Fascinating report. Let's let H-online security news tell the tale (my emphasis; some reparagraphing):
Researchers at the University of Michigan have reported that it took them only a short time to break through the security functions of a pilot project for online voting in Washington, D.C. "Within 48 hours of the system going live, we had gained near complete control of the election server", the researchers wrote in a paper [pdf] that has now been released. "We successfully changed every vote and revealed almost every secret ballot."At least they decided to actually look for problems:
The hack was only discovered after about two business days – and most likely only because the intruders left a visible trail on purpose.
In 2010, the developers of the municipal e-voting system that enables voters living abroad to vote via a web site, invited security experts to conduct tests. The university researchers say that the project was developed in cooperation with the Open Source Digital Voting Foundation (OSDV) and that other US states have also worked on services similar to Washington's "Digital Vote-by-Mail Service".More at the story link, of course, and you can download the full PDF report and read for yourself.
They also praise the system's transparency as exemplary but point out that its architecture has fundamental security weaknesses and was not able to withstand a shell injection and other common hacker techniques.
The security experts investigated common vulnerable points such as login fields, the virtual ballots' content and filenames, and session cookies – and found several exploitable weaknesses. Even the Linux kernel used in the project proved to have a well known vulnerability.
The researchers have concluded that we're a fair distance from a secure e-voting system. That means we'll have it soon, right? (No, I don't think I'm just kidding.)
GP
(To follow on Twitter or to send links: @Gaius_Publius)
