There are still some polling places which use the traditional paper ballot system, but nowadays, the use of electronic voting (or also known simply as e-voting) has become widespread.
Rather than having to fill in ovals or punch a paper ballot, a voter can select the candidates of their choice by using an electronic touch screen. In fact, this type of system is also being used worldwide as well.
Although it does have significant advantages over the traditional paper system (such as instantaneous tabulation of votes in real time), it has its own set of security vulnerabilities as well.
Many of these e-voting machines are often interlinked with another, and to a central server, or servers, depending upon the network configuration.
The following are some examples of security vulnerabilities:
This occurs when a voter is either intentionally or unintentionally wrongly identified and authenticated to vote at a particular station. This often happens when there are loose knit security policies put in place to confirm the identity of a voter. The result of this is that a voter can assume the identity of another voter under false pretences.
Adware, malware, and spyware
In this grouping, the most pronounced security threat is that of the Trojan Horse. These are individual pieces of software which can be injected into a computer, a wireless device, or even an e-voting kiosk at a polling station. The latter can cause the voter to cast their ballot in a particular fashion, thus even altering the outcome of an election.
This refers to software that has been developed to create the electronic interfaces used by the polling officials and the voters themselves. These applications can be developed using either closed source or open source software, but the key thing to be remembered is that these applications must be thoroughly QA and penetration tested before they are deployed into the e-toting infrastructure. If not, security gaps and holes could still be remnant from the time when these specific applications were being developed. A prime example of this is known as the “backdoor.” These are used in the software development process to give the developers quick and easy access to the software code. If these are not removed before the actual deployment and cyber attacker can gain covert access to the e-voting infrastructure.
This can happen when an election or government official who has knowledge of the inner workings of an e-voting kiosk can covertly manipulate the technology for either personal gain, or to change the outcome of an election. The only countermeasures to prevent these types of vulnerabilities from surfacing is to implement the use of the “separation of duties” principle, and/or have an independent third-party conduct audit checks of the e-voting infrastructure.
Man in the middle attacks
This type of security threat can be defined as “an attack where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other.”
When this type of attack is used on an e-voting infrastructure, a specialised type of electronic device is implanted into the e-voting kiosk. In these instances, a logical analyser can be used, which then lets the cyber attacker see the exchange of information and data that is being sent back and forth between the e-voting kiosk and the central server(s) that are processing and tabulating the e-votes which have been cast. The idea is to mimic the metadata so that falsified e-votes can be cast and tabulated. This particular type of security threat preys upon the use of open standard communication formats which are used quite heavily in the e-voting infrastructure.
Our next article will examine how the use of biocryptography (this is the combination of biometrics and cryptography) can be used to overcome the above-mentioned security vulnerabilities.
- W. Trappe and L.C. Washington. Introduction to Cryptography with Coding Theory. Pearson, New York, 2005.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.