-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy path15-hacking-voting-machines.txt
122 lines (91 loc) · 10.3 KB
/
15-hacking-voting-machines.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
## Asset Info ##
Asset Origins:
bush-speaking.png - https://commons.wikimedia.org/wiki/File:Bush-April14-1.jpg - Public Domain (used as reference)
hillary.png - https://www.washingtonpost.com/news/post-politics-live/wp-content/uploads/sites/53/2016/02/DEM_2016_Debate-01fd0.jpg (used as reference)
cal-bear.png - https://www.flickr.com/photos/8070463@N03/3956233624 - CC-BY-SA
harri-hursti.jpeg - https://alchetron.com/Harri-Hursti-629980-W - CC-BY-SA
scratch.jpg - https://www.flickr.com/photos/usgeologicalsurvey/21894743631/ - public domain
pumpkin-patch.jpg https://commons.wikimedia.org/wiki/File:Pumpkin_Patch.jpg - CC-BY-2.0 (cropped photo)
voting-booth.jpg - https://commons.wikimedia.org/wiki/File:University_at_Buffalo_voting_booth.jpg - public domain
danger-sign.png - https://pixabay.com/en/warning-sign-red-triangle-road-303898/ - CC0
private-property - By Dru Bloomfield from Scottsdale, Arizona, USA - No TrespassingUploaded by Pieter Kuiper, CC BY 2.0, https://commons.wikimedia.org/w/index.php?curid=10213671
By Everaldo Coelho and YellowIcon; - All Crystal Clear icons were posted by the author as LGPL on kde-look;, LGPL, https://commons.wikimedia.org/w/index.php?curid=1159660
buffer-overrun.png - based on example giving in https://en.wikipedia.org/wiki/Buffer_overflow
Sauce Making:
N/A
ASSETS (art, img, anim, text):
X X art: hacker
X X art: robot
X X art: car
X X anim: robot driving in car
X X img: danger sign "electronic voting is dangerous!"
X X art: george w. bush
X X art: hilary clinton
X X img: safety "electronic voting is absolutely safe (1:18)"
X X text: DMCA
X X img: private property sign "thanks but this is our private property (1:43)"
X X img: bear (representing Cal Berkely)
X X art: paper (write quality code, hand off to QA, tests?)
X X art: hacker again (2:52)
X X art: nerd character to represent mathematics (chars/perfectionist)
X X art: another nerd "hand them off to a 3rd party (3:14)"
X X img: buffer overruns, double free errors
X X img: Harry Hursti
X X art: robot (as voting machine)
X X anim: robot opens eyes, question mark over head, turns to 0
X X anim: paper -150 + 150 = 0 (4:15)
X X img: scratched tree
X X img: pumpkin patch
X X re: Harry Hursti
X X img: voting booth
img: security camera in voting booth (5:35)
X X img: usb card (5:48)
X X re: hacker
X X text: dollar sign
## Sources ##
- https://en.wikipedia.org/wiki/Hacking_Democracy documentary about issues with electronic voting machines, specificly Diebold ones
- https://www.supportthevoter.gov/files/2013/09/VSTAAB-Security-Analysis-of-Diebold-AccuBasic-Interpreter-2006.pdf Findings from UC Berkely after CA sec of state requested review of vulnerabilities
- https://thinkprogress.org/why-voting-machines-are-about-to-wreak-havoc-on-another-election-607f3be29389#.9thakldhv
## Notes ##
- Diebold machines use AccuBasic, a limited, well-formed proprietary language whose purpose is to read and count votes
* the limited nature of the language is a plus as it limits the ways a hacker could muck things up
- UC Berkeley review Confirmed the Hursti Hack was possible
- Able to change vote counts with access to nothing more than a memory card (needing no cryptographic keys, passwords or access to the rest of the system)
- gave one candidate positive votes and the other the same number of negative votes so starting count would still register as 0
- falsified the voting machine results tapes and the GEMS central tabulator report (election officials said since those matched they would have certified the election)
- identified other issues in the interpreter (buffer overruns, array bounds violations, double-free errors, format string vulnerabilities, and
several others)
- wouldn't affect how the system runs but could be used by a hacker to change how the program performs
- would only be detectable through a manual recount of the paper ballots
- Unlike the AV-OS (optical scan) the AV-TSx required the memory cards be signed with a cryptographic key (preventing this type of attack from working on those machines)
* There were issues with how the key was implemented. Unless voting officials made use of the option to create their own key, all of the systems fell back to a default key which was hard coded in the source code
* Key was published in well known research paper and can be found on Google so is easily available to anyone who wants the key
- No use of 'high assurance' development methods, appeared to be programmed using standard commercial development methods
- Systems that allow the voter to prove how they voted are never used in U.S. public elections, and are outlawed by most state constitutions. The primary concerns with this solution are voter intimidation and vote selling.
- "attacks on physical voting don't scale well" - computerphile
- sometimes just a photo is the problem
- Jan 2007 a photo of the key used to open Diebold voting machines was posted on it's website. It was confirmed that a copy of the key could be made from the photo alone.
- the key opens a panel that contains a removable memory card leaving the systems vulnerable to tampering.
- five states (Georgia, Delaware, Louisiana, South Carolina and New Jersey) use electronic voting machines that leave no way to audit results after the fact
- Putting electronic voting machines into the category of critical infrastructure, which also includes power grids, airports, and hospitals, would allow DHS to set security standards for voting machines across the country, Wysopal said.
- Digital Millennium Copyright Act of 1998 (DMCA) prevents researchers from inspecting voting machines due to copyright issues
- this was updated October 2015 but does not give enough time for voting machines to be examined prior to 2016 presidential election
- post Help America Vote Act States then “went on a spending spree” with millions of federal dollars, buying state-of-the-art touch screen voting machines, also known as DREs (direct-recording electronic voting machines), Burden said. States also bought optical scan machines, where voters mark their paper ballot choices by filling out a bubble or connecting arrows. The results are read by a machine, similar to how SAT tests are processed.
## Script ##
Can you use code to steal an election? Well.....errr....yes.
[Intro]
I'm a fan of most technological advances. Every time a distracted driver nearly runs me over in a cross walk, I happily remind myself that human drivers will soon be a thing of the past. So when I hear people fretting about electronic voting, my instinct is to roll my eyes. Especially when the complaints seem so politically motivated.
In 2004, conspiracies circulated about Diebold voting machines being rigged to deliver a re-election victory to U.S. President George W. Bush. Fast forward to 2016 and it was nearly the same story - except this time billionaire George Soros was going to deliver a win to Hillary Clinton.
<best villain impression> That's my comic book supervillain impression....
So, when I set out to research e-voting, my expectation was that I'd be able to show how secure it truly is. Sadly, that's not the case.
The first thing you should know is that until October of 2015, voting machine code was considered intellectual property and the Digital Millennium Copyright Act prevented researchers from accessing the code unless the company gave them access to it. As you can imagine, most companies declined.
One exception was in 2006 when California's Secretary of State requested that experts at U.C. Berkely review the security of the voting machines being used in the state. They discovered a number of alarming issues.
The first was that the code did not appear to be written using high-assurance techniques. Regular programming relies on evaluation from quality assurance teams and automated tests to identify issues. Even when written by experts, code can fail or be vulnerable to hackers.
High assurance software engineering is utilized for critical infrastructure (like nuclear submarines and unmanned vehicles on Mars). They are programmed in such a way that mathematical proof can be provided (and verified by 3rd parties) to show that the system will work exactly as intended without issue.
Although the voting machine code was high quality, there were a number of issues in the interpreter like buffer overruns and double-free errors that could be used by hackers to change how the program performed.
The most alarming vulnerability they found though is what's known as the "Hursti Hack". The Hursti Hack, named after Harri Hursti, the Finnish programmer that first identified it, is a high tech form of 'stuffing the ballot box'.
When the voting machines first boot up, they check for a zero-vote count before starting. That way, they can be sure that no one has been pre-gaming the ballot box. However, Hursti realized there are many ways to make something equal zero. He altered the code on the memory card to have one candidate start with a positive vote total and another candidate start with the same amount of negative votes. -150 votes for you + 150 votes for me equals 0 total votes. Since the voting machines were ONLY looking for a zero-count, this was not detected as an anomoly. And, since Hursti was able to alter both the voting machine result tapes and the central tabulator, the manipulation would not have been caught by the central machine either.
If those vote totals match, the vote is a....pumpkin patch? Uh...I'm not so good with the rhymes.
Now, maybe you're thinking this is all well and good in an academic setting, but, no one is just going to sit there and let someone mess with a voting machine in real life. Except, being left alone, in private, in the voting booth is one of the fundamental aspects of modern anonymous voting. You can't have anyone watching what I do in the booth or there's a chance my vote could be coerced. So, just a few minutes alone and blammo - I've got altered code on that machine...and, since it's common for official voting business to involve usb sticks going from one machine to the next, there's a chance I've infected a LOT of machines.
And that's just scratching the surface of the issues found with electronic voting systems.
Given the damage that a single hacker can do AND the value to be had from altering the outcome of an election (especially in a major, industrial nation), when it comes to electronic voting - just say no.