Many election administrators in U.S. states and counties need to receive and open PDF files from voters. Some of these administrators receive these PDFs as e-mail attachments. These may be filled-out voter registration forms, or even voted ballots from UOCAVA (overseas and military) voters. We all know that malware can lurk in e-mail attachments; how can those election officials protect themselves from being hacked?
Internet return of voted ballots is inherently insecure; that’s a separate issue and I’ll discuss it below. For now, how can one safely open a PDF attachment?
I discussed this question with Dan Guido, cybersecurity consultant and CEO of trailofbits.com. The safe way to view a PDF is inside the Chrome or Firefox browser. Printing a PDF directly from Chrome (or Firefox) to your printer is reasonably safe. The unsafe way to view a PDF is with your favorite PDF-viewer app such as Adobe Reader.
The reason is simple: Google (for Chrome) and Mozilla (for Firefox) have put enormous effort into making their PDF viewers safe, putting them inside a “sandbox” that the hackers can’t get out of — and they’ve largely succeeded.
The PDF file format has hundreds of obscure features and complex functionality that are not needed for simple documents. Chrome and Firefox don’t bother to understand the obscure features: they concentrate on getting the common features displayed safely. On the other hand, Adobe Reader does handle all the features of PDF; that’s a much larger thing to get perfectly right, and (perhaps) security is not Adobe’s highest priority.
Sometimes that means that Chrome or Firefox don’t render your document properly; but this is unlikely to be a problem for simple documents such as voter-registration forms or optical-scan ballots.
In some ways that’s a bit disappointing. I like Adobe Reader’s navigation and document-viewing facilities much more than I like the browser’s built-in PDF display. But I should be careful to use Adobe tools only for documents whose provenance I know, or that have been otherwise vetted.
If you do save your PDF to a file, and are tempted to open it later: again, you can use Chrome or Firefox to open it. (See also: PDF.js) If you want to open it in a full-featured (but less secure) tool, first use a PDF “triage tool” such as PDFid, which will scan the file and tell you if anything looks suspicious.
Is it safe to use Fax?
Many jurisdictions still permit (or require) forms and ballots to be sent to them by Fax. Is that safe?
Once upon a time, a “fax machine” was connected to a “land line” that went through the “phone network.” How safe that was in 1985 is no longer relevant today, when nobody has a “fax machine” and the “phone network” is the Internet.
Most voters, and many election administrators, use on-line fax services such as HelloFax. The voter logs in and upload a PDF file; the fax service converts it to a fax-format bitstream and sends it into the part of the Internet called “the phone system”; the receiver logs in (perhaps to a different on-line fax service) and downloads a PDF file that has been converted from the bitstream.
This has so many points of insecurity: the sender’s online-fax service company may be more or less vulnerable to hackers (or insiders); the receiver’s online-fax service, ditto; and the fax-format bitstream is transmitted unencrypted, unauthenticated across the phone network.
In contrast, e-mail can be a lot more secure than that. If you use a major e-mail provider (such as gmail, Microsoft, fastmail) that knows what it’s doing; and if the recipient also uses a reputable e-mail provider, then: your e-mail is uploaded encrypted (and authenticated) to an SMTP server, which goes encrypted (and authenticated) to another SMTP server, which is downloaded encrypted (and authenticated) to the recipient’s mail reader. The vast majority of Internet e-mail traffic is protected this way.
So e-mail your stuff, don’t fax it.
Is e-mail secure? Can we vote that way?
If e-mail is so much more secure than it was 30 years ago, can we safely vote by e-mail?
Unfortunately, no. Even if Internet messages (by e-mail or other protocols) are safe in transmission, the biggest security lapses are in the server computers and especially in the client’s (voter’s) computers. Hackers who can penetrate the security of those systems can change votes before they’re sent, or after they’re received (but before they’re counted).
Furthermore, e-mail is sent from the voter’s computer to the SMTP server (at Google, or Microsoft, or fastmail…) where it is unencrypted and reencrypted for sending to the receiver’s SMTP server (at Microsoft, or fastmail, or Google, …). It’s like, you mail your absentee ballot to your landlord, who takes it out of its envelope, puts it in a fresh envelope, and mails it to an election official. Even if we trust our landlord (and I expect Google, Microsoft, and fastmail are doing a good job), should we need to trust this intermediary? The citizenry elect their government; we don’t entrust this process to a few big tech companies.
And finally, 6% of email (that’s either outbound or inbound from gmail.com) is still unencrypted–that is, insecure. Six percent may not seem like a lot, but it’s millions of users.
Is e-mail voter-registration secure enough?
Internet return of voted ballots, which is not securable by any known technology. But voter-registration can reasonably be done by e-mail: the voter sends in a form, perhaps a scan-to-PDF of their printed and signed registration form. The reason this can work, when it can’t work for voted ballots, is the ability to audit the individual transaction: after a few days, the voter can check the status of their registration with the election official, or the election official can contact the voter to check up. So even if there’s hacking in the client or server computer, it can be detected and corrected. With ballots, we have the secret ballot: nobody is supposed to learn how you voted. Without the ability to check and correct later, “did my ballot get counted for the person I voted for?”, internet voting is insecurable.
Ironically, the link to the PDF “triage tool” PDFid is blocked by my Malwarebytes browser extension: Website blocked due to reputation, Website blocked: blog.didierstevens.com. Malwarebytes Browser Guard blocked this website because it may contain malware activity. We strongly recommend you do not continue.
The one thing that we didn’t talk about much is the risk of polyglots or file “schizophrenia”. This is when a PDF file opened in two different document readers renders a different result. Opening the same PDF in Adobe Reader vs Google Chrome may display different contents.
Imagine filling out a PDF ballot with one ordering of candidates, then a different app is used to tabulate the votes that presents a different ordering of candidates. It can also work with printing: You see one thing when you read the PDF on the screen, but the paper you print out and mail in has slightly different content.
Here’s a detailed presentation on the topic, including our work to write analyzers for them:
https://www.youtube.com/watch?v=LqRbfzhcI5g
This is a more advanced risk than simply emailing people malware in PDFs, and I haven’t seen it play out much in practice, but something to be aware of nonetheless.