Internet Voting Revisited: Security and Identity Theft Risks of the DoD’s Interim Voting Assistance System
David Jefferson, Avi Rubin, Barbara Simons, and David Wagner
info@servesecurityreport.org
October 25, 2006
Background
In 2004 the Defense Department Federal Voting Assistance Program (FVAP) built and intended to deploy a voting system called SERVE, the Secure Electronic Registration and Voting Experiment, designed to help military personnel and overseas civilians to register and vote in the primary and general elections of that year. As members of an external peer review panel for SERVE, we published a report entitled “A Security Analysis of the Secure Electronic Registration and Voting Experiment (SERVE),” available at http://servesecurityreport.org. In the report we identified a large number of security risks and vulnerabilities, including denial of service attacks, insider attacks, viral attacks on voters’ PCs, and many others. Shortly after publication of the report, the DoD terminated the program, citing security concerns.
We recently learned that FVAP has created a new online system, the Interim Voting Assistance System (IVAS). IVAS has a similar mission, namely to aid military personnel and overseas civilians to register and vote in the coming November 7 general election. In this short paper we present our serious concerns about the security issues posed by this new system. None of these security concerns is original; all were raised in a DoD internal review, discussed below.
IVAS was announced to the public only last month (September), and has been designed and built only over the last several months, an extremely short time for a system of this complexity and importance. The current system has never been used in a public election before (not even in a primary), and has not been subject to any publicly available external security examination. The technical specifications have not been made publicly available.
Read the whole report (6 pages)
“It is disturbing that the DoD did not heed warnings about the security risks of IVAS from its own internal review.”
~ Jefferson, Rubin, Simons, Wagner