Security Analysis of the Democracy Live Online Voting System

New research: “Security Analysis of the Democracy Live Online Voting System“:

Abstract: Democracy Live’s OmniBallot platform is a web-based system for blank ballot delivery, ballot marking, and (optionally) online voting. Three states—Delaware, West Virginia, and New Jersey—recently announced that they will allow certain voters to cast votes online using OmniBallot, but, despite the well established risks of Internet voting, the system has never been the subject of a public, independent security review.

We reverse engineered the client-side portion of OmniBallot, as used in Delaware, in order to detail the system’s operation and analyze its security.We find that OmniBallot uses a simplistic approach to Internet voting that is vulnerable to vote manipulation by malware on the voter’s device and by insiders or other attackers who can compromise Democracy Live, Amazon,Google, or Cloudflare. In addition, Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information­—including the voter’s identity, ballot selections, and browser fingerprint­—that could be used to target political ads or disinformation campaigns.Even when OmniBallot is used to mark ballots that will be printed and returned in the mail, the software sends the voter’s identity and ballot choices to Democracy Live, an unnecessary security risk that jeopardizes the secret ballot. We recommend changes to make the platform safer for ballot delivery and marking. However, we conclude that using OmniBallot for electronic ballot return represents a severe risk to election security and could allow attackers to alter election results without detection.

News story.

EDITED TO ADD: This post has been translated into Portuguese.

Tags: , , , ,

Posted on June 9, 2020 at 6:26 AM8 Comments

Comments

Clive Robinson June 9, 2020 2:37 PM

@ All,

    “Democracy Live, which appears to have no privacy policy, receives sensitive personally identifiable information­ — including the voter’s identity, ballot selections, and browser fingerprint­ — that could be used to target political ads or disinformation campaigns.”

Perhaps one of the most fundemental requirments of a voting system if democracy is to be retained is the privacy of the individuals vote. So that they can not be bribed or coerced.

For “Democracy Live” to breach those basic requirments strongly suggests that preserving democracy is not high on their list of aims and objectives, if on it at all.

A trend I’ve noticed in the US when it comes to anything to do with politics is to name things in the opposite direction to their real intent…

myliit June 9, 2020 4:12 PM

Democracy Now, as opposed to “Democracy Live” or “Democracy Dead”, has covered some topics lately about trying to keep “Democracy Alive”. These three (3) are about mail-in voting. Any thoughts?

https://www.democracynow.org/2020/5/15/securing_2020_election_during_pandemic

https://www.democracynow.org/2020/4/29/trump_vote_by_mail_2020_election

https://www.democracynow.org/2020/5/21/headlines/trump_threatens_to_cut_funding_to_michigan_nevada_over_mail_in_voting

““Can Democracy Survive the Pandemic?”: Election Hangs in the Balance as Trump Attacks Mail-In Voting …”[1]

“Vote by Mail: Head of Postal Union Says Mailed Ballots Are Best Way to Secure 2020 Election …”

“Trump Threatens to Cut Funding to Michigan, Nevada over Mail-in Voting …”

[1] https://www.nytimes.com/2020/05/05/magazine/voting-by-mail-2020-covid.html

“FEATURE

Will Americans Lose Their Right to Vote in the Pandemic?

The safest way to cast a ballot will very likely be by mail. But with opposition from the president, limited funding and time running out, will that option be available? …”

TheTKS June 11, 2020 9:53 AM

@Clive Robinson

“A trend I’ve noticed in the US when it comes to anything to do with politics is to name things in the opposite direction to their real intent…”

Where have we seen that before?

German Democratic Republic
People’s Republic of *[Insert country name here]

Not meaning to pick on oppressive leftist regimes. Totalitarian is totalitarian, no matter what colour/side they choose as an emblem

Left/right is a historic description, not an indication of position on a spectrum. As others have said, it’s not a spectrum, it’s a circle; as you follow lefter and lefter, and righter and righter, you see they meet.

TKS, longtime lurker, and skeptic that we will soon find a way to do online voting as representative as in-person

Erdem Memisyazici June 12, 2020 10:46 PM

@wiredog

That’s great XD I don’t think I saw that one before. You know it’s funny how everybody knows something is unsafe, everybody warns against it in the entire industry yet we still see it being made and implemented just as bad as everyone thought it was going to be and still nobody is surprised. How does this happen over and over? Clearly the issue isn’t in the technical details.

Clive Robinson June 13, 2020 3:39 AM

@ Erdem Memisyazici,

How does this happen over and over? Clearly the issue isn’t in the technical details.

Have you ever watched a program called “Dragons’ Den”[1] / “Shark Tank”?

You fairly quickly realise two things,

Firstly, that some people “have a dream” but reality is not something they wish to have anything to do with.

Secondly, that Alexandre Dumas-fils observation that,

    “The difference between genius and stupidity is: genius has its limits.”

Can be seen more frequently than you would expect.

But you will also see in the US version those that do not appreciate,

    “Insanity is doing the same thing, over and over again, but expecting different results.”

After all in the US you can go from millionaire to bankruptcy to bankruptcy many times, and still rise to reality TV fame and beyond…

[1] https://en.m.wikipedia.org/wiki/Dragons'_Den

Gunter Königsmann June 18, 2020 1:07 AM

@Clive: in the GDR voting was controlled using a side channel attack: You only had the choice to accept the vote or to reject it. Or not to go voting at all.
Accepting was easy: Just put the piece of paper they gave you into the box, unmodified.
Rejecting instead required striking out each single line. In any other than these two states the vote would count as invalid. So if you spent more than a minute inside the voting cabin you were assigned the lowest jobs your factory had, you wouldn’t be assigned a better flat, nothing in your home would be repaired, your children would have to struggle for grades…

myliit June 20, 2020 8:32 AM

A long read that includes “Democracy Live”, poor security, and potential voter fraud.

https://www.newyorker.com/tech/annals-of-technology/why-you-cant-just-vote-on-your-phone-during-the-pandemic

“Why You Can’t Just Vote on Your Phone During the Pandemic

This month, long waits and pandemic fears have hampered voting sites around the country, including this one in Indianapolis. But online voting is still far from safe.

When Alex Howard, a resident of Washington, D.C., failed to receive an absentee ballot for the city’s June 2nd primary, he assumed that he would have to vote in person. Then, by chance, on the day of the election, he saw a Twitter post alerting voters of the option to vote remotely over the Internet. Howard, a digital-governance expert at Demand Progress, an advocacy group for good governance, decided to give it a try. “I’m a poker and a prodder and a professional evaluator of government I.T. programs,” he told me. “I like to see how things work.” He was directed to a Web site typically reserved for members of the military, which sent him to a site where he confirmed his date of birth and address. He then logged on to another site to vote. A few minutes later, he e-mailed his completed ballot to the Board of Elections. “There were people who stood in line for hours and hours to vote, and here I was, voting at home on my laptop,” he said. “It was really good for my family from a health standpoint, but whether it’s a good idea at scale—I don’t think so.” He is still waiting to hear if his ballot was received.

[…]

For computer scientists who study election software, online-voting programs are a security nightmare. They invite bad actors to slip in undetected and compromise election systems, leaving those systems susceptible to denial-of-service attacks, ransomware, malware, and vote flipping. In 2014, a team of computer scientists at a company in Portland, Oregon, that builds secure systems for the National Security Agency and the Department of Defense showed, in real time [ https://galois.com/blog/2014/11/hacking-internet-voting-via-ballot-tampering/ ], how easy it is to change the contents of a voter’s PDF file as it travels over the Internet. They sent a video of their attack to secretaries of state and other election officials, and posted an explanatory video on YouTube, showing all the weak links in the online transmission of ballots. “This is not just a theoretical danger,” one of the researchers, Joe Kiniry, said at the time. “Votes are silently changed after they leave your computer and before they reach election officials. What’s more, there’s no trace of foul play.” Last month, in anticipation of renewed calls for online voting during the pandemic, the Department of Homeland Security sent a federal risk assessment to state election officials around the country, warning them of the insecurities of Internet voting and concluding that the technology was not advanced enough to be widely disseminated.

[…]

Five days after the D.C. election, two computer scientists, J. Alex Halderman, at the University of Michigan, and Michael Specter, at M.I.T., released the results of an independent forensic analysis of OmniBallot. Their report can be summed up in three words: it’s not safe. In their estimation, the system is vulnerable to malware and manipulation. Halderman and Specter were especially concerned that, even when a voter returns an OmniBallot by traditional mail, the contents of that ballot, along with the identity of the voter, are recorded by the software. If that information were to be leaked or sold, they wrote, it could be used for targeted political ads, disinformation, or coercion. (When the researchers pointed out that the Democracy Live Web site did not have a policy spelling out the company’s privacy protocols, Finney added one.) In his response to the report, Finney noted that Halderman and Specter’s complaints “relating to the transmission of ballots and the possibility of a compromised device . . . is a universal critique of Web sites in general.”

But a voting Web site, which conveys the most basic expression of citizenship, is also a repository for the democratic process. In January, Halderman co-authored a piece for Slate titled “Internet Voting Is Happening Now and It Could Destroy Our Elections,” which took aim at a blockchain-based electronic-voting system that was in use at the time in West Virginia, called Voatz. Specter and two other M.I.T. researchers were the authors of a technical takedown of Voatz, which resulted in its actual takedown by the state. Among other issues, they found that hackers could easily change votes. West Virginia switched to OmniBallot.

West Virginia’s Voatz pilot and the King County Conservation District OmniBallot election were underwritten by the venture capitalist Bradley Tusk, through his charity, Tusk Philanthropies. …”

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.