Hackers Elect Futurama's Bender to the Washington DC School Board

Researchers hack the Washington DC electronic voting system, and elect Bender, the drunk robot from Futurama, as school board president.

Electronic voting has earned a pretty bad reputation for being insecure and completely unreliable. Well, get ready to add another entry to e-voting's list of woes.

One Bender Bending Rodríguez was elected to the 2010 school board in Washington DC. A team of hackers from the University of Michigan got Bender elected as a write-in candidate who stole every vote from the real candidates. Bender, of course, is a cartoon character from the TV series Futurama.

This was not some nefarious attack from a group of rouge hackers: The DC school board actually dared hackers to crack its new Web-based absentee voting system four days ahead of the real election. University of Michigan professor Alexander Halderman, along with two graduate students, did the deed within a few hours.

After looking over the e-voting system's Ruby on Rails software framework, Halderman's team discovered that they could use a shell injection vulnerability to get into the system. This allowed them to retrieve the "public key," which is used to encrypt the ballots. With the public key in hand, the hackers were able to change every ballot already in the system and replace any subsequent real ballots with fakes.

While the hackers were mucking about the system's server, they discovered other files that were not ballot-related in the /tmp/ directory. Among them was a 937-page PDF containing instructions to individual voters as well as authentication codes for every voter. If someone with malicious intent got their hands on these codes, they could use them to cast ballots as a real voter.

The researchers also managed to hack into the network, allowing them to gain access to other systems within the building. The team was able to get into the surveillance system, which gave them access to the security cameras. This allowed them to time their attacks so that the technicians would not notice the additional server activity.

When the team tried to get into the terminal server, they noticed there was an attack coming from Iran; they traced the IP address to the Persian Gulf University. The team realized the Iranians were getting in with one of the default admin logins (user: admin, password: admin). To stop the outside attacks the team blocked the offending IP address with iptables (a piece of software for server admins) and replaced the admin password with something more challenging. The team also blocked similar attacks launched from New Jersey, India, and China.

For the team's pièce de résistance, the researchers replaced the "Thank you for voting" note with "Owned," and programed the site to start playing the University Of Michigan's Fight Song "Hail To The Victors!" 15 seconds later. Despite all this, the system administrators did not notice anything strange until two days later.

Halderman's closing statements on e-voting are that a single flaw in the configuration of the system could be fatal, and secure Internet -based voting won't be ready until there are significant fundamental advances in computer security. Be sure to check out the full paper on Attacking the Washington, D.C. Internet Voting System.

(pdf) via The Register and Gizmodo]

Like this? You might also enjoy...

Get more GeekTech: Twitter - Facebook - RSS | Tip us off

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Kevin Lee

PC World (US online)

Comments

Joel

1

"The DC school board actually dared hackers to crack its new web-based absentee voting system four days ahead of the real election. University of Michigan professor Alexander Halderman, along with two graduate students, did the deed within a few hours."

Somewhere, a sysadmin is crumpled up in a heap. We tell the higher-ups to never challenge hackers but they never listen.

Anonymous

2

That's so much fail I think it gave me cancer.

Anonymous

3

At least they had a sense of humor about this. You should never really challenge hackers... they prove you wrong every time.

Also, 3rd paragraph: 'rouge' should be 'rogue', as I'm sure we aren't talking about cosmetics.

j

4

Hackers have the advantage of exploting faulty programing with little or no cost to themselves while the company or administrator has the burden of patching the program. Personally I belive it was a good way to test the system for future use. Still though you know they didn't plan it that way instead some computer geek thought he was the $#!+ an got owned. Lol.

B

5

As funny as this is, I have to think the fact that the hackers blocked four other attackers (including Iran and China) deserves more attention than it's given.

kalihto

6

The election board announced has been set up.

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

Resources

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?