iPads ‘more secure than voting systems’ — claim

Dutch security researcher Sijmen Ruwhof has examined the software used at Dutch polling stations to send election results, and now claims “the average iPad is more secure than the Dutch voting system.”

Local television station RTL asked the researcher to examine the security of Dutch voting systems after they heard they used weak SHA1 cryptography in certain parts of the system.

Dutch elections have used paper-based voting since 2009, when the government banned electronic voting on security grounds.

However, once the vote is cast, election officials will use electronic systems to send manually counted votes from each district. As the vote is counted data is transferred and shared on USB sticks, with the final tally going to the central Electoral Council in a digital file.

This means that at multiple points during the result calculation, the data is shared electronically using systems that may not be so secure. The voting software can even be installed on personal devices, Windows XP, and non-current versions of web browsers, the researcher said.

You can take a look at the accumulation of security weaknesses identified by the researcher here.

“Anyone with a certain level of IT-security knowledge will tell you that a computer cannot be trusted,” Ruwhof explains.

“Whatever steps you take to secure a computer, it will always be possible to hack it. And against state-sponsored hackers you have almost zero chance.

“To put it bluntly: you can’t protect a computer system against experienced and well-funded state-employed hackers.”

He’s full of harsh criticism for the Dutch voting software.

Just last week Dutch Home Affairs Minister, Ronald Plasterk, ordered an investigation to explore the possibility of its forthcoming March elections being vulnerable to interference. News that the Dutch system is less secure than an iPad will likely fill no one with too much joy.

The Dutch news follows a series of claims that the recent US election may have been hacked by a foreign power.

These claims have been in circulation since late last year. The House and Senate Intelligence Committees are making separate inquiries into the matter though it is likely to be hard to figure out if it happened at all.

Speaking earlier this month, FBI director James Comey admitted to identifying multiple instances in which Russia is alleged to have hacked voter registration databases and political groups.

Only last week the New York Times claimed two Russian intelligence officers linked to offices alleged to have been involved in these attempts were arrested in Russia for treason. These arrests followed the U.S. investigation.

It has not been said that voting systems themselves have been attacked.

The latest Dutch voting system security news shows how vulnerable electronic systems can be to determined attacks. The security researcher has identified numerous flaws in the Dutch model. These create security problems that really shouldn’t exist.

A Wired report in August 2016 made claims that U.S. electronic voting machines were also vulnerable, as they were also not made with security in mind.

“People weren’t thinking about voting system security or all the additional challenges that come with electronic voting systems,” the Brennan Center’s Lawrence Norden told Wired.

The similarity between both the Dutch and US models – use of Windows XP, for example, and that neither system appears to have been designed with security in mind may worry anyone who cares about their voting system.

While there have not been claims these sorts of hacks have taken place, it should concern any citizen if such essential systems are poorly protected, as these reports suggest.

It also strongly underscores the big lie at the heart of a laissez faire approach to security.

If you think about it, it remains deeply irresponsible for any vendor of critical equipment to fail to field advanced security in their devices. Yet we know that from the Internet of things devices to smartphones, some vendors appear to see security as an afterthought.

This is inappropriate. In an incredibly connected world, security is becoming critical. Elections, identity, infrastructure and financial stability depend upon them.

In other words, every connecting computing device you use – from your mouse to your PC – should be at least as secure as an iPad. In my opinion it is shameful that any device or system you use is any less secure than that. 

Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic’s Kool Aid Corner community and join the conversation as we pursue the spirit of the New Model Apple?

Got a story? Drop me a line via Twitter. I’d like it if you chose to follow me there so I can let you know when fresh items are published here first on Computerworld.

http://www.computerworld.com/category/security/index.rss