Forgot your password?
typodupeerror
Security Government Politics

Voting Machine Attacks Proven To Be Practical 225

Posted by kdawson
from the back-up-the-dumpster dept.
An anonymous reader writes "Every time a bunch of academics show vulnerabilities in electronic voting machines, critics complain that the attacks aren't realistic, that attackers won't have access to source code, or design documents, or be able to manipulate the hardware, etc. So this time a bunch of computer scientists from UCSD, Michigan, and Princeton offered a rebuttal. They completely own the AVC Advantage using no access to source code or design documents (PDF), and deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine. Moreover, they came up with some cool tricks to do this on a machine protected against traditional code injection attacks (the AVC processor will only execute instructions from ROM). The research was presented at this week's USENIX EVT."
This discussion has been archived. No new comments can be posted.

Voting Machine Attacks Proven To Be Practical

Comments Filter:
  • by A. B3ttik (1344591) on Tuesday August 11, 2009 @01:59PM (#29026419)

    They completely own the AVC Advantage using no access to source code or design documents

    What do Source Code and Design Documents have to do with purchasing something?

    • by Anonymous Coward on Tuesday August 11, 2009 @02:09PM (#29026565)

      The problem is our elections are supposed to be transparent by law.
      The problem is our elections are supposed to have public oversight.
      The problem is a private company can not provide public oversight.
      The problem is electronic vote tabulation devices use invisible signals which no human (especially a poll watcher) can see.
      The problem is China or North Korea could decide our elections and we wouldn't know.
      The problem is there is no electronic vote tabulation device (or electronic vote registration poll book device) which can be validated with public oversight.
      The problem is without public oversight, no election can be validated.
      The problem is if our elections can not be validated, we can not hold our representatives responsible.
      The problem is if our representatives can not be held responsible, they tend to ignore the rule of law.
      The problem is if our representatives ignore the rule of law, they tend to ignore protecting the US Constitution against all enemies.
      The problem is when the US Constitution is ignored, we no longer live in a Constitutional Republic.
      The problem is when we no longer live in a Constitutional Republic, we slip into fascism.
      The problem is we have slipped into fascism.
      The problem is ignorance is no longer an excuse for corruption.

      • by HTH NE1 (675604)

        The problem is if our representatives can not be held responsible, they tend to ignore the rule of law.

        We've already got that without everything that you listed before.

      • Best quote from the paper:

        The absence of a paper audit trail means that the vote modification will not be detected.

        ... much less corrected.

        You can have a very hackable machine with an immutable, hand-countable, voter-verified paper trail (i.e. printed ballots) and you'll be okay*, assuming multiple mutually-hostile parties are keeping an eye on the paper trail.

        You can have a very difficult to compromise machine without a paper trail and you'll never know with certainty your results are accurate.

        *There may

    • Re: (Score:2, Funny)

      by RobotRunAmok (595286)

      I think -- and I could be wrong -- that "Owning" is like "Pwning," and it means "to dominate," if you're fourteen.

      • by HTH NE1 (675604)

        Owning is done to you; pwning you do to yourself out of your own stupidity. See also FAIL.

      • by Fluffeh (1273756)

        I think -- and I could be wrong -- that "Owning" is like "Pwning," and it means "to dominate," if you're fourteen.

        Actually, chances are a 14 yo would totally understand to own/pwn something where it's much more likely that a 30 year old would have no clue.

  • by MartinSchou (1360093) on Tuesday August 11, 2009 @02:02PM (#29026449)

    What these "intellectuals" and "researchers" have to keep in mind, is that in reality, no one would ever dream of committing election fraud.

    We all live in a utopia, where everyone has equal say, no one would ever coerce others and there's a kitten on every lap. That's why there are no such things as secret ballots. In every voting booth there will be three heavily armed guards who will watch you vote to ensure that you won't be doing anything you shouldn't do.

    Have a cotton candy, drink your beer and turn on the TV. The shiny shiny is on again, you like that. You have always liked that.

    </sarcasm>

    • Re:Still not fair. (Score:5, Insightful)

      by InsaneProcessor (869563) on Tuesday August 11, 2009 @02:08PM (#29026547)
      I work in the computer industry and do not trust any electronic voting system. The more complex a system (any physical system) the more susceptible it is to attack. Give me good old paper ballots any day.
      • There are ways of combining electronic and paper systems so that they are more reliable and more difficult to defraud then either paper or electronic alone. The problem is that no one seems to be willing to sell such a machine.

        • by causality (777677)

          There are ways of combining electronic and paper systems so that they are more reliable and more difficult to defraud then either paper or electronic alone. The problem is that no one seems to be willing to sell such a machine.

          I'm perfectly happy with elections being as low-tech and simple as reasonably possible, i.e. paper. I'll gladly pay the few more cents in taxes every few years that ultra-efficient electronic elections would have saved me. All of this desire to have marginal gain at the expense of substantial risk is one of the worst examples of decision-making.

        • There are ways of combining electronic and paper systems so that they are more reliable and more difficult to defraud then either paper or electronic alone. The problem is that no one seems to be willing to sell such a machine.

          No, the problem is that no one wanting to count the votes would be willing to BUY such a tamperproof machine.

          • Re: (Score:2, Interesting)

            by Anonymous Coward

            The fact that we had one election "stolen" by the R's in 2004 (so say the D's), and the fact that we had the next election "stolen" by the D's in 2008 (so say the R's), should be proof, at least, that there is no ultimate ability to steal on either groups part - otherwise, once you have power, why ever let the other side win?

            It would also imply the following:

            If we have an illegitimate vote in 2004, then it is nonsensical for "them" to not have taken advantage of their power in 2006 and 2008. If that is tru

            • Re:Still not fair. (Score:4, Informative)

              by fuzzyfuzzyfungus (1223518) on Tuesday August 11, 2009 @03:30PM (#29028077) Journal
              I make no claim, one way or the other, about the presence or absence of American electoral fraud; but your point doesn't really follow. Fraud isn't a binary condition(well, in the strictest sense it is; but in a practical sense it isn't). A perfect fraudster could dictate the outcome of every vote cast, without outcry. A wholly impotent fraudster could dictate the outcome of zero votes cast. Actual frauds are somewhere in the middle. If, say, you can manage a 5% nudge without drawing excessive attention, your party will win more than it deserves(probably substantially so, given the fairly low margins by which elections are often won); but a really bad electoral cycle would be beyond your power to change.

              The absence of perfect fraud does not indicate the absence of fraud.
      • by fataugie (89032)

        Riiiight.

        Because no one could stuff a ballotbox, eh?

        Ask Mayor Daily in Chicago how secure they are.

        • by Bigjeff5 (1143585)

          You mean the guy who got caught? Nice example.

          Ballot box stuffing has practical limits that are very, very small compared to electronic vote fraud. I.e. you can only have so many extra ballot boxes before someone gets wise in the counting. When the recording, consolodating, and counting of the votes all happens in a machine(s) that is opaque to observers, the potential for recognizing a problem is much much lower.

          • by Moryath (553296)

            You mean like Minnesota, where Al Franken mysteriously "won" three counties that had more counted votes than registered voters, right?

      • Here's a system I can trust:

        User uses a machine to prepare a printed ballot. In addition to printing the ballot the machine records a running tally. Of course, both are subject to fraud.

        The user inspects the printed ballot. If the printed ballot is bogus it is invalidated and the user votes again. If the user is blind he has a trusted friend or a machine read the ballot back to him. If he uses a machine, it will be a machine developed independently from the ballot-printing machine. There is an opportu

    • by Runaway1956 (1322357) on Tuesday August 11, 2009 @02:58PM (#29027481) Homepage Journal

      There's a kitten on every lap?

      That damned kitten clawed my balls, you insensitive clod!

  • Americans today committed egregious acts of democracy [today.com] to elect the next failed administration and the next failed Congress.

    In a fabulous upset, almost no-one could bring themselves to vote directly for either of the official candidates, instead opting for a write-in vote. Popular write-ins included "the black guy", "the old guy", "McCain from 2000" and "Tina Fey." The seventeen votes for "The Invisible Man" were tallied for Joe Biden. Several tons of Liquid Paper needed to be scraped off voting machines.

    The winning candidate turned out to be Noneof Theabove, 46, of Dogshit, Nebraska. Apart from the Presidency, Mr Theabove won 72% of Congressional seats and all Senate seats up for election this year.

    Mr Theabove's policies include drinking, shouting abuse at the television and inchoate existential despair. "He completely embodies the national mood," said Nate Silver of FiveThirtyEight.com, just before applying for a new job flipping burgers.

    A majority of US soldiers in Afghanistan stated the place was "just fine, really" and they were learning to speak Pashto rather than returning. Canada looked south and snickered, though not very much as they still had Stephen Harper to cope with. The Kingdom of Mexico stated its "regret" today that it has had to close its borders to American refugees.

  • Not a Bug (Score:4, Funny)

    by the_macman (874383) on Tuesday August 11, 2009 @02:07PM (#29026533)

    deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine.

    It's not a bug! It's a feature!

    • Re: (Score:3, Informative)

      by Shakrai (717556)

      The only problem with this is that you aren't going to get a few "private minutes" with the machine and that any competent election authority is going to seal the machine with tamper-evident seals.

      I've worked as an elections inspector (poll worker) in the state of New York for the last five years. Every aspect of the machine (both the old style lever machines and the new optical scanning machines) that could be tampered with is sealed with numbered tamper evident devices. If the numbers on the seals don'

      • Re:Not a Bug (Score:5, Informative)

        by Anonymous Coward on Tuesday August 11, 2009 @03:09PM (#29027665)

        From TFA:

        "The attacker does not need to remove any tamper-evident seals; in particular, he does not need to remove the circuit-board cover."

        (CAPTCHA: counted)

      • Re: (Score:2, Insightful)

        by radtea (464814)

        It is designed to serve as a backup in the event that the machine is destroyed (i.e: building burns down) and the ballots are lost.

        How often has that happened in the history of American elections?

        That is exactly the kind of dramatic detail that puts my fraud-detector on alert. "Look, it's so secure that it's even secure against problems you don't have!" Typical distraction. It makes me wonder what you're hiding.

        As it happens, if you google "ballots lost in fire" you get a bunch of hits on the first page

        • Re:Not a Bug (Score:4, Interesting)

          by Shakrai (717556) on Tuesday August 11, 2009 @03:38PM (#29028231) Journal

          It makes me wonder what you're hiding.

          I have no incentive to hide anything as I'm not an employee of the Elections Board nor an office holder with a stake in the system. I became a poll worker because of the controversy surrounding this issue. I wanted to see for myself how the system worked. I came to it as a skeptic and after learning the procedures and seeing them in action have been convinced that the system is as secure as it can be expected to be.

          How often has that happened in the history of American elections?

          That is exactly the kind of dramatic detail that puts my fraud-detector on alert. "Look, it's so secure that it's even secure against problems you don't have!" Typical distraction.

          So now you are complaining that the system is protected against disasters just because they rarely happen? Would you be happier with a system that left less of a paper trail?

          As it happens, if you google "ballots lost in fire" you get a bunch of hits on the first page about fraud and failure related to electronic voting machines.

          As I said, my experience is limited to the State of New York. In NYS we don't use direct electronic recording machines. You fill out a paper ballot that is then tabulated by an optical scanner. In the event of a disputed election the paper ballot is still around and any idiot can count it with the Mark I human eyeball.

          The only part of our voting process that is "electronic" is the so-called "ballot marking device" that handicapped voters use. This is a machine that prints a paper ballot for those voters who are unable to write and have to rely on another interface (audio, sip and puff, foot pedals, etc.) The printed paper ballot is in the same format as the one that you would fill out as a non-handicapped voter and can be read by any human being.

          Given the complete lack of transparency at all levels of any electronic voting system I am extremely suspicious of all of them

          Evidently that's not all you are suspicious of, since you seem to think that I'm trying to hide something :)

      • Re:Not a Bug (Score:5, Insightful)

        by HTH NE1 (675604) on Tuesday August 11, 2009 @03:12PM (#29027733)

        The only problem with this is that you aren't going to get a few "private minutes" with the machine

        Surely that depends on the standards of voting privacy in your district, like whether you get a three-sided screen block or a complete booth with ceiling-to-floor curtains.

        And an election can be thwarted by leaving evidence of tampering in a district you want to disenfranchise.

        • Re: (Score:3, Informative)

          by Shakrai (717556)

          Surely that depends on the standards of voting privacy in your district, like whether you get a three-sided screen block or a complete booth with ceiling-to-floor curtains.

          The voting booth is separate from the machine. The "voting booth" itself is nothing more than a plastic stand with a privacy screen and a supply of felt-tipped markers. The machine itself is in plain view of the election inspectors and everybody else who happens to be in the polling place. Trust me, you aren't going to be able to tamper with it without being caught during the election. After the election is another matter but that's why they have the backup memory card and myriad of seals on the machine

          • Re: (Score:3, Informative)

            by Chris Mattern (191822)

            The "voting booth" itself is nothing more than a plastic stand with a privacy screen and a supply of felt-tipped markers.

            Or, in a lot of cases (including my own state, incidentally), an enclosed booth where you are alone with a touch-screen terminal directly connected to the voting machine. Because felt-tipped markers are, y'know, *old-fashioned*.

      • by UdoKeir (239957)
        If you can find a way to rig an election in the State of New York then I'd be real interested in knowing about it.

        Put lots of voting machines in the rich, white neighbourhoods, and very few in the poor, black neighbourhoods. That's how they did it, at least, in Ohio in 2004.
      • by amplt1337 (707922)

        If you can find a way to rig an election in the State of New York then I'd be real interested in knowing about it.

        Make the machines. Include a backdoor that allows them to be controlled via radio. Rig the machine so that it doesn't print what it says it's printing.
        Fin

        Sincerely,
        A Fellow NY Voter

        P.S. Running machine candidates with major avenues named after their namesake granddaddies is a pretty sure-fire way to rig the democratic process, too, although it has nothing to do with voting machines.

      • by colinnwn (677715) on Tuesday August 11, 2009 @04:26PM (#29029253)
        I worked as an Elections Clerk. I was the person who hired the Elections Judges (poll workers) and was phone triage on elections day when they didn't know what to do with a voter.

        First, 99.99% of the EJs are good people, but there are also bad seeds. You must guard against the EJ's as much as the voter. We had an EJ voting every day of early voting, until the Alternate Judge discovered what he was doing and reported him to us. We reported him to the County Commissioners and County Prosecutor who declined to prosecute the person for whatever (probably politically motivated) reason.

        With paper ballots, the fraud would be easier to spot statistically. But any EJ that could figure out how to upload a virus to their voting machine, and get it onto the tabulating machine, could possibly edit results in a way that would make it very hard to discover.

        Second, an attacker could possibly find a way to defeat a tamper seal, or could break into the storage facility of the voting machines before election day, or I am sure there are a multitude of other attacks where someone could have a short time of unsupervised access to the voting machine that wouldn't be detected by tamper proof seals.
        • Re: (Score:3, Interesting)

          by Shakrai (717556)

          First, 99.99% of the EJs are good people, but there are also bad seeds. You must guard against the EJ's as much as the voter.

          Indeed you must. In my state there are four of us, representing at least two different political parties. It seems unlikely to me that you could get four randomly assigned people from different political parties to all agree to rig an election.

          We had an EJ voting every day of early voting, until the Alternate Judge discovered what he was doing and reported him to us.

          Sounds like the system worked if he got caught. My only question would be why did it take so long? Our machines have always kept a running count of the votes cast that day that must match up with the number of people we've signed in. There are two different peop

      • by legirons (809082)

        I've worked as an elections inspector (poll worker) in the state of New York for the last five years. Every aspect of the machine (both the old style lever machines and the new optical scanning machines) that could be tampered with is sealed with numbered tamper evident devices. If the numbers on the seals don't match up with the records retained by the Board of Elections then you know the machine has been tampered with. This isn't rocket science people.

        and then what happens? do you count its votes (knowing they might be faked) or not (somoene can remove your vote by cutting the seal)

      • Re: (Score:2, Interesting)

        by aschran (895622)

        If you think it's impossible to get a few private minutes with one of these voting machines you are crazy. I am not sure how you have been an election worker and still managed to come to that conclusion. In fact, you can easily get a few private HOURS with them. Ed Felten (one of the writers of this paper) annually takes photos of himself with unattended voting machines the night before Election Day.

        http://www.freedom-to-tinker.com/blog/felten/unattended-voting-machines-usual [freedom-to-tinker.com]

      • Re: (Score:2, Interesting)

        by jbudofsky (1279064)

        The only problem with this is that you aren't going to get a few "private minutes" with the machine

        I am a student at Princeton and last term I took Ed Felton's class on Security. (Ed Felton being one of the authors). This was one of the issues which he talked about. I can't speak for the State of New York, but in New Jersey the voting machines are often stored at the voting sites over night. These voting sites are more often than not, unsecured places such as Churches or Schools. Prof. Felton, on the night before an election, went to all of the election sights. A distrubing number of electronic voting ma

      • by feenberg (201582)

        OK, suppose the tamper-evident seal is found to be broken at the end of the election day. What happens then? Are those votes not counted? I wouldn't expect that result. That would open a door to an intruder going to a district favoring the opponent and merely tampering with the seal. I'd expect the votes to be counted in spite of the broken seal. Is there actual experience anywhere on this point?

    • by tedshultz (596089)
      When I first saw this, my first reaction was "Wow, maybe a good programmer could fix the horrendous interface used now". This voting machine http://www.thedailypage.com/daily/article.php?article=25628 [thedailypage.com] was changing votes by poor design, not malice (I hope...). It wouldn't take much for a decent programmer to fix it up a bit. Maybe the open source voting machine that everyone wants is already here!
  • Site is nearly unresponsive.

    And it's just hosting a 3.1MB PDF...

  • by Bandman (86149) <bandman@gmai[ ]om ['l.c' in gap]> on Tuesday August 11, 2009 @02:10PM (#29026581) Homepage

    Electronic bits do not have the quality of being static. Electronic votes can be changed without obvious physical evidence, and as long as they're purely electronic, it will always be like that.

    Even an optical disk is more static than electronic bits that live in a database.

    People need to demand paper ballots until electronic voting machines are all enhanced with built-in paper trails.

    • by Andr T. (1006215)
      I think the most reasonable solution is an eletronic device that prints the vote so the user can cast it on a ballot. You can still count the votes in a fast way, but when any doubt is risen, you can double-check it with the paper votes.
    • by Andr T. (1006215)
      I just noticed I said the exact same thing you already said. Damn, sorry.
    • by Seakip18 (1106315)

      There is a paper trail actually, if the damned county uses them. The problem though is that old folks running the precients barely understand the devices, so they don't bother with the additional hassle of a vote-by-vote trail and just settle for a total count printout.

      Read one of my journals for when I worked for Dieb-errr....Premier Election Solutions last year. The best thing I like is a electronic tabulator which can deliver results fast as can be but still has a paper ballot. Touchscreen's should not b

      • by CastrTroy (595695)
        I very much agree. There's no point in having a paper trail if you can't get them to count it. They should be hand counting paper votes as the first and only option. If we've established any kind of doubt against the machine (and it seems we have) then there's no reason we should trust that number to begin with. You shouldn't have to order a recount to get a count you can trust. Recounts should be for extreme circumstances.
    • by Sandbags (964742) on Tuesday August 11, 2009 @03:44PM (#29028365) Journal

      Yup. That's a good start.

      I'd also love to see some kind of basic voter assessment to substantiate the vote as well. We all have a right to vote, but if yopur vote is based on fallicy or a complete lack of knowledge, you should not be allowed to register that vote.

      My grandfather is a prime example of this. He's voted republican his entire life, nearly 70 years of going to the polls. I pointed out to him just before Obama's election that he couldn't, other than Right to Life and anti gun restriction, name a single Republican platform stance. Then i further asked him what his personal beliefs were on the top 25 debated items between the 2 parties. Of the 25 things, he chose the side the DEMOCRATS voiced support for. he didn't believe me, so i showed him the republican national website, and ran down the list (which took a while, it's not well organized). He voted straight democratic ticket. You see, the current Democratic platform is actually closer to what the Republicans had for a platform 50-60 years ago. He started voting replublican as a youth and then allways did, not paying ANY attention to the actual politics at stake. He figured about half his retired friends were doing the same thing...

      If you can't name the candidate you're voting for, and at least 1 major platform stance out any 1 issue that candidate supports out of that candidates top 10 supported initiatives, you are not informed enough to effect MY future by registering your invalid votes. If you want to vote straight ticket, that's fine, name 3 platform stances of your party instead. If you can do that, you can vote, if not, either stay home, or only vote for the candidates you know something about. If uninformed people continue to vote, we'll need to bring voter certification back into play... (yes, I know it was used to discriminate in the past, but it would be VERY easy to ensure that did not happen in the future).

      • by Bigjeff5 (1143585)

        You realize that is exactly how the poor used to be kept out of the voting process, right?

        In the early days of the good 'ol US of A, only men who owned land were permitted to vote. Obviously, if you didn't own land and weren't a man, you did not have enough vested interest or mental faculty to have a say in government.

        When that was found to be illegal, the requirements changed and you had to pass a reading test in order to vote. This kept the majority of the poor out of the voting process. That too was e

      • by dkleinsc (563838)

        (yes, I know it was used to discriminate in the past, but it would be VERY easy to ensure that did not happen in the future).

        I beg to differ on your last point about how easy it would be to ensure non-discriminatory practices. Any politician who got elected with this system being used for discrimination would be motivated to sabotage or block any attempt to curb said discrimination, or appoint friends who will do likewise. If it were that easy, we wouldn't have had Strom Thurmond's 24 hour filibuster on civil rights legislation. And no, racism is far from dead: for instance, the vast majority of the so-called 'Birthers' (who beli

      • by Noren (605012)
        Ah, a Literacy test. [wikipedia.org] What could go wrong?
  • Prediction: (Score:2, Funny)

    by chickenrob (696532)
    The nations new electronic voting system helps Obama secure a landslide victory on his historic third term.
    • Well that would be illegal but /shrug that never stopped them before. The presidents these days think they can sign an executive order even if it is in conflict with the constitution.
  • I really hope a politician of some sort with some tech savvy (mod funny lol) gets a hold of this and realizes that opensource is the way to go for voting machines.

    With open source, diebold (or whomever) is still making money because someone needs to build the machines, and someone needs to manage the opensource project, but all those who are concerned about the integrety of the vote can contribute and find/fix exploits like this.
    • I really hope a politician of some sort with some tech savvy (mod funny lol) gets a hold of this and realizes that opensource is the way to go for voting machines. With open source, diebold (or whomever) is still making money because someone needs to build the machines, and someone needs to manage the opensource project, but all those who are concerned about the integrety of the vote who can understand the programming language being used can contribute and find/fix exploits like this.

      And everyone else will just have to take their word that it is OK.
      Oh yeah, how will those people know that the "open source" code they contributed to is actually the code running on any voting machine other than the one nearest them (or even on that one)?

      • by CastrTroy (595695)
        Exactly the point everyone seems to miss out on. It doesn't matter if the code is open source, because there is no way of verifying that the code running on all the machines is actually the code that's been vetted for. Sure you could probably get a team of computer scientists together to rip apart a single machine, and test all the components to ensure it's doing what it's supposed to, but it would be impossible to verify that all the machines were running the correct code on election day.
  • .PDF text (Score:3, Informative)

    by guido1 (108876) on Tuesday August 11, 2009 @02:23PM (#29026807)

    Copy/paste, some formatting, no tables. Extra carriage returns (sorry)... "Implementing the gadgets" section stripped off...

    Abstract
    A secure voting machine design must withstand new attacks
    devised throughout its multi-decade service lifetime.
    In this paper, we give a case study of the longterm
    security of a voting machine, the Sequoia AVC
    Advantage, whose design dates back to the early 80s.
    The AVC Advantage was designed with promising security
    features: its software is stored entirely in read-only
    memory and the hardware refuses to execute instructions
    fetched from RAM. Nevertheless, we demonstrate that an
    attacker can induce the AVC Advantage to misbehave
    in arbitrary ways--including changing the outcome of
    an election--by means of a memory cartridge containing
    a specially-formatted payload. Our attack makes essential
    use of a recently-invented exploitation technique
    called return-oriented programming, adapted here to the
    Z80 processor. In return-oriented programming, short
    snippets of benign code already present in the system
    are combined to yield malicious behavior. Our results
    demonstrate the relevance of recent ideas from systems
    security to voting machine research, and vice versa. We
    had no access either to source code or documentation beyond
    that available on Sequoia's web site. We have created
    a complete vote-stealing demonstration exploit and
    verified that it works correctly on the actual hardware.

    1 Introduction
    A secure voting machine design must withstand not only
    the attacks known when it is created but also those invented
    through the design's service lifetime. Because
    the development, certification, and procurement cycle for
    voting machines is unusually slow, the service lifetime
    can be twenty or thirty years. It is unrealistic to hope
    that any design, however good, will remain secure for so
    long.1
    In this paper, we give a case study of the long-term
    security of a voting machine, the Sequoia AVC Advantage.
    The hardware design of the AVC Advantage dates
    back to the early 80s; recent variants, whose hardware
    differs mainly in featuring a daughterboard enabling audio
    voting for the blind [3], are still used in New Jersey,
    Louisiana, and elsewhere. We study the 5.00D version
    The AVC Advantage voting machine we studied.
    (which does not include the daughterboard) in machines
    decommissioned by Buncombe County, North Carolina,
    and purchased by Andrew Appel through a government
    auction site [2].
    The AVC Advantage appears, in some respects, to offer
    better security features than many of the other directrecording
    electronic (DRE) voting machines that have
    been studied in recent years. The hardware and software
    were custom-designed and are specialized for use in a
    DRE. The entire machine firmware (for version 5.00D)
    fits on three 64kB EPROMs. The interface to voters
    lacks the touchscreen and memory card reader common
    in more recent designs. The software appears to contain
    fewer memory errors, such as buffer overflows, than
    some competing systems. Most interestingly, the AVC
    Advantage motherboard contains circuitry disallowing
    instruction fetches from RAM, making the AVC Advantage
    a true Harvard-architecture machine.2
    Nevertheless, we demonstrate that the AVC Advantage
    can be induced to undertake arbitrary, attackerchosen
    behavior by means of a memory cartridge containing
    a specially-formatted payload. An attacker who
    has access to the machine the night before an election can
    use our techniques to affect the outcome of an election by
    replacing the election program with another whose visible
    behavior is nearly indistinguishable from the legitimate
    program but that adds, removes, or changes votes
    as the attacker wishes. Unlike those attacks described
    1
    in the (contemporaneous, independent) study by Appel
    et al. [3, 4] that allow arbitrary computation to be induced,
    our attack

    • Re:.PDF text (Score:4, Informative)

      by Anonymous Coward on Tuesday August 11, 2009 @03:07PM (#29027641)

      Here it is without the IDIOTIC carriage returns. Yes, you are an IDIOT, guido-cock.

      Abstract
      A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. In this paper, we give a case study of the longterm security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s. The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, we demonstrate that an attacker can induce the AVC Advantage to misbehave in arbitrary ways--including changing the outcome of an election--by means of a memory cartridge containing a specially-formatted payload. Our attack makes essential use of a recently-invented exploitation technique called return-oriented programming, adapted here to the Z80 processor. In return-oriented programming, short snippets of benign code already present in the system are combined to yield malicious behavior. Our results demonstrate the relevance of recent ideas from systems security to voting machine research, and vice versa. We had no access either to source code or documentation beyond that available on Sequoia's web site. We have created a complete vote-stealing demonstration exploit and verified that it works correctly on the actual hardware.

      1 Introduction
      A secure voting machine design must withstand not only the attacks known when it is created but also those invented through the design's service lifetime. Because the development, certification, and procurement cycle for voting machines is unusually slow, the service lifetime can be twenty or thirty years. It is unrealistic to hope that any design, however good, will remain secure for so long.1 In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage. The hardware design of the AVC Advantage dates back to the early 80s; recent variants, whose hardware differs mainly in featuring a daughterboard enabling audio voting for the blind [3], are still used in New Jersey, Louisiana, and elsewhere. We study the 5.00D version The AVC Advantage voting machine we studied. (which does not include the daughterboard) in machines decommissioned by Buncombe County, North Carolina, and purchased by Andrew Appel through a government auction site [2]. The AVC Advantage appears, in some respects, to offer better security features than many of the other directrecording electronic (DRE) voting machines that have been studied in recent years. The hardware and software were custom-designed and are specialized for use in a DRE. The entire machine firmware (for version 5.00D) fits on three 64kB EPROMs. The interface to voters lacks the touchscreen and memory card reader common in more recent designs. The software appears to contain fewer memory errors, such as buffer overflows, than some competing systems. Most interestingly, the AVC Advantage motherboard contains circuitry disallowing instruction fetches from RAM, making the AVC Advantage a true Harvard-architecture machine.2 Nevertheless, we demonstrate that the AVC Advantage can be induced to undertake arbitrary, attackerchosen behavior by means of a memory cartridge containing a specially-formatted payload. An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes, or changes votes as the attacker wishes. Unlike those attacks described 1 in the (contemporaneous, independent) study by Appel et al. [3, 4] that allow arbitrary computation to be induced, our attack does not require replacing the system ROMs or processor and does not rely on the presence of the daughterboard added in later revisions. Our attack makes essential use of return-oriented programming

  • by hessian (467078) on Tuesday August 11, 2009 @02:29PM (#29026911) Homepage Journal

    1. What form of electronic voting could not be compromised?
    2. What form of paper voting could not be compromised?

    It may be that we must accept that no form of voting is "secure" in the sense of cannot be gamed.

    At least, people have been gaming votes for as long as democracy has existed, so I don't know if they're going to stop just because we make it slightly less convenient.

    • 1. What form of electronic voting could not be compromised? 2. What form of paper voting could not be compromised?

      It may be that we must accept that no form of voting is "secure" in the sense of cannot be gamed.

      At least, people have been gaming votes for as long as democracy has existed, so I don't know if they're going to stop just because we make it slightly less convenient.

      They aren't going to stop because we make it less convenient, but why should we make it more convenient?
      Every form of electronic voting I have seen makes it easier and more convenient to commit massive election fraud and easier and more convenient to hide such fraud. Actually, I can't think of any "voting reform" that has occurred in my life that doesn't make election fraud easier and more convenient.

    • by db32 (862117)
      The real danger is that people believe paper ballots can be easily subject to problems and that electronic voting is somehow impervious to these problems.
      • The real danger is that people believe paper ballots can be easily subject to problems and that electronic voting is somehow impervious to these problems.

        Actually, I find it troubling that many people seem to believe that paper ballots cannot be compromised at all. I'm not more in favor of electronic voting and I'm not against paper ballots, but I get the sense that quite a few people here seem to think "paper ballots = 100% assurance of honesty" and I don't agree with that. Then again, I was in Ukraine in November of 2004 during the Orange Revolution (long story, but I had long standing plans to go there right after the election and those plans had nothin

    • by gclef (96311)

      It's all about managing risk...sure, you can stuff ballot boxes, but it's difficult to do that on an enormous scale without being noticed (note: I didn't say impossible, just difficult). On the other hand, if you can simply edit a database to change votes, the barrier to entry for vote fraud drops dramatically.

      We probably do have to accept that every voting system can be gamed...what we do *not* have to accept is that this means they're all equally good/bad.

    • It isn't about making it impossible, just really, really hard. And to do that we have to understand the possibilities well enough that we can decide what is good enough. If we mistakenly think electric voting is perfect when it really has these big gaping holes in it, then we have a lot more work to do. That's what these guys are trying to point out. You do reach a point of diminishing returns, but that doesn't mean it isn't worth trying.

    • by Chirs (87576)

      I'm in Canada. We use paper ballots. It would be fairly hard to compromise this in any significant way.

      You walk into a room, validate your identity, they give you a ballot from a book of ballots. The ballot has a tear-off part with a serial number that matches the stub in the book.

      You go behind a screen, mark an X for the candidate of your choice, fold over the ballot, then come back out. You hand the ballot to an official who verifies that the serial number matches what was given to you, then rips off

      • by Tacvek (948259)

        Harder than electronic voting, yes, but common exploits such as multiple voting (being on the voter list in multiple polling locations), "losing" ballot boxes during transportation after voting but before counting, would still apply. The later issue could be eliminated by counting all the votes in public at the polling location. At the end the results are recorded and certified on an election results card. Then these cards are accumulated from all voting stations in an area, and the contents of the cards be

  • critics complain that the attacks aren't realistic

    Step 1) Create tool to hack machine.
    Step 2) Next election, reprogram the voting machine to play PacMan.
    Step 3) Watch Cable News Networks spend weeks talking about the issue.
    Step 4) Watch politicians scramble to pass something/anything to prove they care about this issue.
    This will all work as long as you don't care about step 5.
    Step 5) Go to jail. You do have to show ID to vote and if there is someone in line behind you at the booth, they will know real quick you hacked the machine.

  • by Abalamahalamatandra (639919) on Tuesday August 11, 2009 @02:55PM (#29027423)

    Here's what I'm trying to understand.

    We have this great thing called Public Key Crypto and the PKI to go along with it.

    If you presume a custom processor that will only execute code signed by an election commission, that would be a first step - the system won't run anything that hasn't been specifically approved for installation on the machine. There would be no more "last minute fixes" as we've seen in the past, where code was installed without being vetted by an election authority.

    For that matter, require the software developers to store their code on a state or federal election repository, and only sign code that's been compiled on those systems, from that repository. Require that anyone who makes changes sign them with their private key and state the reason for the change.

    For the results, take each ballot, strip off the identifying information, and encrypt it to the election commission, and sign it with a pre-deployed per-machine private key that's known. It would of course also be important to have a reliable time source for the device, to include that in the result file.

    I would even envision that this would be a good purpose for a federal election agency - hosting the code for all certified voting systems, and being the "root of trust" that signs certificates for the state election commissions, which can then sign local and county commissions, which can then issue keys to individual election machines.

    Some patches to an open-source OS, say Linux, a PKI infrastructure (along with some HSM modules to store keys) and a processor with an integrated crypto engine and TPM module would take care of all of this.

    Banks do this kind of stuff all the time - what's so hard about it?

    • It's not that it's hard to do it. It's that they don't want to do it.

    • by gclef (96311)

      I volunteered to run a polling place this past election cycle, so I have a few thoughts on this:

      1) One of the reasons that the electronic voting systems have so many problems is that the local and state elections board are *not* IT shops. They don't spend the time on IT to really get it, and probably won't for a good many years to come. (For example, my local election board had not considered that there would be a pretty significant failure rate on UPS' between election cycles...the UPS' to run the voting

  • I was just walking down the street, out of nowhere voting machines came and attacked me and stole my wallet.
  • by lseltzer (311306) on Tuesday August 11, 2009 @03:12PM (#29027737)

    Give me a few private minutes with a paper ballot box and I can stuff it full of ballots for my candidate. That's an old-school hack.

    • Not sure how you'd do it in my district. My grandmother helps run polls there, and so I have a fairly good idea how it works. (Well, plus having voted there many times.)

      You walk in the door, and (if there's no line) are faced with a table of election workers from all the major parties. Each has a stack of papers, listing around 750 registered voters in the district, in alphabetical chunks. You pick the line that matches up with the first letter(s) of your last name, tell them your name, and they che

  • What do Design Documents have to do with anything. Considering that most developers put them straight in the circular file, I fail to see how that would help you hack the system.
  • look, it's simple.... Digital voting machine swith 2 way paper validation. 1 copie prints out of the back of the voting machine with a unique "voter number" (identifies the ticket itself as a receipt number, and has NOTHING to do with the person voting). A second copy prints out on a large tape at central voting table from a seperate central machine and feeds into a scanner on a 3rd machine. Your voting record is also stored electronically indexed by the voting receipt number in the central machine tha

    • by Bigjeff5 (1143585)

      That's nice and complicated and all, but a breach in the verification machine invalidates the entire process. The validation machine can easilly show a valid count but actually record an invalid count, and there is no way you would know the difference. Vote goes to validation machine, as well as a locked-box printout and a paper printout the voter takes to the validation machine. Voter validates their vote, but what is shown on-screen does not match what is recorded in the database. The vote is then bel

  • This means that politicians will have to go back to old fashioned fraud, like ballot box stuffing, having bums vote for dead people, registering phantoms from empty lots, and on and on.

  • by ehack (115197) on Tuesday August 11, 2009 @04:23PM (#29029195) Journal

    Looks like return-oriented programming is a nice way to own various pieces of locked down hardware, eg. region-coded DVD drives, carrier-locked phones etc.

  • I guess until the critics get in their heads they are flawed, we will have to go to great lengths to show them it does not compute,
    I am thinking of adding a new partisan in the running that stands for Al Quidae being in control for our government, and then using
    the tricks talked about here to actually make the votes go their way....and then 2 minutes before the actual meltdown, when everyone on CNN is seeing the impossible...call in and explain the prank to any who will listen.

    THENNNNNNN.....they would get

  • Besides this being a very nice piece or work in Computer Science, it appears the point of this study is that in order for a software device to be considered "secure", it needs to stand up to exploits that have yet to be discovered at the time of release. This is, of course, seemingly impossible to do since undiscovered exploits are, well, undiscovered.

    Return-oriented programming defeats security measures like DEP, but there are other measures that may be effective against attacks of this sort, such as Addr [wikipedia.org]

Some people carve careers, others chisel them.

Working...