marco
blog
Menu:
Seal security
January 23, 2011
Andrew Appel has a nice post on Freedom to Tinker on the mystique of the tamper-indicating seals often used in electronic voting systems. His conclusion: as with all security mechanisms, one should verify how well they work.
Tamper-indicating seals do not work too well, according to Roger Johnston, who with his group at Livermore and Argonne national laboratories, has assessed a variety of seals used in programs of waste management and nuclear disarmament. Their reports are scary and fascinating to read at the same time.
We did our share of testing security seals when we were investigating the security of the electronic voting systems used in California, as part of the Top-To-Bottom Review. Unsurprisingly (that is, after reading Johnston's reports), we were able to defeat the seals in use at that time and gain access to the internals of the machines they were supposed to protect. For example, we could extract and replace memory cards, power on and off a machine, and access its mother board without breaking or altering any of the protective seals that should have revealed these operations.
The following video shows an example of the simple attacks that were possible:
The real question then is: what do you when you find that tamper-indicating seals do not work?
Voting security in the pop culture
October 9, 2008
It is pretty interesting to see how the pop culture picks up and re-elaborates something you have been working on as a research topic, in this case, the security of electronic voting machines.
And, what's more pop culture than The Onion, The Simpsons, and xkcd (OK, maybe geeky-pop)?
The Onion has covered eletronic voting in several cases. Probably, the funniest one is a breaking news where it is announced that Diebold prematurely leaked the results of the '08 elections.
The Simpsons have a great (leaked) episode where Homer attempts to vote for Obama, but is confronted with "miscalibrations" in the DRE machine he's forced to use...
xkcd came up with a great comic strip to comment on the fact that anti-virus software allegedly caused problems with Premier Election Solutions (formerly, Diebold) voting machines in Ohio.
Attacking electronic voting systems: the video
September 8, 2008
Last summer, I was a member of the UCSB Computer Security Group that tested the security of the Sequoia electronic voting system. Our work was part of the Top-To-Bottom Review of electronic voting machines in California, ordered by Secretary of State D. Bowen.
Our task was to detect vulnerabilities in the Sequoia voting system and implement exploits that would "cause incorrect recording, tabulation, tallying or reporting of votes" or that would "alter critical election data such as election definition or system audit data".
We designed and implemented a number of these attacks. In particular, we proved that it is possible to combine several attacks to inject into the system a virus-like malicious software that automatically spreads to as many voting machines as possible. We have (at last!) been able to release a video we prepared that shows what can be achieved by such a virus.
The video lasts about 16 minutes: it gives a nice overview of the voting system and shows the complete life-cycle of the virus (click on the video to play it). If you are in a hurry, I recommend to start watching around minute 12:26 to see that votes can be changed on a VVPAT-enabled DRE machine and that seals can be bypassed without being detected.
You can download the video from here. More information is available on the Computer Security Group's voting page.
Update: the group's site has been slashdotted... The video can be found on youtube (part I, part II)
Unfettered access?
August 20, 2008
This was not a security risk evaluation but an unrealistic worst case scenario evaluation [...] performed in a laboratory environment by computer security experts with unfettered access to the machines and software over several weeks. This is not a real-world scenario [...]
Security reviews of the Hart system as tested in California, Colorado, and Ohio were conducted by people who were given unfettered access to code, equipment, tools and time [...]
The "unfettered access" claim has been a standard response from electronic machine vendors to the reports of serious security flaws in their equipment, as identified by recent evaluations, such as the California's Top-To-Bottom Review and the Ohio's EVEREST project.
This claim, essentially, postulates two theories:
- Vulnerabilities can be discovered only if analysts have extended access to the voting equipment under study.
- Attackers don't have extended access to voting equipment.
Theory number 1) is very suspicious from a security point of view, in that it builds on two discredited ideas: that "attackers/analysts have limited capabilities" (weak threat model), and that "as long as the system is unknown, it is secure" (security by obscurity). I will not elaborate further on this, since, I think, what follows is more interesting.
Theory number 2) (electronic voting equipment is not available to the general public) has been proven wrong a number of times in the past. There are various ways in which voting equipment can become accessible to non authorized people:
- It may be put up for auction, for example, when counties have surplus.
- It may be lost or displaced.
- It may be stolen.
Here is a list of cases when, for similar or other reasons, voting systems have finished (or might have finished) in the hands of the general public:
- B. Harris, The First Public Look — Ever — into a secret voting system, 2003. Bev Harris discovers a publicly accessible FTP server that hosts the source code repository, binaries, and various documentation for Diebold machines.
- Mysterious touchscreen voting machine found, USA Today, September 9, 2004. Diebold DREs are found abandoned on a street and in a bar in Baltimore.
- Voting machine stolen from polling site, Topeka Capital-Journal, March 1, 2005. A vote tabulator is stolen from a polling site (a school) in Topeka, KS.
- Voting machine stolen from elections judge, Dallas Morning News, March 6, 2006. An iVotronic machine is stolen from the home of a Dallas County elections judge.
- A. Dechert, Smash Diebold, June 2006. OVC buys a Diebold TS Touch Screen voting machine from eBay.
- C. Barr, Officials Probing Possible Theft of Voting Software in Md., Washington Post, October 20, 2006. Three disks containing the source code of Diebold programs is anonymously delivered to a former Maryland legislator.
- A. Feldman, J. Halderman, E. Felten, Security Analysis of the Diebold AccuVote-TS Voting Machine, September 13, 2006. The Princeton team obtains the complete voting machine (software and hardware) from an undisclosed "private party".
- A. Appel, How I bought used voting machines on the Internet, February 2007. Andrew Appel buys 5 Sequoia AVC Advantage machines on the auction site govdeals.com. Total price: $82.
- K. Zetter, Election Software Lost in Transit Found — But More Chips Go Missing, Wired, January 31, 2008. Chips loaded with software that run Diebold optical scanners are lost in California.
- D. Gang, Cast ballots stolen from Thermal site still missing, registrar's office says, Press-Enterprise, February 25, 2008. 119 cast ballots and a used voting cartridge for the Sequoia Edge DRE are stolen from a voting precinct in Riverside County.
- E. Felten, NJ Election Day: Voting Machine Status, June 3, 2008. Ed Felten describes (and photographs) Voting machines left unguarded around Princeton.
- B. Livingston, Voting machine stolen from church, Meridian Star, March 21, 2008. A voting machine is stolen in Lauderdale County, AL.
- eBay, ES&S OPTECH EAGLE IIIP VOTING MACHINE III/3P - COMPLETE, Item number 230277629190, August 2008. ES&S voting machine on sale on eBay.
I'll try to maintain this list accurate and up-to-date, so if you know more cases, please, let me know! Thanks to Joseph Lorenzo Hall for his comments and for contributing many entries to this list. Errors are mine.
Are your votes really counted?
July 21, 2008
Tomorrow, the International Symposium on Software Testing and Analysis (ISSTA) starts in Seattle. It is one of the main venues for research on testing and software analysis.
This year, we have a paper there. It is Are Your Votes Really Counted? Testing the Security of Real-world Electronic Voting Systems and it is joint work with quite a few people in the Computer Security Lab (Davide Balzarotti, Greg Banks, myself, Viktoria Felmetsger, Richard Kemmerer, William Robertson, Fredrik Valeur, and Giovanni Vigna). The paper is the result of our experience with the California Top-To-Bottom Review of electronic voting machines and the similar EVEREST project in Ohio. We describe the methodology we used to perform red-team testing of two real-world electronic voting systems (one produced by Sequoia, the other by ES&S), the tools and techniques we developed, some of the vulnerabilities we identified (spoiler: we designed and implemented malicious code capable of spreading from machine to machine in both cases), and the lessons we learned in the process.
Here is the abstract:
Electronic voting systems play a critical role in today's democratic societies, as they are responsible for recording and counting the citizens' votes. Unfortunately, there is an alarming number of reports describing the malfunctioning of these systems, suggesting that their quality is not up to the task. Recently, there has been a focus on the security testing of voting systems to determine if they can be compromised in order to control the results of an election. We have participated in two large-scale projects, sponsored by the Secretaries of State of California and Ohio, whose respective goals were to perform the security testing of the electronic voting systems used in those two states. The testing process identified major flaws in all the systems analyzed, and resulted in substantial changes in the voting procedures of both states. In this paper, we describe the testing methodology that we used in testing two real-world electronic voting systems, the findings of our analysis, and the lessons we learned.
If you are attending the conference, see you in Seattle!
