RUVS test run reveals system vulnerabilities
On March 15, the Elections Commission tested the Rensselaer Union Voting Suite in preparation for the upcoming Student Government elections. While not widely advertised, this dry run was an open invitation for students to test RUVS and suggest improvements. 78 votes were cast during this event, with an additional 12 falsified by Web Technologies Chairperson Joseph Lyon ’20. During this trial run, Lyon was able to find two crucial vulnerabilities within RUVS that would invalidate voting results if not addressed properly.
The first vulnerability allowed for session hijacking. Lyon was able to access a session cookie from a voting laptop and, from his personal laptop, vote remotely for other students by using their credentials. This means that votes could be cast without proper student authorization, which would allow for vote tampering.
The second vulnerability involved mimicking voting booths. Lyon hosted a nearly identical page to the voting suite and was able to replicate the real voting experience at a booth. The code he ran was located on a remote server. This sent student votes to an improper server, instead of recording them in the actual election.
When asked what was being done to remedy these vulnerabilities, Elections Commission Chairperson Zachary Taylor ’21 said they plan to “lock down both the Chromebook laptops themselves, as well as the voting browser.” He continued, “We’re preventing users from accessing most any function of the machine that is not directly involved in voting, including restricting the ability to edit the page, view cookies, and visit URLs not used by the voting booth.”
In a Senate meeting following the RUVS test run, Lyon presented this information and stressed the importance of these issues. With this in mind, the Elections Commission feels confident in their repairs of the system—which include the use of “parental controls on the browser”—and plans to use RUVS during this election season.
Another test run of RUVS is scheduled for Tuesday, and students are permitted to participate and test the system.