Seda Davtyan, Sotiris Kentros, Aggelos Kiayias, Laurent Michel, Nicolas Nicolaou, Alexander Russell, Andrew See, Narasimha Shashidhar and Alexander A. Shvartsman
In Proceedings of the 24th Annual ACM Symposium on Applied Computing (SAC 2009)
March 9-12, 2009, Honolulu, HI, USA www.acm.org/conferences/sac/sac2009/
The firmware of an electronic voting machine is typically treated as a “trusted” component of the system. Consequently, it is misconstrued to be vulnerable only to an insider attack by someone with an in-depth knowledge of the system and access to the source code. This case study focuses on the Diebold/Premier AccuVote Optical Scan voting terminal (AV-OS) that is widely used in the USA elections. We present three low level manipulations of the above voting terminal’s firmware resulting in divergence from its prescribed operation: (i) the first bestows the terminal with a powerful memory card dumping functionality, (ii) the second enables the terminal to leak the ballot details through its serial port thus violating voter privacy during the election, (iii) the final third firmware manipulation is a proof of concept attack that swaps the votes of two candidates thus permanently destroying the election outcome in an undetectable fashion. This demonstrates the extent to which the firmware of the AV-OS can be modified with no insider knowledge or access to the source code. Our results underscore the importance of verifying the integrity of the firmware of electronic voting terminals accompanied by sound auditing procedures to maintain the candor of the electoral process. We also note that this work is performed solely with the purpose of security analysis of AV-OS, and the first and the second firmware manipulations we describe serve a dual purpose in assisting the technological audits of actual voting procedures conducted using AV-OS systems.
Download full paper: sac09.pdf