
Nicolas Nicolaou Voting Technology Research (VoTeR) Center

24th Annual ACM Symposium on Applied Computing SAC 2009, Honolulu, Hawaii. Taking Total Control of Voting Systems: Firmware Manipulations on an Optical Scan Voting Terminal. Joint work with: Seda Davtyan, Sotiris Kentros, Aggelos Kiayias, Laurent Michel,


Presentation Transcript


  1. 24th Annual ACM Symposium on Applied Computing SAC 2009, Honolulu, Hawaii
     Taking Total Control of Voting Systems: Firmware Manipulations on an Optical Scan Voting Terminal
     Joint work with: Seda Davtyan, Sotiris Kentros, Aggelos Kiayias, Laurent Michel, Alexander Russell, Narasimha Shashidhar, Andrew See and Alexander A. Shvartsman
     Nicolas Nicolaou
     Voting Technology Research (VoTeR) Center
     Department of Computer Science and Engineering
     University of Connecticut
     http://voter.engr.uconn.edu

  2. Motivation
     • Electronic Voting Technologies
     • Direct Recording Electronic (DRE)
     • Touch Screen w/ or w/out printer, not directly voter-verifiable
     • Optical Scan (OS) tabulator
     • VVPAT – Voter Verifiable Paper Audit Trail
     • Used in over 50% of counties in 2008
     • Case Study, Premier AccuVote-OS (AVOS):
     • Wide use in US elections, but…
     • Can be tampered with if memory card is removed [Hursti’05]
     • Can be tampered with if memory card is sealed in [EVT’07]
     • Reports by other workers and CA, CT, FL, AL,…
     • Safe-use procedures can be followed, but all under the assumption that firmware is trusted
     VoTeR Center – SAC’09

  3. Question
     Can the Firmware of Voting Machines be Trusted?
     In particular: Can the Firmware of AccuVote tabulator be Trusted?
     Work performed by the UConn VoTeR Center on request of the Connecticut Secretary of the State as a part of the overall effort to evaluate voting equipment, and to enable and perform effective technological audits, pre- and post-election.

  4. Our Findings
     • Firmware of AVOS can be analyzed
     • Without access to vendor specifications or source code
     • Using off-the-shelf third party tools (<$300)
     • Under the contractual right to “display or disseminate all information and data related to election results”
     • Three firmware manipulations targeting:
     • Enabling Effective Auditing:
     • Faithful and fast memory dumping
     • Audit Improvement (also potential Privacy Violation):
     • “Leak” Ballot Contents
     • Revealing Weaknesses: Alteration of Election Result
     • Swapping candidate counters

  5. Understanding the System
     • Election Management System (GEMS):
     • Ballot Design and Central Tabulation
     • Serial port communication with AVOS
     • Transferred data stored on the AVOS memory card
     • AVOS Terminal:
     • Hardware Components
     • Software Components
     • Firmware
     • Memory Card Contents

  6. Hardware
     • External
     • LCD
     • Dot Matrix Printer
     • Ballot Reader
     • Input Buttons
     • 128K 40-Pin Epson Memory Card
     • Internal
     • 8 MHz Microcontroller
     • Emulates an Intel 80186
     • 128K SRAM
     • 128K Firmware EPROM

  7. Software
     • Firmware
     • Version 1.96.6
     • Stored in a UV light erasable 128K EPROM
     • Responsible for all the functions of the terminal
     • Unencrypted / Unauthenticated: the terminal will boot modified firmware without a single warning
     • Memory Card contents
     • Programmed through GEMS
     • Election-specific programming
     • Election Data and Control Flags depending on the Elections

  8. Understanding Memory Card Format
     • Crucial for Auditing purposes
     • Memory Card can be divided in 5 major sections:
     • Header
     • Log
     • Election Data
     • Bytecode (AccuBasic)
     • Counters

  9. Gaining Access: Serial Port
     • Control over the transmission
     • One-way communication from terminal via a serial line
     • Identified AVOS communication methodology
     • Place byte to be sent in a buffer
     • Unmask the serial transmission interrupt to place the byte from the buffer on the wire

  10. Manipulation 1: AVOS as a Card Reader
     • Goal: Transmit MC data from AVOS to PC
     • Improve Auditing
     • Obtain clean and faithful image of the card contents
     • Enable auditing of large number of cards
     • Motivation
     • AVOS built-in dumping procedure
     • Unfaithful transmission of the contents
     • Potential modification of the audit log
     • Too slow for mass auditing (~2 min per card)
     • Card Reader/Writers are very hard to find and are slow
     • This type of memory card was discontinued ca. 1998
     • Even if available, the commercial reader can take 1/2 hour

  11. Manipulation 1: AVOS as a Card Reader
     • Delivery of Memory Card Data:
     • Inject a function to read the memory card contents
     • Utilizing Memory Card access control
     • Transmit one byte at a time to the serial line
     • Utilizing Serial Port access control
     • Speeding Up Card Dumping:
     • Implemented standard Run-Length Encoding algorithm
     • Large part of card data contains sequences of identical values
     • Reduced card dumping from 2 min to 20 sec
     • Enabled the dump and inspection of large number of cards
     • Avoid alteration of card contents, e.g., audit log
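The run-length encoding step of Manipulation 1, sketched from the PC (receiving) side as an added Python example; it is not the VoTeR Center's firmware or tooling. The slides do not give the wire format, so the (count, value) byte-pair framing, the function names and the constructed 128K card image are assumptions.

```python
import hashlib

CARD_SIZE = 128 * 1024  # 128K memory card, per the hardware slide

def rle_encode(data: bytes) -> bytes:
    """Emit (count, value) byte pairs, count 1..255 (assumed framing)."""
    out, i = bytearray(), 0
    while i < len(data):
        run = 1
        while i + run < len(data) and data[i + run] == data[i] and run < 255:
            run += 1
        out += bytes((run, data[i]))
        i += run
    return bytes(out)

def rle_decode(stream: bytes, expected_size: int = CARD_SIZE) -> bytes:
    """Rebuild the card image; reject truncated or malformed streams."""
    if len(stream) % 2:
        raise ValueError("truncated stream: dangling count byte")
    out = bytearray()
    for count, value in zip(stream[0::2], stream[1::2]):
        if count == 0:
            raise ValueError("zero-length run")
        out += bytes([value]) * count
        if len(out) > expected_size:
            raise ValueError("decoded image exceeds card size")
    if len(out) != expected_size:
        raise ValueError(f"short image: {len(out)} of {expected_size} bytes")
    return bytes(out)

def constructed_card() -> bytes:
    """Constructed sample: varied header, then long runs of identical bytes."""
    body = bytes(range(64)) + b"\x00" * 4096 + bytes([0, 0, 0, 7, 0, 0, 0, 12])
    return body + b"\xff" * (CARD_SIZE - len(body))

def dump_summary(image: bytes) -> dict:
    """Encode, decode, and confirm the received image is byte-for-byte faithful."""
    wire = rle_encode(image)
    restored = rle_decode(wire)
    return {
        "wire_bytes": len(wire),
        "ratio": round(len(image) / len(wire), 1),
        "faithful": hashlib.sha256(restored).digest() == hashlib.sha256(image).digest(),
    }

if __name__ == "__main__":
    print(dump_summary(constructed_card()))
```

The decoder insists on exactly one card's worth of bytes, so a dump cut short on the serial line is rejected rather than silently accepted as a smaller image.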

  12. Manipulation 2: Leaking Ballot Data
     • Dual Significance of the Result:
     • Benign alteration of firmware: Enhance Hand Count Audit
     • Potential malicious alteration: Violation of Voter Privacy
     • Implementation
     • AVOS side:
     • Transmit the candidate counters after each ballot cast
     • PC side:
     • Wait for incoming counters
     • Upon receipt of counters compute the difference of current counter image and the locally stored counter image
     • Counter difference reveals the ballot votes

  13. Manipulation 2: Leaking Ballot Data
     • Used in Hand Count Audit
     • Ballot as read by AVOS presented on the screen
     • Poll worker may verify validity of the ballot
     • Reduces audit time
     • Reduces audit errors
     • Reveals ballot read errors
     • Demonstrates Possible Violation of Voter Privacy
     • Using the same technique during the election
     • Extract order of the ballots cast
     • Next: Hybrid OS terminal that displays votes as cast
     • Voter could verify their votes as recorded by the machine

  14. Manipulation 3: Swapping Candidate Counters
     • Time Bomb Attack during Election
     • Behave “nicely” during pre-election testing
     • “Hit” during the actual elections
     • Implementing vote swapping:
     • Swap votes for predefined candidates
     • If votes < threshold do not swap
     • Also avoids pre-election testing detection
     • Otherwise swap after the elections are closed
     • Swap is done at the closing of elections and before the election report is printed

  15. Manipulation 3: Swapping Candidate Counters
     • Demonstration T=10: Pre-Election Testing
     [Figure panels: Modified Firmware, Original Firmware]

  16. Manipulation 3: Swapping Candidate Counters
     • Demonstration T=10: At Poll Closing
     [Figure panels: Modified Firmware, Original Firmware]

  17. Conclusions and Discussion
     • Demonstrated 3 AVOS firmware manipulations
     • Used for: Fast and Faithful Memory Card dumping
     • Potential for: Leaking Ballot Data
     • Potential for: Swapping Candidate Counters
     • Our results underscore the need for
     • Pre- and post-election audits
     • Incorporation of firmware cryptographic integrity check at the hardware level
     • Answer to our question:
     • Firmware of an e-voting terminal is not necessarily trustworthy
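Why the threshold in Manipulation 3 lets a small pre-election test deck pass while a post-election hand count of the paper ballots exposes the swap, as an added Python example that is not the authors' code. The candidate names, the counts and the reading of the threshold as total ballots cast are assumptions; all data is constructed.

```python
def modelled_report(true_counts, swap_pair, threshold):
    """Model of the slide's behaviour. Assumption: threshold = total ballots cast."""
    reported = dict(true_counts)
    if sum(true_counts.values()) >= threshold:
        a, b = swap_pair
        reported[a], reported[b] = true_counts[b], true_counts[a]
    return reported

def audit(hand_count, reported):
    """Compare a hand count of the paper ballots with the terminal's report."""
    diffs = {c: reported.get(c, 0) - n
             for c, n in hand_count.items() if reported.get(c, 0) != n}
    swapped = [(a, b) for a in diffs for b in diffs
               if a < b and reported.get(a) == hand_count[b]
               and reported.get(b) == hand_count[a]]
    return {
        "match": not diffs,
        "diffs": diffs,
        "swapped_pairs": swapped,
        # A swap keeps the ballot total intact, so reconciling only the
        # number of ballots against the poll book cannot reveal it.
        "totals_agree": sum(hand_count.values()) == sum(reported.values()),
    }

T = 10  # threshold used in the slides' demonstration
# Constructed data: a 6-ballot test deck and a 245-ballot election.
TEST_DECK = {"Candidate A": 3, "Candidate B": 2, "Candidate C": 1}
ELECTION = {"Candidate A": 120, "Candidate B": 85, "Candidate C": 40}
PAIR = ("Candidate A", "Candidate B")

def run_audits():
    """Return (pre-election test audit, post-election hand-count audit)."""
    pre = audit(TEST_DECK, modelled_report(TEST_DECK, PAIR, T))
    post = audit(ELECTION, modelled_report(ELECTION, PAIR, T))
    return pre, post

if __name__ == "__main__":
    for label, result in zip(("pre-election", "post-election"), run_audits()):
        print(label, result)
```

A test deck only exercises the altered path if it is at least as large as the threshold, which the tester cannot know in advance; the hand count does not depend on the firmware at all.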

  18. Thank you! Questions?
