Taking Total Control of Voting Systems: Firmware Manipulations on an Optical Scan Voting Terminal...

Taking Total Control of Voting Systems: Firmware Manipulations on an Optical Scan Voting Terminal Nicolas Nicolaou Voting Technology Research (VoTeR) Center Department of Computer Science and Engineering University of Connecticut http://voter.engr.uconn.edu 24th Annual ACM Symposium on Applied Computing SAC 2009, Honolulu, Hawaii Joint work with: Seda Davtyan, Sotiris Kentros, Aggelos Kiayias, Laurent Michel, Alexander Russell, Narasimha Shashidhar, Andrew See and Alexander A. Shvartsman

Page 1

Taking Total Control of Voting Systems: Firmware Manipulations on an Optical Scan Voting Terminal

Nicolas Nicolaou

Voting Technology Research (VoTeR) Center
Department of Computer Science and Engineering
University of Connecticut
http://voter.engr.uconn.edu

24th Annual ACM Symposium on Applied Computing
SAC 2009, Honolulu, Hawaii

Joint work with: Seda Davtyan, Sotiris Kentros, Aggelos Kiayias, Laurent Michel, Alexander Russell, Narasimha Shashidhar, Andrew See and Alexander A. Shvartsman

Page 2

Motivation

Electronic Voting Technologies
- Direct Recording Electronic (DRE): touch screen with or without printer, not directly voter-verifiable
- Optical Scan (OS) tabulator
  - VVPAT – Voter Verifiable Paper Audit Trail
  - Used in over 50% of counties in 2008

Case Study, Premier AccuVote-OS (AVOS): wide use in US elections, but…
- Can be tampered with if memory card is removed [Hursti’05]
- Can be tampered with if memory card is sealed in [EVT’07]
- Reports by other workers and CA, CT, FL, AL,…
- Safe-use procedures can be followed, but all under the assumption that firmware is trusted

Page 3

Question

Can the Firmware of Voting Machines be Trusted?

In particular: Can the Firmware of AccuVote tabulator be Trusted?

Work performed by the UConn VoTeR Center on request of the Connecticut Secretary of the State as a part of the overall effort to evaluate voting equipment, and to enable and perform effective technological audits, pre- and post-election.

Page 4

Our Findings

- Firmware of AVOS can be analyzed
  - Without access to vendor specifications or source code
  - Using off-the-shelf third party tools (<$300)
  - Under the contractual right to “display or disseminate all information and data related to election results”
- Three firmware manipulations targeting:
  - Enabling Effective Auditing: Faithful and fast memory dumping
  - Audit Improvement (also potential Privacy Violation): “Leak” Ballot Contents
  - Revealing Weaknesses: Alteration of Election Result, Swapping candidate counters

Page 5

Understanding the System

- Election Management System (GEMS):
  - Ballot Design and Central Tabulation
  - Serial port communication with AVOS
    - Transferred data stored on the AVOS memory card
- AVOS Terminal:
  - Hardware Components
  - Software Components
    - Firmware
    - Memory Card Contents

Page 6

Hardware

- External
  - LCD
  - Dot Matrix Printer
  - Ballot Reader
  - Input Buttons
  - 128K 40 Pin Epson Memory Card
- Internal
  - 8 MHz MicroController
    - Emulates an Intel 80186
  - 128K SRAM
  - 128K Firmware EPROM

Page 7

Software

- Firmware
  - Version 1.96.6
  - Stored in a UV light erasable 128K EPROM
  - Responsible for all the functions of the terminal
  - Unencrypted / Unauthenticated: the terminal will boot modified firmware without a single warning
- Memory Card contents
  - Programmed through GEMS
  - Election-specific programming
    - Election Data and Control Flags depending on the Elections

Page 8

Understanding Memory Card Format

- Crucial for Auditing purposes
- Memory Card can be divided in 5 major sections:
  - Header
  - Log
  - Election Data
  - Bytecode (AccuBasic)
  - Counters

Page 9

Gaining Access: Serial Port

- Control over the transmission
  - One way communication from terminal via a serial line
- Identified AVOS communication Methodology
  - Place byte to be sent in a buffer
  - Unmask the serial transmission interrupt to place the byte from the buffer on the wire.

Page 10

Manipulation 1: AVOS as a Card Reader

- Goal: Transmit MC data from AVOS to PC
  - Improve Auditing
  - Obtain clean and faithful image of the card contents
  - Enable auditing of large number of cards
- Motivation
  - AVOS built-in dumping procedure
    - Unfaithful transmission of the contents
    - Potential modification of the audit log
    - Too slow for mass auditing (~2min per card)
  - Card Reader/Writer are very hard to find and are slow
    - This type of memory cards discontinued ca. 1998
    - Even if available, the commercial reader can take 1/2 hour

Page 11

Manipulation 1: AVOS as a Card Reader

- Delivery of Memory Card Data:
  - Inject a function to read the memory card contents
    - Utilizing Memory Card access control
  - Transmit one byte at a time to the serial line
    - Utilizing Serial Port access control
- Speeding Up Card Dumping:
  - Implemented standard Run Length Encoding algorithm
    - Large part of card data contains sequences of identical values
  - Reduced card dumping from 2min to 20sec
  - Enabled the dump and inspection of large number of cards
  - Avoid alteration of card contents, e.g., audit log
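The run-length step described on this slide, as an added example that is not the VoTeR Center's code: the (count, value) byte-pair wire format is an assumption, since the slides say only "standard" RLE, and the sample card image is constructed. The decoder refuses any stream that does not expand to exactly one 128K card, which is what makes the received image usable as a faithful audit copy.

```python
import hashlib

CARD_SIZE = 128 * 1024  # 128K memory card, per the hardware slide


def rle_encode(data: bytes) -> bytes:
    """Terminal side: emit (count, value) byte pairs, count in 1..255 (assumed format)."""
    out = bytearray()
    i = 0
    while i < len(data):
        run = 1
        while run < 255 and i + run < len(data) and data[i + run] == data[i]:
            run += 1
        out += bytes((run, data[i]))
        i += run
    return bytes(out)


def rle_decode(stream: bytes, expected_size: int = CARD_SIZE) -> bytes:
    """PC side: rebuild the image, rejecting anything that is not a full card."""
    if len(stream) % 2:
        raise ValueError("truncated stream: dangling count byte")
    out = bytearray()
    for i in range(0, len(stream), 2):
        count, value = stream[i], stream[i + 1]
        if count == 0:
            raise ValueError(f"zero-length run at offset {i}")
        out += bytes([value]) * count
        if len(out) > expected_size:
            raise ValueError("decoded image exceeds card size")
    if len(out) != expected_size:
        raise ValueError(f"short image: {len(out)} of {expected_size} bytes")
    return bytes(out)


def image_digest(image: bytes) -> str:
    """SHA-256 of the decoded image, recorded so the stored copy can be re-checked."""
    return hashlib.sha256(image).hexdigest()


def make_sample_card() -> bytes:
    """Constructed card image: a varied 64-byte prefix, then long constant runs."""
    prefix = bytes(range(64))
    body = b"\x00" * 70000 + b"\xff" * 1000
    return prefix + body + b"\x00" * (CARD_SIZE - len(prefix) - len(body))
```
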


Page 12

Manipulation 2: Leaking Ballot Data

- Dual Significance of the Result:
  - Benign alteration of firmware: Enhance Hand Count Audit
  - Potential malicious alteration: Violation of Voter Privacy
- Implementation
  - AVOS side:
    - Transmit the candidate counters after each ballot cast
  - PC side:
    - Wait for incoming counters
    - Upon receipt of counters compute the difference of current counter image and the locally stored counter image
    - Counter difference reveals the ballot votes

Page 13

Manipulation 2: Leaking Ballot Data

- Used in Hand Count Audit
  - Ballot as read by AVOS presented on the screen
  - Poll worker may verify validity of the ballot
    - Reduces audit time
    - Reduces audit errors
    - Reveals ballot read errors
- Demonstrates Possible Violation of Voter Privacy
  - Using the same technique during the election
  - Extract order of the ballots cast
- Next: Hybrid OS terminal that displays votes as cast
  - Voter could verify their votes as recorded by the machine
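The PC-side counter differencing used for the hand count audit, as an added example that is not the VoTeR Center's code: the race-to-slot layout, the vote-for limits and the counter images are all constructed assumptions. It shows the check a poll worker's display would rely on: each new counter image may differ from the stored one by at most one increment per slot, and anything else is treated as a transmission or read fault rather than a ballot.

```python
# Hypothetical card layout: which counter slots belong to which race, and how
# many marks a valid ballot may carry in that race. Not taken from the slides.
RACES = {
    "Mayor": {"slots": range(0, 3), "vote_for": 1},
    "Council": {"slots": range(3, 7), "vote_for": 2},
}


def ballot_from_counters(prev, curr):
    """Return, per race, the counter slots that increased between two images."""
    if len(prev) != len(curr):
        raise ValueError("counter images differ in length")
    delta = [c - p for p, c in zip(prev, curr)]
    if any(d < 0 or d > 1 for d in delta):
        raise ValueError(f"impossible per-ballot change: {delta}")
    return {name: [i for i in race["slots"] if delta[i]]
            for name, race in RACES.items()}


def review_flags(marks):
    """Conditions the poll worker should check against the paper ballot."""
    flags = []
    for name, slots in marks.items():
        if not slots:
            flags.append(f"{name}: no mark read")
        elif len(slots) > RACES[name]["vote_for"]:
            flags.append(f"{name}: more marks than allowed")
    return flags


def replay(images):
    """Walk successive counter images; return (marks, flags) for each ballot."""
    results = []
    stored = images[0]
    for current in images[1:]:
        marks = ballot_from_counters(stored, current)
        results.append((marks, review_flags(marks)))
        stored = current  # becomes the locally stored counter image
    return results


# Constructed counter images: the initial image, then one per audited ballot.
SAMPLE_IMAGES = [
    [0, 0, 0, 0, 0, 0, 0],
    [0, 1, 0, 1, 0, 0, 1],
    [0, 1, 0, 2, 0, 0, 1],
]
```
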


Page 14

Manipulation 3: Swapping Candidate Counters

- Time Bomb Attack during Election
  - Behave “nicely” during pre-election testing
  - “Hit” during the actual elections
- Implementing vote swapping:
  - Swap votes for predefined candidates
  - If votes < threshold do not swap
    - Also avoids pre-election testing detection
  - Otherwise swap after the elections are closed
- Swap is done at the closing of elections and before the election report is printed.

Page 15

Manipulation 3: Swapping Candidate Counters

Demonstration T=10: Pre-Election Testing

[Figure panels: Original Firmware; Modified Firmware]

Page 16

Manipulation 3: Swapping Candidate Counters

Demonstration T=10: At Poll Closing

[Figure panels: Original Firmware; Modified Firmware]

Page 17

Conclusions and Discussion

- Demonstrated 3 AVOS firmware manipulations
  - Used for: Fast and Faithful Memory Card dumping
  - Potential for: Leaking Ballot Data
  - Potential for: Swapping Candidate Counters
- Our results underscore the need for
  - Pre and Post election audits
  - Incorporation of firmware cryptographic integrity check at the hardware level
- Answer to our question: Firmware of an e-voting terminal is not necessarily trustworthy

Page 18

Thank you!

Questions?
