
Voting Machine Attacks Proven To Be Practical

Posted by kdawson
from the back-up-the-dumpster dept.
An anonymous reader writes "Every time a bunch of academics show vulnerabilities in electronic voting machines, critics complain that the attacks aren't realistic, that attackers won't have access to source code, or design documents, or be able to manipulate the hardware, etc. So this time a bunch of computer scientists from UCSD, Michigan, and Princeton offered a rebuttal. They completely own the AVC Advantage using no access to source code or design documents (PDF), and deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine. Moreover, they came up with some cool tricks to do this on a machine protected against traditional code injection attacks (the AVC processor will only execute instructions from ROM). The research was presented at this week's USENIX EVT."
  • Old News (Score:5, Informative)

    by megamerican (1073936) on Tuesday August 11, 2009 @02:22PM (#29026803)
    Or people can listen to a whistleblower [wikipedia.org] who programmed voting machines that easily allowed fraud [youtube.com] without a trace.
  • .PDF text (Score:3, Informative)

    by guido1 (108876) on Tuesday August 11, 2009 @02:23PM (#29026807)

    Copy/paste, some formatting, no tables. Extra carriage returns (sorry)... "Implementing the gadgets" section stripped off...

    Abstract

    A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s. The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, we demonstrate that an attacker can induce the AVC Advantage to misbehave in arbitrary ways--including changing the outcome of an election--by means of a memory cartridge containing a specially-formatted payload. Our attack makes essential use of a recently-invented exploitation technique called return-oriented programming, adapted here to the Z80 processor. In return-oriented programming, short snippets of benign code already present in the system are combined to yield malicious behavior. Our results demonstrate the relevance of recent ideas from systems security to voting machine research, and vice versa. We had no access either to source code or documentation beyond that available on Sequoia's web site. We have created a complete vote-stealing demonstration exploit and verified that it works correctly on the actual hardware.

    1 Introduction

    A secure voting machine design must withstand not only the attacks known when it is created but also those invented through the design's service lifetime. Because the development, certification, and procurement cycle for voting machines is unusually slow, the service lifetime can be twenty or thirty years. It is unrealistic to hope that any design, however good, will remain secure for so long.¹

    In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage. The hardware design of the AVC Advantage dates back to the early 80s; recent variants, whose hardware differs mainly in featuring a daughterboard enabling audio voting for the blind [3], are still used in New Jersey, Louisiana, and elsewhere. We study the 5.00D version (which does not include the daughterboard) in machines decommissioned by Buncombe County, North Carolina, and purchased by Andrew Appel through a government auction site [2].

    [Figure caption: The AVC Advantage voting machine we studied.]

    The AVC Advantage appears, in some respects, to offer better security features than many of the other direct-recording electronic (DRE) voting machines that have been studied in recent years. The hardware and software were custom-designed and are specialized for use in a DRE. The entire machine firmware (for version 5.00D) fits on three 64kB EPROMs. The interface to voters lacks the touchscreen and memory card reader common in more recent designs. The software appears to contain fewer memory errors, such as buffer overflows, than some competing systems. Most interestingly, the AVC Advantage motherboard contains circuitry disallowing instruction fetches from RAM, making the AVC Advantage a true Harvard-architecture machine.²

    Nevertheless, we demonstrate that the AVC Advantage can be induced to undertake arbitrary, attacker-chosen behavior by means of a memory cartridge containing a specially-formatted payload. An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes, or changes votes as the attacker wishes. Unlike those attacks described in the (contemporaneous, independent) study by Appel et al. [3, 4] that allow arbitrary computation to be induced, our attack

  • Re:Not a Bug (Score:3, Informative)

    by Shakrai (717556) on Tuesday August 11, 2009 @02:41PM (#29027123) Journal

    The only problem with this is that you aren't going to get a few "private minutes" with the machine and that any competent election authority is going to seal the machine with tamper-evident seals.

    I've worked as an elections inspector (poll worker) in the state of New York for the last five years. Every aspect of the machine (both the old style lever machines and the new optical scanning machines) that could be tampered with is sealed with numbered tamper-evident devices. If the numbers on the seals don't match up with the records retained by the Board of Elections then you know the machine has been tampered with. This isn't rocket science, people.

    Our new machines go even further than that. They both retain the actual ballots themselves in a locked ballot box and retain a scanned image of those ballots on a memory card. The memory card is removed from the machine at the end of the election and hand delivered to the Board of Elections. It is designed to serve as a backup in the event that the machine is destroyed (i.e., building burns down) and the ballots are lost. The ballots themselves are only scanned by the machine and not marked in any way. In the event of an issue with the machine there is nothing stopping you from counting each ballot by hand with the Mark I human eyeball.

    If you can find a way to rig an election in the State of New York then I'd be real interested in knowing about it. I've worked behind the scenes here for a long time and I haven't seen any vulnerabilities in the system. The only voting technology that I'd be concerned about is DRE (direct electronic record) -- but thankfully my state wasn't stupid enough to go that route.

  • Re:.PDF text (Score:4, Informative)

    by Anonymous Coward on Tuesday August 11, 2009 @03:07PM (#29027641)

    Here it is without the IDIOTIC carriage returns. Yes, you are an IDIOT, guido-cock.

    Abstract
    A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s. The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, we demonstrate that an attacker can induce the AVC Advantage to misbehave in arbitrary ways--including changing the outcome of an election--by means of a memory cartridge containing a specially-formatted payload. Our attack makes essential use of a recently-invented exploitation technique called return-oriented programming, adapted here to the Z80 processor. In return-oriented programming, short snippets of benign code already present in the system are combined to yield malicious behavior. Our results demonstrate the relevance of recent ideas from systems security to voting machine research, and vice versa. We had no access either to source code or documentation beyond that available on Sequoia's web site. We have created a complete vote-stealing demonstration exploit and verified that it works correctly on the actual hardware.

    1 Introduction
    A secure voting machine design must withstand not only the attacks known when it is created but also those invented through the design's service lifetime. Because the development, certification, and procurement cycle for voting machines is unusually slow, the service lifetime can be twenty or thirty years. It is unrealistic to hope that any design, however good, will remain secure for so long.¹ In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage. The hardware design of the AVC Advantage dates back to the early 80s; recent variants, whose hardware differs mainly in featuring a daughterboard enabling audio voting for the blind [3], are still used in New Jersey, Louisiana, and elsewhere. We study the 5.00D version (which does not include the daughterboard) in machines decommissioned by Buncombe County, North Carolina, and purchased by Andrew Appel through a government auction site [2].

    [Figure caption: The AVC Advantage voting machine we studied.]

    The AVC Advantage appears, in some respects, to offer better security features than many of the other direct-recording electronic (DRE) voting machines that have been studied in recent years. The hardware and software were custom-designed and are specialized for use in a DRE. The entire machine firmware (for version 5.00D) fits on three 64kB EPROMs. The interface to voters lacks the touchscreen and memory card reader common in more recent designs. The software appears to contain fewer memory errors, such as buffer overflows, than some competing systems. Most interestingly, the AVC Advantage motherboard contains circuitry disallowing instruction fetches from RAM, making the AVC Advantage a true Harvard-architecture machine.² Nevertheless, we demonstrate that the AVC Advantage can be induced to undertake arbitrary, attacker-chosen behavior by means of a memory cartridge containing a specially-formatted payload. An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes, or changes votes as the attacker wishes. Unlike those attacks described in the (contemporaneous, independent) study by Appel et al. [3, 4] that allow arbitrary computation to be induced, our attack does not require replacing the system ROMs or processor and does not rely on the presence of the daughterboard added in later revisions. Our attack makes essential use of return-oriented programming
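The abstract and introduction reposted above make one systems-security point: a machine that never executes instructions from RAM can still be driven into attacker-chosen behaviour if data it trusts (here, a cartridge) steers control flow through snippets that are already in ROM. The Python below is an added example, not code from the paper, from Sequoia, or from anyone in this thread. It models a toy Harvard-style machine with an invented instruction set: fetches are honoured only from ROM, every ROM snippet is "legitimate firmware", and the cartridge supplies nothing but data words. A cartridge that merely lists return addresses of existing snippets changes a stored tally; the same toy then shows a shadow stack (a control-flow integrity check that is this example's addition, not a feature the paper attributes to the AVC Advantage) rejecting the chain at its first return. The ROM layout, the tally address, and the assumption that the firmware copies cartridge words onto its own stack are all constructed for the illustration and say nothing about the paper's actual entry point.

```python
# Added example, not code from the paper or from Sequoia: a toy Harvard-style
# machine.  Instruction fetches are honoured only from ROM, yet control flow
# is steered by a stack in writable RAM that cartridge data reaches.

ROM_SIZE = 0x1000            # addresses below this are ROM; everything above is RAM
TALLY_ADDR = 0x8000          # RAM word holding a constructed vote tally


class FetchFromRAM(Exception):
    """The hardware refuses to execute an instruction that lives in RAM."""


class ControlFlowViolation(Exception):
    """A RET's target was not the address pushed by the matching CALL."""


# ROM image: address -> instruction.  Every snippet here is "legitimate
# firmware"; the hostile cartridge adds no code, it only reuses these.
ROM = {
    0x0000: ("CALL", 0x0100),    # boot: run the cartridge-handling routine
    0x0001: ("HALT",),
    0x0100: ("COPYCART",),       # assumption: firmware copies cartridge words onto the stack
    0x0101: ("RET",),
    # Snippets ("gadgets") that happen to end in RET:
    0x0200: ("POP", "hl"), 0x0201: ("RET",),   # hl <- next stack word
    0x0210: ("POP", "b"),  0x0211: ("RET",),   # b  <- next stack word
    0x0220: ("LOAD",),     0x0221: ("RET",),   # a  <- RAM[hl]
    0x0230: ("ADD",),      0x0231: ("RET",),   # a  <- (a + b) mod 2^16
    0x0240: ("STORE",),    0x0241: ("RET",),   # RAM[hl] <- a
    0x0250: ("HALT",),
}

BENIGN_CARTRIDGE = []        # nothing to do: the tally is left alone

# Data only: addresses of existing ROM snippets interleaved with the words
# they pop.  Effect: a <- RAM[TALLY_ADDR]; a <- a + 50; RAM[TALLY_ADDR] <- a; halt.
ROP_CARTRIDGE = [0x0200, TALLY_ADDR, 0x0220, 0x0210, 50, 0x0230, 0x0240, 0x0250]


def run(cartridge, shadow_stack=False, ram_code=None):
    """Boot the ROM with the given cartridge words and return the final tally.

    cartridge    -- data words the firmware copies to the stack (cartridge[0] ends on top)
    shadow_stack -- enable the mitigation: every RET must match the CALL that pushed it
    ram_code     -- optional instruction placed in RAM and jumped to, to show the Harvard rule
    """
    ram = {TALLY_ADDR: 100}                  # constructed starting tally
    stack, shadow = [], []
    reg = {"a": 0, "b": 0, "hl": 0}
    pc = 0
    if ram_code is not None:
        ram[0x9000] = ram_code
        pc = 0x9000
    for _ in range(1000):                    # step limit guards against runaway chains
        if pc >= ROM_SIZE:
            raise FetchFromRAM(f"refused instruction fetch from RAM address {pc:#06x}")
        op, *args = ROM[pc]
        pc += 1
        if op == "HALT":
            return ram[TALLY_ADDR]
        if op == "CALL":
            stack.append(pc)
            shadow.append(pc)
            pc = args[0]
        elif op == "RET":
            pc = stack.pop()
            if shadow_stack and (not shadow or shadow.pop() != pc):
                raise ControlFlowViolation(f"RET to {pc:#06x} was never pushed by a CALL")
        elif op == "COPYCART":
            stack.extend(reversed(cartridge))
        elif op == "POP":
            reg[args[0]] = stack.pop()
        elif op == "LOAD":
            reg["a"] = ram.get(reg["hl"], 0)
        elif op == "ADD":
            reg["a"] = (reg["a"] + reg["b"]) & 0xFFFF
        elif op == "STORE":
            ram[reg["hl"]] = reg["a"]
    raise RuntimeError("step limit exceeded")


def harvard_rule_holds():
    """True if jumping to an instruction stored in RAM is refused."""
    try:
        run(BENIGN_CARTRIDGE, ram_code=("HALT",))
    except FetchFromRAM:
        return True
    return False


def shadow_stack_blocks_chain():
    """True if the shadow stack stops the ROP cartridge before any gadget runs."""
    try:
        run(ROP_CARTRIDGE, shadow_stack=True)
    except ControlFlowViolation:
        return True
    return False


if __name__ == "__main__":
    print("benign cartridge, tally:", run(BENIGN_CARTRIDGE))            # 100
    print("instruction in RAM refused:", harvard_rule_holds())           # True
    print("ROP cartridge, tally:", run(ROP_CARTRIDGE))                   # 150
    print("shadow stack rejects chain:", shadow_stack_blocks_chain())    # True
```

Run the file directly to see the four outcomes. The lesson for a defender is the one the abstract states: a no-execute-from-RAM rule constrains where instructions live, not where control goes, so the data that steers control flow (the stack, and anything copied into it from removable media) needs an integrity check of its own; the shadow stack is one such check, and validating cartridge contents before they are used is another.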

  • Re:Not a Bug (Score:5, Informative)

    by Anonymous Coward on Tuesday August 11, 2009 @03:09PM (#29027665)

    From TFA:

    "The attacker does not need to remove any tamper-evident seals; in particular, he does not need to remove the circuit-board cover."

    (CAPTCHA: counted)

  • Re:Still not fair. (Score:4, Informative)

    by fuzzyfuzzyfungus (1223518) on Tuesday August 11, 2009 @03:30PM (#29028077) Journal
    I make no claim, one way or the other, about the presence or absence of American electoral fraud; but your point doesn't really follow. Fraud isn't a binary condition (well, in the strictest sense it is; but in a practical sense it isn't). A perfect fraudster could dictate the outcome of every vote cast, without outcry. A wholly impotent fraudster could dictate the outcome of zero votes cast. Actual frauds are somewhere in the middle. If, say, you can manage a 5% nudge without drawing excessive attention, your party will win more than it deserves (probably substantially so, given the fairly low margins by which elections are often won); but a really bad electoral cycle would be beyond your power to change.

    The absence of perfect fraud does not indicate the absence of fraud.
  • Re:Not a Bug (Score:3, Informative)

    by Shakrai (717556) on Tuesday August 11, 2009 @03:44PM (#29028377) Journal

    Surely that depends on the standards of voting privacy in your district, like whether you get a three-sided screen block or a complete booth with ceiling-to-floor curtains.

    The voting booth is separate from the machine. The "voting booth" itself is nothing more than a plastic stand with a privacy screen and a supply of felt-tipped markers. The machine itself is in plain view of the election inspectors and everybody else who happens to be in the polling place. Trust me, you aren't going to be able to tamper with it without being caught during the election. After the election is another matter but that's why they have the backup memory card and myriad of seals on the machine.

    And an election can be thwarted by leaving evidence of tampering in a district you want to disenfranchise.

    If tampering is evident then the voting machine is going to receive closer scrutiny. The votes aren't automatically going to be discarded. If the "tampering" consists of removing the seals around the memory interface but not the ballot box and the number of ballots therein equals the number of signatures in the poll book then they are simply going to hand count the ballots (or scan them in a different machine). If the tampering consists of removing the seals around the ballot box then they will fall back on the aforementioned memory card that was removed after the election and returned to the Elections Board.

    It's really not as easy to rig an election as people around here seem to think it is. I would encourage everybody who cares about this issue to volunteer to be a poll worker. The Election Boards are always looking for help and you'll get a chance to see the system from the inside. All it's going to cost you is a vacation day or two and some time. In some states you even get paid for doing it.

  • by ehack (115197) on Tuesday August 11, 2009 @04:23PM (#29029195) Journal

    Looks like return-oriented programming is a nice way to own various pieces of locked down hardware, e.g., region-coded DVD drives, carrier-locked phones etc.

  • Re:Not a Bug (Score:3, Informative)

    by Chris Mattern (191822) on Tuesday August 11, 2009 @04:34PM (#29029389)

    The "voting booth" itself is nothing more than a plastic stand with a privacy screen and a supply of felt-tipped markers.

    Or, in a lot of cases (including my own state, incidentally), an enclosed booth where you are alone with a touch-screen terminal directly connected to the voting machine. Because felt-tipped markers are, y'know, *old-fashioned*.

  • by davidwr (791652) on Tuesday August 11, 2009 @05:52PM (#29030485) Homepage Journal

    Here's a system I can trust:

    User uses a machine to prepare a printed ballot. In addition to printing the ballot the machine records a running tally. Of course, both are subject to fraud.

    The user inspects the printed ballot. If the printed ballot is bogus it is invalidated and the user votes again. If the user is blind he has a trusted friend or a machine read the ballot back to him. If he uses a machine, it will be a machine developed independently from the ballot-printing machine. There is an opportunity for fraud by the friend or the ballot-readback machine but the odds of a successful collusion with the ballot-preparing machine are greatly reduced.

    The user deposits the printed ballot in a ballot box just as he would a hand-filled-in ballot. In fact, some voters may choose to use a hand-filled-in ballot, although those voting in languages other than English or heavy-minority languages may be forced to use the ballot-marking machine, as might those who cannot see and who do not have someone with them.

    The numbers collected by the ballot-preparation machine are unofficial and incomplete. They may have utility for spotting statistical anomalies in the official result, which of course would generate a recount.

    The printed ballots are then counted, either locally or at a central location, by two machines, each developed independently and used by different teams of counters. If the results vary by enough to sway any race, a third count, probably by hand, will be done.

    There, that's a system that
    * I can trust, provided I can trust the people conducting the election**
    * A system that has machine voting, or should I say, machine-assisted voting

    **yeah yeah I know, "trust the people conducting the election" is probably impossible, but I can dream, can't I?

    --
    Advantages of such a system over manual-fill-in bubble-sheets:
    * Arbitrary numbers of languages can be supported easily without wasting paper
    * Arbitrary number of different elections can be held at the same location without wasting paper

    Disadvantages:
    * Cost
    * Complexity
    * Requires more poll watchers
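davidwr's procedure ends with two independently developed machines counting the same printed ballots and a third count, probably by hand, when they differ by enough to sway a race; the unofficial running tally from the ballot-marking machines is kept only to spot statistical anomalies. The Python below is an added example (not davidwr's code and not any election office's) that implements those two decisions over constructed results: it escalates a race to a hand count under one explicit rule, assumed here rather than stated in the post (the two counts name different winners, or the number of disputed votes is at least the smaller winning margin), and it flags races whose official vote shares depart from the unofficial tally's shares by more than a chosen tolerance. All candidate names, vote totals and thresholds are constructed.

```python
# Added example, not code from the post or from any election authority:
# reconciling two independent machine counts of the same printed ballots,
# race by race, and comparing the official result with an unofficial tally.
from typing import Dict, List, Tuple

Count = Dict[str, int]             # candidate -> votes, for one race
Results = Dict[str, Count]         # race -> Count

# Constructed per-race results from two independently developed counting machines.
MACHINE_A: Results = {
    "mayor":     {"Lee": 5210, "Ortiz": 5187},
    "council":   {"Park": 3002, "Diaz": 2211, "Quinn": 901},
    "measure_1": {"yes": 7000, "no": 4100},
}
MACHINE_B: Results = {
    "mayor":     {"Lee": 5201, "Ortiz": 5190},
    "council":   {"Park": 3001, "Diaz": 2213, "Quinn": 900},
    "measure_1": {"yes": 6998, "no": 4103},
}
# Constructed unofficial running tally from the ballot-marking machines: it covers
# only voters who used them, so shares (not raw totals) are the comparable quantity.
UNOFFICIAL: Results = {
    "mayor":     {"Lee": 1300, "Ortiz": 1280},
    "council":   {"Park": 400, "Diaz": 900, "Quinn": 200},
    "measure_1": {"yes": 1800, "no": 1050},
}


def winner_and_margin(count: Count) -> Tuple[str, int]:
    """Leading candidate and the lead over the runner-up (lead over zero if unopposed)."""
    ordered = sorted(count.items(), key=lambda kv: kv[1], reverse=True)
    if len(ordered) == 1:
        return ordered[0][0], ordered[0][1]
    return ordered[0][0], ordered[0][1] - ordered[1][1]


def discrepancy(a: Count, b: Count) -> int:
    """Number of votes on which the two counts disagree, summed over candidates."""
    return sum(abs(a.get(c, 0) - b.get(c, 0)) for c in set(a) | set(b))


def needs_hand_count(a: Count, b: Count) -> bool:
    """Escalation rule (an assumption of this example, not the post's wording):
    different winners, or disputed votes >= the smaller of the two winning margins."""
    win_a, margin_a = winner_and_margin(a)
    win_b, margin_b = winner_and_margin(b)
    return win_a != win_b or discrepancy(a, b) >= min(margin_a, margin_b)


def reconcile(machine_a: Results, machine_b: Results) -> Dict[str, str]:
    """Per-race decision: 'HAND COUNT' where the machines' disagreement could sway
    the race, 'CERTIFY' otherwise.  A race missing from either count is escalated."""
    decisions = {}
    for race in set(machine_a) | set(machine_b):
        if race not in machine_a or race not in machine_b:
            decisions[race] = "HAND COUNT"
        elif needs_hand_count(machine_a[race], machine_b[race]):
            decisions[race] = "HAND COUNT"
        else:
            decisions[race] = "CERTIFY"
    return decisions


def shares(count: Count) -> Dict[str, float]:
    total = sum(count.values())
    return {c: v / total for c, v in count.items()} if total else {}


def anomalous_races(official: Results, unofficial: Results, tolerance: float = 0.05) -> List[str]:
    """Races where any candidate's official vote share differs from the unofficial
    tally's share by more than `tolerance`; the post's trigger for a recount."""
    flagged = []
    for race, off in official.items():
        un = unofficial.get(race)
        if not un:
            continue                          # no unofficial data for this race
        s_off, s_un = shares(off), shares(un)
        if any(abs(s_off.get(c, 0.0) - s_un.get(c, 0.0)) > tolerance
               for c in set(s_off) | set(s_un)):
            flagged.append(race)
    return sorted(flagged)


if __name__ == "__main__":
    for race, decision in sorted(reconcile(MACHINE_A, MACHINE_B).items()):
        print(f"{race:10s} {decision}")
    print("anomalous vs unofficial tally:", anomalous_races(MACHINE_A, UNOFFICIAL))
```

In the constructed data the mayoral race is escalated (the machines disagree on 12 ballots and machine B's margin is only 11), the other two races certify, and the council race is flagged because its official shares are far from the unofficial tally's, even though the two machines agree on it. That separation is the design point of the post: the machine-to-machine comparison catches counting errors, while the unofficial tally catches a result that is internally consistent but implausible.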
