By Alex Altman, Time
A little more than 24 hours after online ballots started pouring into the Washington, D.C., Board of Elections and Ethics in late September, it became apparent that something was amiss. Washington's newly elected U.S. Representative went by the name of Colossus. A villainous computer from science-fiction lore captured the city-council chairmanship. And 15 seconds after voters cast their ballots, they were serenaded by the University of Michigan fight song. The system had been hacked.
Fortunately the vote was merely a test, and the disruption was designed to be instructive. For the first time, Washington planned to allow overseas and military voters to submit their ballots over the Internet during next month's elections. To gauge its security and iron out the kinks, officials invited hackers to take a whack at breaching the system's defenses. That task turned out to be far too easy. "It just took one open door," says J. Alex Halderman, the University of Michigan computer scientist who led the assault. Within three hours, Halderman and two graduate students located a flaw in the system's "brittle" security design. After waiting a day for votes to stream in, the trio hijacked the server — changing ballots, broadcasting the maize and blue's fight song, seizing control of the security cameras in the board's offices and unearthing a folder containing the personal information of the more than 900 overseas voters who were to receive online ballots next month. It took 36 hours for officials to notice they had indeed been hacked.
Halderman says the exercise was meant to educate election officials about the dangers of online voting. "The question is not whether these systems can be broken into," he says. "It's whether anyone wants to." They won't have to wait long to find out the answer. During next month's midterm elections, 33 states will allow a few million military and overseas voters to return their ballots online. Yet few, if any, states have taken the time to test their networks. While it may be tempting to jettison long lines, hanging chads and finicky voting machines for the ease of the Web, experts warn that Internet voting invites disaster. "We don't have the technology yet to do this in a secure way, and we may not for a decade or more," says Ron Rivest, a computer scientist and cryptography expert at MIT. The worst-case scenario? "You may find elections that end up with a totally unclear result," Rivest says. "You may find the entire system taken over and trashed."