Tuesday, September 9, 2008

Newly released video shows how easily electronic voting machines can be hacked, pried open


John Byrne
Published: Tuesday September 9, 2008

Test of company's software recently double-counted thousands of votes

A newly released video depicts an eerie scenario in which voting machines produce an XXXXXX result for the ballot position of US senator after a vote is placed and then replace the XXXXXX with an individual's name.

Though it appears to be part of an eerie low-budget sci-fi thriller, the producers weren't B-movie conspiracy theorists. Instead, they were students from the University of Santa Barbara's Security Group, participating in a project commissioned by the California Secretary of State.

Why the video was posted now despite the fact that the project took place last year remains unknown. It may have its roots in a legal threat issued by the voting machines' manufacturer in March. In a sharply worded letter to a Princeton research team that had audited their machines before, Edwin Smith, the VP for "Compliance/Quality/Certification," said that the publication of any security audit of "Sequoia software [or] its behavior" would force the company to "take appropriate steps" through its "retained counsel."

In the film, included below, students demonstrate uploading a virus-like program to a voting terminal by inserting a data card and pressing a key. They then proceed through the voting process -- selecting candidates and approving ballot issues. Following their votes, the machine spits out a paper receipt.

The receipt correctly displays the student's choices. But a moment later, it spits out a second receipt, topped "VOID," which has replaced the student's senatorial selection with XXXXXX. The following receipt replaces XXXXXX with James P. 'Jim' Gray.

The student project also reveals the system's vulnerability to hacking the machines' internal workings. One student is able to slip one of the virus-implanting cards into a theoretically "sealed" machine simply by peeling back the flap.

Sealed machines opened up in seconds

A physically sealed machine is opened and hacked in just 18 seconds.

A second machine is unscrewed in less than a minute.

A piece of sheet metal holding on the door is removed in several minutes with a simple Phillips head screwdriver.

It's possible the letter from Sequoia's Smith has succeeded in keeping some audits of the company's software off the national radar. In his letter to the Princeton professors who'd planned an audit of the company's voting machines, the firm all but threatens a lawsuit.

"As you have likely read in the news media, certain New Jersey election officials have stated that they plan to send to you one or more Sequoia Advantage voting machines for analysis," Smith writes. "I want to make you aware that if the County does so, it violates their established Sequoia licensing Agreement for use of the voting system. Sequoia has also retained counsel to stop any infringement of our intellectual properties, including any non-compliant analysis. We will also take appropriate steps to protect against any publication of Sequoia software, its behavior, reports regarding same or any other infringement of our intellectual property."

Sequoia reemerged in the news late last month after votes were double counted during a test in Florida. Yesterday, the company blamed the glitch on "operator error."

"Procedures by the poll workers and the Supervisor's office staff proved to be good," Sequoia asserted. "The hardware and software performed as it should. The accuracy will be confirmed at a later date. The reason that the vote totals doubled in these 40 precincts was due to an inadvertent operator error."

The California students' video was picked up Tuesday by the blog BoingBoing.

Electronic voting systems have been introduced to improve the voting process. Since their inception, they have been controversial, because both the technologists and the general public realized that they were losing direct control over an important part of the voting process: counting the votes.

A quote attributed to Stalin says: "Those who cast the votes decide nothing. Those who count the votes decide everything." It is clear that voting systems represent a critical component of a democracy. Although the consequences of a malfunctioning electronic voting system are not as readily apparent as those for air traffic control or nuclear power plant control systems, they are just as important, because the well-being of a society depends on them.

While most critical systems are continuously scrutinized and evaluated for safety and correctness, electronic voting systems are not subject to the same level of scrutiny. A number of recent studies have shown that most (if not all) of the electronic voting systems being used today are fatally flawed, and that their quality does not match the importance of the task that they are supposed to carry out.

In the Summer of 2007, the Security Group of UCSB participated in the Top-To-Bottom Review (TTBR) of the electronic voting systems used in California. This was a first-of-its-kind review, where the evaluators had unprecedented access to the systems' source code, hardware, and associated documentation.

The Report

Our team focused on the security analysis of the Sequoia voting system. Our public report can be found here (a local copy can be found here). We found a number of major flaws that can be exploited to compromise the integrity, confidentiality, and availability of the voting process.

In particular, we developed virus-like software that can spread across the voting system, modifying the firmware of the voting machines. The modified firmware is able to steal votes even in the presence of a Voter-Verified Paper Audit Trail (VVPAT).

The Paper

We wrote a paper that describes our methodology and our findings:

Are Your Votes Really Counted? Testing the Security of Real-world Electronic Voting Systems, D. Balzarotti, G. Banks, M. Cova, V. Felmetsger, R. Kemmerer, W. Robertson, F. Valeur, and G. Vigna, in Proceedings of the International Symposium on Software Testing and Analysis, Seattle, WA, July 2008. [PDF]

The Movie

We also prepared a movie that shows how the virus-like attack would be carried out, and exemplifies the different scenarios that our malicious firmware would exploit.

The video shows how one can use a simple USB key to infect the laptop used to prepare the cards that initialize the various voting devices. As a result, the cards are loaded with a malicious software component.

When a card is inserted in a voting terminal, the malicious software exploits a vulnerability in the terminal loading procedure and installs modified firmware, effectively "brainwashing" the terminal.

Later, when the terminal is used by the voters to cast their votes, the firmware uses a number of different techniques to modify the contents of the ballots being cast.

The movie also shows that the physical security measures being used to limit access to essential parts of the voting systems are ineffective.

The movie cannot be downloaded from this page anymore, because after we were featured on Slashdot the Department web server maxed out.

However, somebody uploaded the video to YouTube.

Part 1

Part 2
