Phishing for votes

Writer: Bradley Evans, Electrical Engineering major

This is my first year here as a transfer to UCR, and so it was my very first exposure to the toxic atmosphere surrounding the annual ASUCR elections cycle. Most troubling to me was when I first saw a campaign volunteer soliciting a student for their UCR Central Authentication Services login information and asking them to vote on a laptop the volunteer owned.

I learned that this was a completely acceptable election practice called “laptopping.” People who run in computer security circles have a very different name for the act of soliciting usernames and passwords from other people: Phishing.

It’s tricky to pull off an election with online voting. There are very good reasons that it isn’t done in national elections, like the presidential primaries going on right now. Officials cannot guarantee the integrity of voting data because they cannot know what sort of programs might be running on a voter’s personal computer, malicious or otherwise. Laptopping, however, takes the security and privacy risks of online voting and ratchets them up to a new and troubling level.

Besides the very troubling ethical problems with, in effect, allowing political parties to operate their own, party-controlled polling locations (a situation that was initially allowed under this policy), you introduce the problem of students providing login credentials to uncertified, unknown devices. I sent ASUCR a vulnerability report that outlined just some of the possibilities:

– A laptopper could install keylogging software on their own computer, allowing them to harvest and steal login information.

– They could “hijack the session” of students who failed to log out properly, gaining access to their email, financial aid records and iLearn accounts (the original ballot website did not log students out properly).

– A web browser could be modified with malicious code — very easy to do — using a utility called “Greasemonkey” that could actually modify the votes when the voter clicks “submit,” casting votes favorable to the attacker in a way completely invisible to the voter.

Unfortunately, ASUCR and many of the candidates that ran for office do not see the problems that arise from their policies as worth discussing. One candidate who was running for senatorial office (and who is now a senator-elect, following the publication of election results), informed me that my security concerns were “just one opinion. You don’t matter.” The sitting ASUCR President Ashley Harano (who was elected as a member of [OUR]Voice), informed me that in regards to elections complaints, her “duties do not include elections parties or anything of that sort.” That is unfortunate, since as the person who is ostensibly the leader of ASUCR, her priorities define the executive priorities of the organization as a whole.

To their credit, the ASUCR elections committee did what they could to address the most important of the privacy and security concerns I identified in my vulnerability report by adding a log-out button to the ballot.

These problems cast very real doubt on the integrity of the election. There is absolutely no way to audit the results for tampering or fraud, because it’s impossible to demand access to so many privately owned laptops. The judicial council seemed to see this, which is part of why I believe they moved for a re-vote (since a recount or audit is impossible). The senate, however, disagreed, so now we have to live with lingering doubt about the election’s legitimacy.

My hope is that ASUCR will take an active interest in correcting these problems. They have 11 more months until the next election cycle to try and push a fix, but they first need to be interested in finding a solution. I’m not confident that they are.

But that’s just my opinion. Just one opinion.

Editor’s Note: The author is a former Marine Corps Sergeant who instructed communications security topics for the military, as well as an electrical engineering student studying security topics here at UCR.
