Page 1

October 22, 2008 CSC 682

Security Analysis of the Diebold AccuVote – TS Voting Machine

Feldman, Halderman and Felten

Presented by: Ryan Lehan

Page 2

Outline

- Overview of Diebold AccuVote-TS Voting Machine
- Vulnerability Points
  - Hardware
  - Software
- Classification of Attacks
- Delivery of Attacks
- Conclusion

Page 3

Diebold AccuVote-TS

- Manufactured by Diebold Election Systems
  - Subsidiary of Diebold
    - Manufacturer of ATMs
  - Now Premier Election Systems
- DRE – Direct Recording Electronic Voting Machine
  - Voters use the machine to record and cast their vote
  - The machine is used to tally the votes
- Custom software (Ballot Station) runs on top of Windows CE

Page 4

Vulnerability Points - Hardware -

Please turn to page 6 (the letters below refer to the labelled figure there).

- Commonly used lightweight lock to secure access.
- EPROM (E) – Replace EPROM w/ malware
- PC Card Slot (S) – Used to replace existing software as well as load in malware
- Flash Ext Slot (G) – Used to load in malware
- Keyboard (R) & Mouse (U) Ports – Used to alter OS configuration
- Serial Keypad Connector (O) – Open communication port.
- Infrared Transmitter and Receiver (N) – Open communication port.

Page 5

Vulnerability Points - Software -

- Boot Process
- Software Updates
- Scripting
- Authenticity / Authorization

Page 6

Boot Process

- Bootloader is loaded into memory
  - Location is determined by jumpers on the mainboard
    - EPROM (E)
    - Onboard flash memory (C)
    - Flash memory module in the “ext flash” slot
- Looks at PC Card Slot for a memory card
  - Looks for specially named files
    - fboot.nb0 – Replacement bootloader, copied into onboard flash
    - nk.bin – Replacement operating system image file
    - EraseFFX.bsq – Erases file system area of the flash

Page 7

Boot Process - 2 -

- OS (Windows CE) is decompressed, loaded into memory and then started.
- OS uses a customized ‘taskman.exe’
  - Automatically launches ‘BallotStation.exe’
  - However, if a memory card in the PC Card slot is present and contains a file called ‘explorer.glb’, then it will launch Windows Explorer instead of ‘BallotStation.exe’
  - Searches for script files ending with ‘.ins’ and runs them (with user confirmation)

Page 8

Software Updates

- Takes place in the boot loading process
- Looks for specially named files on the memory card
- Overwrites existing files in the onboard flash memory
- No confirmation is needed
  - Messages are printed on screen only

Page 9

Scripts

- Scripts are loaded via a memory card in the PC Card slot
- Execution of each script requires user confirmation
- Found multiple stack-based buffer overflows in handling of the script files
  - Suggesting malformed .ins files could bypass user confirmation.
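The overflow point on this slide is the one place in the deck where a code illustration helps. The C below is an added example written for this page, not code from the paper, the slides, or Diebold's BallotStation: the slides say only that the script handler has stack-based buffer overflows, so the "KEY=VALUE" line format, the buffer sizes, and the directive names are assumptions made for the illustration. It places the overflow-prone parse next to a hardened one that checks every length against its buffer before copying and validates the whole file before the confirmation prompt, so a malformed file is rejected instead of being able to corrupt the handler that guards the prompt.

```c
/* Added example for this page, not code from the paper, the slides, or Diebold.
 * The .ins line format (KEY=VALUE), KEY_MAX, LINE_MAX and the directive names
 * are assumptions made for the illustration. */
#include <stdio.h>
#include <string.h>

#define KEY_MAX  16    /* assumed fixed-size stack buffer for a directive name */
#define LINE_MAX 128   /* assumed maximum length of one script line */

struct ins_line {
    char key[KEY_MAX];   /* lives on the caller's stack */
    const char *value;
};

/* Overflow-prone form: the directive name is copied into the fixed buffer
 * with no bound, so a line whose name is KEY_MAX bytes or longer overruns
 * it.  Kept only for contrast; nothing below calls it. */
int parse_ins_line_unsafe(const char *line, struct ins_line *out) {
    const char *eq = strchr(line, '=');
    if (!eq) return -1;
    memcpy(out->key, line, (size_t)(eq - line));
    out->key[eq - line] = '\0';
    out->value = eq + 1;
    return 0;
}

/* Hardened form: the name length is checked against the buffer before any
 * copy, and an over-long or shapeless line is rejected rather than truncated
 * (silent truncation could turn one directive name into another). */
int parse_ins_line(const char *line, struct ins_line *out) {
    const char *eq = strchr(line, '=');
    if (!eq) return -1;                            /* no '=': malformed */
    size_t klen = (size_t)(eq - line);
    if (klen == 0 || klen >= KEY_MAX) return -2;   /* would overrun: reject */
    memcpy(out->key, line, klen);
    out->key[klen] = '\0';
    out->value = eq + 1;
    return 0;
}

/* Validates a whole script before anything is run or shown to the operator
 * for confirmation.  Returns the number of directives, or the negative code
 * of the first bad line: -1 no '=', -2 over-long name, -3 over-long line.
 * Parsing completes with bounded copies only, so a malformed file cannot
 * reach execution by corrupting the code that asks for confirmation. */
int validate_ins_script(const char *text) {
    int count = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= LINE_MAX) return -3;            /* over-long line */
        char line[LINE_MAX];                        /* stack buffer, bounded copy */
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0) {                              /* blank lines are skipped */
            struct ins_line parsed;
            int rc = parse_ins_line(line, &parsed);
            if (rc < 0) return rc;
            count++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return count;
}

int main(void) {
    /* Constructed sample scripts; the directive names are invented. */
    const char *good = "SetPrecinct=12\nLoadBallot=ballot.dat\n";
    const char *bad  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=overflow\n";
    printf("good script: %d directives accepted\n", validate_ins_script(good));
    printf("bad script: rc=%d, rejected before the confirmation prompt\n",
           validate_ins_script(bad));
    return 0;
}
```

The design point is ordering: validate the entire file with bounded copies first, then ask for confirmation, then execute. A parser that copies first and checks later gives a malformed file a chance to corrupt the stack before the confirmation step ever runs.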

Page 10

Authenticity / Authorization

- At no time, during the boot loading or script execution, was there a check to validate the authenticity of any of the files on the memory card.
- At no time was a user, supervisor, or admin asked to log in to the machine.
  - Without authentication, authorization to perform updates and script execution is non-existent
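Slides 6 through 10 together describe the problem: the boot loader and the customized taskman.exe act on specially named files on the memory card with no authenticity check and no login. Short of new firmware, the check a defender can actually run is to screen each card's directory listing before it is inserted into a machine. The C below is an added example for this page, not code from the paper or the slides; the file names it looks for are the ones the slides list, while the directory listings and the name "ballot-definition.dat" are constructed. Because Windows CE file names are case-insensitive, the match ignores case so that "FBOOT.NB0" is not missed.

```c
/* Added example for this page, not code from the paper or the slides: a
 * pre-insertion screening check for a memory card's directory listing.
 * The special file names come from the slides; the listings below and the
 * name "ballot-definition.dat" are constructed for the example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Behaviours a card can trigger, per the slides' description of the boot
 * loader (slide 6) and taskman.exe (slide 7). */
enum {
    CARD_REPLACES_BOOTLOADER = 1 << 0,   /* fboot.nb0    */
    CARD_REPLACES_OS         = 1 << 1,   /* nk.bin       */
    CARD_ERASES_FILESYSTEM   = 1 << 2,   /* EraseFFX.bsq */
    CARD_LAUNCHES_EXPLORER   = 1 << 3,   /* explorer.glb */
    CARD_RUNS_SCRIPTS        = 1 << 4    /* *.ins        */
};

/* Windows CE file names are not case-sensitive, so "FBOOT.NB0" must be
 * treated exactly like "fboot.nb0". */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

static int has_suffix(const char *name, const char *suffix) {
    size_t n = strlen(name), s = strlen(suffix);
    return n > s && name_eq(name + n - s, suffix);
}

/* Returns a bitmask of the behaviours the listed files would trigger;
 * 0 means the card carries nothing the loader or taskman.exe acts on. */
int screen_card(const char *const *names, size_t count) {
    int flags = 0;
    for (size_t i = 0; i < count; i++) {
        const char *n = names[i];
        if (name_eq(n, "fboot.nb0"))         flags |= CARD_REPLACES_BOOTLOADER;
        else if (name_eq(n, "nk.bin"))       flags |= CARD_REPLACES_OS;
        else if (name_eq(n, "EraseFFX.bsq")) flags |= CARD_ERASES_FILESYSTEM;
        else if (name_eq(n, "explorer.glb")) flags |= CARD_LAUNCHES_EXPLORER;
        else if (has_suffix(n, ".ins"))      flags |= CARD_RUNS_SCRIPTS;
    }
    return flags;
}

/* Prints a human-readable report and returns the number of findings. */
int report_card(const char *label, const char *const *names, size_t count) {
    static const struct { int bit; const char *what; } rows[] = {
        { CARD_REPLACES_BOOTLOADER, "fboot.nb0: boot loader would be replaced, no authenticity check" },
        { CARD_REPLACES_OS,         "nk.bin: OS image would be replaced, no authenticity check" },
        { CARD_ERASES_FILESYSTEM,   "EraseFFX.bsq: flash file system would be erased" },
        { CARD_LAUNCHES_EXPLORER,   "explorer.glb: Windows Explorer would start instead of BallotStation" },
        { CARD_RUNS_SCRIPTS,        "*.ins: scripts would be offered for execution" },
    };
    int flags = screen_card(names, count), findings = 0;
    printf("%s:\n", label);
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        if (flags & rows[i].bit) { printf("  - %s\n", rows[i].what); findings++; }
    if (!findings) printf("  - no update, erase, explorer or script triggers found\n");
    return findings;
}

int main(void) {
    /* Constructed directory listings; "ballot-definition.dat" is a placeholder. */
    const char *clean[]   = { "ballot-definition.dat" };
    const char *suspect[] = { "ballot-definition.dat", "FBOOT.NB0", "Setup.INS" };
    report_card("clean card", clean, 1);
    report_card("suspect card", suspect, 3);
    return 0;
}
```

A non-zero result is not proof of tampering (a legitimate update card carries the same names), but on a machine that verifies nothing, the card listing is the only point at which the content can be checked at all, so any card that would trigger a boot-time update or script run should be reconciled against a documented, authorized update before it goes near a machine.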

Page 11

Classification of Attacks

- Vote Stealing
  - Alter votes in favor of a politician, party, or issue.
  - Does not alter the count of votes (discredits ballot stuffing).
- Denial of Service (DoS)
  - Prevents access to the machine
    - To vote, by the individual.
    - To access the voting results.
- Purposeful Election Fraud
  - Make it look like the “other guy” did it, by forcing a 100% vote in favor of the “other guy”.
  - Creates distrust in the “other guy”.

Page 12

Delivery of Attack

- EPROM
  - Attack code is created and placed on an EPROM chip
  - Attacker gains access into the voting machine and physically replaces the EPROM chip
  - Attacker changes the jumper settings so that the boot loader is loaded from the EPROM chip

Page 13

Delivery of Attack - 2 -

- Memory Card via PC Card Slot
  - Initial Delivery
    - Attack code is placed onto the memory card, including a self-replicating virus
    - Memory card is inserted into the PC Card slot prior to booting the voting machine
    - A malware boot loader is installed via the specially named file: fboot.nb0
    - The malware boot loader loads the OS in normal fashion as well as loading the attack code

Page 14

Delivery of Attack - 3 -

- Memory Card via PC Card Slot (cont.)
  - Subsequent Delivery
    - When a non-infected memory card is inserted into an infected machine, the attack code will copy itself from memory onto the memory card, thus infecting the memory card
    - When the infected memory card is removed and placed into a non-infected voting machine, the virus is copied onto the machine, infecting it as well.

Page 15

Conclusions

- Diebold AccuVote – TS electronic voting machine is a single self-contained unit.
  - Weak Security
  - Single point of failure
    - Has no real-time outside redundancy for recording votes and logs
  - Has multiple vulnerability points in both hardware and software
  - Single self-contained unit eliminates the need for a distributed attack against multiple machines simultaneously
  - No way to determine if an attack has taken place
- Runs on general-purpose hardware and OS
  - Even though it was not mentioned, probably runs under Administrator privileges
- Chain of Possession leaves the voting machine in an insecure state. No fault of the machine.