Hacked DC School Board E-Voting Elects Bender President

We may earn a commission from links on this page.

Yes, that Bender. The one on the left. A University of Michigan team got him elected to the Washington DC school board in 2010 by hacking the district's electronic absentee ballot system.

In 2010, the school board in Washington DC had just erected a new electronic voting system for its absentee constituents. To test the system—given the paltry performance of e-voting systems in the past—the school board opened the system to public scrutiny and challenged them to hack it in four days during the lead-up to the election.


Alexander Halderman, a professor at the University of Michigan, along with two grad students, took up the challenge, "How often do you get the chance to hack a government network without the possibility of going to jail?"

Halderman explained the underlying methodology in his account of the attack,

Our objective was to approach the system as real attackers would: starting from publicly available information, we looked for weaknesses that would allow us to seize control, unmask secret ballots, and alter the outcome of the mock election.


Within hours of examining the Ruby on Rails software build that constituted the voting system, Halderman's team discovered a shell injection vulnerability, allowing them to alter an images directory on the compromised server as well as change outputs, and had guessed the admin login for the terminal server (hint: both the name and password were ADMIN).

From there, the team found vulnerabilities in the system controlling the server farm's security camera's, which allowed them to time attacks when nobody was around to notice the extra activity. Best of all, the team found a PDF containing authentication codes for every DC voter—you know, the ones voters use to prevent electoral fraud and prove their identities.


With this data, the team was able to change every ballot to a vote, not for any of the actual candidates, but a write-in for a fictional IT entity with Bender edging out Skynet in his political debut. Their control was so complete that even if new ballots were generated, they too would vote Bender.

Even after changing the systems log out screen to read "Owned" and play the University of Michigan fight song, it took system admins a solid two days to discover the changes. They only noticed when another team told them the system was secure but complained of the music when logging off. Even more amusing, while the Michigan team was rummaging around inside the system, they took the liberty of blocking intrusion attempts from other teams including those from a Persian University, India, and China.


That seems entirely too easy a hack for something like voting—one of America's basic tenets—especially given that more than thirty states employ e-voting systems. "The states are in the habit of certifying voting systems, typically without testing them or seeing the source code," Dr. David Jefferson from Lawrence Livermore National Labs said at the recent RSA 2012 conference in San Francisco. "In many cases the voting system uses proprietary code that government can't legally check, and the running of the systems is outsourced to the vendors. This situation is getting worse." [Alex Halderman.pdf via The Register]