Malicious Takeover of Voting Systems: Arbitrary Code Execution on Optical Scan Voting Terminals

Posted: March 22nd, 2013 | Filed under: Other Publications

Malicious Takeover of Voting Systems: Arbitrary Code Execution on Optical Scan Voting Terminals
Russell J. Jancewicz, Aggelos Kiayias, Laurent D. Michel, Alexander C. Russell and Alexander A. Shvartsman
In Proceedings of the 28th Symposium On Applied Computing (SAC 2013)
March 18-22, 2013, Coimbra, Portugal www.acm.org/conferences/sac/sac2013/

Abstract
This work focuses on the AccuVote Optical Scan voting terminal (AV-OS) that is widely used in US elections. We present a new attack that can be delivered without opening the system enclosure, and without changing a single bit of the system’s firmware. The attack is launched by inserting a maliciously programmed AV-OS memory card into the terminal. The card contains binary code that exploits careless runtime memory management in the system’s firmware to transfer control to alternate routines stored in the memory card. Once the control is taken by the injected code, the voting system is forced to operate according to the wishes of the attacker. In particular, given that the attack results in the execution of the arbitrary code, an attacker can completely take over AV-OS operation and compromise the results of an election. It is also noteworthy that once a memory card is compromised it can be duplicated using the native function of the voting terminal. In some past elections it was observed that up to 6% of all memory cards were involved in card duplication. There exists a non-trivial possibility that the infection on one memory card can propagate virally to other cards in a given election. This development was performed without access to the source code of the AV-OS system and without access to any internal vendor documentation. We note that this work is performed solely with the purpose of security analysis of AV-OS.

Download full paper: abstract-acmsac2013.pdf


Integrity of Electronic Voting Systems: Fallacious Use of Cryptography

Posted: March 30th, 2012 | Filed under: Other Publications

Integrity of Electronic Voting Systems: Fallacious Use of Cryptography
Seda Davtyan, Aggelos Kiayias, Laurent Michel, Alexander Russell and Alexander Shvartsman
In Proceedings of the 27th Symposium On Applied Computing (SAC 2012)
March 26-30, 2012, Riva del Garda (Trento), Italy www.acm.org/conferences/sac/sac2012/

Abstract
In recent years, electronic voting systems have been deployed in all U.S. elections. Despite the fact that cryptographic integrity checks are used in most such systems, several reports have documented serious security vulnerabilities of electronic voting terminals. We present an overview of the typical security and election vulnerabilities found in most, if not all, electronic election systems, and present a case study that illustrates such vulnerabilities. Our hands-on security analysis of the AccuVote TSx voting terminal — used by more than 12 million voters in over 350 jurisdictions in the U.S. — demonstrates certain new integrity vulnerabilities that are present in the system. We present two attacks based on these vulnerabilities: one attack swaps the votes of two candidates and another erases the name of one candidate from the slate. These attacks do not require modification of the operating system of the voting terminal (as was the case in a number of previous attacks) and are able to circumvent the cryptographic integrity checks implemented in the terminal. The attacks can be launched in a matter of minutes and require only a computer with the capability to mount a PCMCIA card file system (a default capability in most current operating systems). The attacks presented here were discovered through direct experimentation with the voting terminal and without access to any internal documentation or the source code from the manufacturer.

Download full paper: sac2012.pdf


An Authentication and Ballot Layout Attack against an Optical Scan Voting Terminal

Posted: August 6th, 2007 | Filed under: Other Publications

An Authentication and Ballot Layout Attack against an Optical Scan Voting Terminal
Aggelos Kiayias, Laurent Michel, Alexander Russell, Narasimha Shashidhar, Andrew See and Alexander A. Shvartsman
In Proceedings of the 2007 USENIX/ACCURATE Electronic Voting Workshop (EVT 07)
August 6, 2007, Boston, MA, USA www.usenix.org/events/evt07/

Abstract
Recently, two e-voting technologies have been introduced and used extensively in election procedures: direct recording electronic (DRE) systems and optical scanners. The latter are typically deemed safer as many recent security reports have discovered substantial vulnerabilities in a variety of DRE systems. In this paper we present an attack against the Diebold Accuvote optical scan voting terminal (AV-OS). Previously known attacks direct to the AV-OS required physical access to the memory card and use of difficult to find hardware (card reader/writer). Our attack bypasses these issues by using the serial port of the AV-OS terminal and reverse engineering the communication protocol, in essence, using the terminal itself as a reader/writer. Our analysis is based solely on reverse-engineering. We demonstrate how an attacker can exploit the serious security vulnerability of weak (non-cryptographic) authentication properties of the terminal. The attack payload delivers a tampered ballot layout that, depending on the scenario, allows swapping of candidate votes, neutralizing votes, or even shifting votes from one candidate to another.

Download full paper: evt07.pdf


State of Connecticut Security Procedures

Posted: October 30th, 2006 | Filed under: Other Publications

State of Connecticut’s Moderator’s Handbook (2006)


APPENDIX F
Security, Storage & Transportation of Ballots & Tabulators to and from Polls

  1. IMPORTANT REMINDER

    From the time the tabulators, memory card and ballots are received, they should be stored in a locked storage location not generally accessible. A log should be maintained of all persons having access to that storage location. The log should show the names, dates, times and purposes for all persons having access to that storage location.

  2. Pre-election testing and sealing of memory card & tabulator

    At the conclusion of the pre-election testing of machines, the memory card should be inserted in each tabulator and secured with a numbered seal. That number should be recorded on the pre-election testing report. A copy of that report should be given to the Town Clerk. The Clerk should give a copy of this report, including the number of the memory card seal number, to the Moderator when she picks up her supplies the day before the election.
    The tabulator should be placed in the bag in which it will be transported to the polls. A second numbered seal should be attached to the bag. The bag should also have a label identifying the polling place to which it is assigned.
