Helios is a web-based open-audit voting system designed using state-of-the-art web technologies and advanced cryptographic techniques to provide integrity of ballots and voter secrecy in an insecure Internet environment. In this paper, we demonstrate a simple attack against Helios 2.0 that takes advantage of the fact that every candidate in Helios can provide a URL referring to his/her candidacy statement. A malicious candidate who wishes to win a Helios-managed election uploads a specially crafted PDF file containing a candidacy statement to his/her website. The attack is then triggered against each voter who is using a vulnerable machine. The security of the machine is undermined, e.g., when the voter visits the attacker's webpage. In essence, we exploit vulnerabilities in Adobe Acrobat/Reader to install a malicious browser extension on the voters' machines. Such an extension gives the attacker an opportunity to fool the voter (using social engineering) into accepting a hacked ballot. As a result of our attack, Helios 2.0 was upgraded to Helios 3.0. We discuss defences against this attack, generalizations, and the impact of the latest upgrade of Helios on security.