behind may be a valid - if limited -
contribution to improving the security of Internet voting.

Connected to the voting computer Cv is a verification computer Cc - here we do

not go into details about the architecture of Cv. Cc runs open-source software; it is placed
under physical seal, and it only has two external connections, one to Cv and the other to
two terminals within the electoral office building. At voting time, Cc receives the voter’s
number and the vote cast. It encrypts this information using a key which it has generated,
and returns to Cv a hash of the result. This hash is made available to the voter. (For those
not expert in computing terms, we should explain that a “hash” is a form of a file, such
that it is not computationally possible to work out what the file is from the hash, but since
the same file will always generate the same hash, it is possible to confirm from the hash
when the correct file is found.)

A voter who wishes later to check his vote is invited to print the voting screen on
which his vote is recorded. This information is not of course proof as to how that voter
voted; it is always possible to print one vote, then change one’s mind, and enter another.
However it should be reasonable protection against failure of memory. The voter is also
invited to note down - or to print - the hash of his vote. This information is not in practice
of any use in discovering how the voter has voted without the key held in Cc. However,
during a certain period after the election, the voter can go to the election building, and
there can ask to see what his vote is as recorded in Cv. The vote is displayed on the
screen, along with the corresponding hash. If the vote is correct according to the user’s
memory and print-out, and if the hash produced is the same, then there is no problem. If
the vote is wrong, then the hash provides powerful confirmation as to whether the
problem was in the voter’s computer or in the central vote-counting system.

The idea is that political parties are invited to nominate reasonable numbers of
their supporters who will check their votes. This verification system does not provide
complete protection against political parties in bad faith, in that it is still possible for
people to say “there must have been a Trojan in my computer: the hash corresponds to
Paper published as pp. 255-266 in Informatik und Recht, Staempfli, Zürich, 2003

the vote recorded, but it doesn’t correspond to the vote I thought I was casting”. (At that
point it would be possible to look at the voter’s computer’s log, and see if it showed any
inconsistencies.) Nor - and this is important - does it provide any protection against
attacks on the communication system aimed at recording rather than falsifying votes. But
it would provide good protection against the most worrying and delegitimising
possibility, that the election result had been fraudulently manipulated.

Various further checks and procedures would be needed. For example, one of the
terminals in the election building would be used by election officials to identify the voter,
while the other would be used by the voter, alone in a closed room, to actually see the
vote. Provisions, whether technical or procedural, would have to be made to ensure that
election office staff did not look at individual votes. And at some predetermined time,
say a fortnight after the election, if no problems had come forward Cv would be taken out
of action in such a way that the cryptographic key it had used was lost. At the same
moment, all the storage media used for the election would be overwritten a large number
of times …

It will be seen that the essence of this verification scheme is using a verifying
indicator, the hash, which provides a “proof of vote”, but of such a nature that it cannot
be read other than within the electoral system itself.

Conclusions
Attacks against Internet elections are a real possibility, and it seems reasonable to
hypothesise that the more important the election is the more likely it is that there will be
serious attacks. While some of these would “merely” disrupt an election, there is a
worrying possibility that attacks which could change the result of an election may be
undetectable. In the absence of any verification scheme, the consequence of these
vulnerabilities, at least in the view of the computer security community, is such that there
would always be a question mark attached to the legitimacy of any major election
conducting by Internet voting.

In this context, a verification scheme is proposed in this paper which, by enabling

individual voters to verify their votes, would at least give confidence that such an attack
would be detected after the event. Such a scheme would need further development, but
does at first sight appear to be a possible contribution to the security of Internet voting.

1
Richter D., Hartmann V.: “A component approach to on-line voting” presented at E-voting and the
European Parliamentary Elections, Florence 10/11 May 2002
2
Pratchett L., Wingfield M., Ben Fairweather N., Roferson S. “Balancing Security and Simplicity in E-
voting: is there an effective compromise?” presented at E-voting and the European Parliamentary
Elections, Florence 10/11 May 2002
3
Mercuri, R. “Electronic Vote Tabulation Checks & Balances” Ph.D. thesis no. 3003665 submitted to the
University of Pennsylvania, available from http://www.umi.com/. A summary can be found at
http://www.notablesoftware.com/Papers/thesdefabs.html
4
Shamos M.I. “Electronic Voting - Evaluating the Threat”, available at
http://www.cpsr.org/conferences/cfp93/shamos.html
5
Neumann P., Mercuri R., Weinstein L. “Internet and Electronic Voting”, available at
http://www.notablesoftware.com/Papers/Risks2114.html