View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 14, 2014

Silent router hijack defrauds e-voting PDF

New electoral system described by researchers as inherently ‘unsafe’.

By Jimmy Nicholls

Routers can be hijacked to silently tamper with PDF election ballots before they are sent to vote counters, according to researchers from computer science firm Galois.

Daniel Zimmerman and Joseph Kiniry were able to modify byte sequences in the document to alter which form element had been selected, a technique that could be used to defraud the voting system.

They said: "Unencrypted PDF ballots sent via electronic mail can be altered transparently, potentially with no obvious sign of alteration, and certainly with no way to determine where on the network any alterations took place or the extent to which votes have been corrupted.

"This method of vote submission is inherently unsafe, and should not be used in any meaningful election."

The researchers tested various PDF readers to see if their changes were passed, with Adobe Acrobat and Apple Preview failing across three methods, while Google Chrome, Gmail and Mozilla Firefox failed in only the most sophisticated attack.

Attack code created by the pair, monitors connections on email submission ports replacing encoded strings when they are detected, with the hack said to be undetectable unless the connection is scrutinised at both ends.

"It is possible that we get unlucky, for a particular ballot/email client/network combination, and our target strings end up split across TCP packets: in such cases our attack cannot modify the ballot," they said.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

"However, given typical TCP packet sizes and the relatively short lengths of the target strings, it is likely that our attack can successfully modify most ballots it encounters."

Internet voting trials in Norway collapsed in June amidst security fears and failure to improve voter turnout, with the country’s Office of Modernisation saying it would not spend money on further trials.

Prior to that Jenny Watson, head of the UK Electoral Commission, said her group would look at e-voting as part of plan to improve participation, particularly among young people.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.