Security Analysis of the Diebold AccuVote – TS Voting Machine


Security Analysis of the Diebold AccuVote-TS Voting Machine
Feldman, Halderman and Felten
Presented by: Ryan Lehan
October 22, 2008
CSC 682

Outline

- Overview of Diebold AccuVote-TS Voting Machine
- Vulnerability Points
  - Hardware
  - Software
- Classification of Attacks
- Delivery of Attacks
- Conclusion

Diebold AccuVote-TS

- Manufactured by Diebold Election Systems
  - Subsidiary of Diebold, a manufacturer of ATMs
  - Now Premier Election Systems
- DRE: Direct Recording Electronic voting machine
  - Voters use the machine to record and cast their vote
  - The machine is used to tally the votes
- Custom software (Ballot Station) runs on top of Windows CE

Vulnerability Points - Hardware

(Refer to the labelled hardware figure on page 6 of the report; the letters below are its labels.)

- Access is secured by a commonly used lightweight lock.
- EPROM (E): replace the EPROM with one carrying malware
- PC Card slot (S): used to replace the existing software as well as to load malware
- Flash ext slot (G): used to load malware
- Keyboard (R) and mouse (U) ports: used to alter the OS configuration
- Serial keypad connector (O): open communication port
- Infrared transmitter and receiver (N): open communication port

Vulnerability Points - Software

- Boot process
- Software updates
- Scripting
- Authenticity / authorization

Boot Process

- The bootloader is loaded into memory
  - Its location is determined by jumpers on the mainboard:
    - EPROM (E)
    - Onboard flash memory (C)
    - Flash memory module in the “ext flash” slot
- The bootloader looks in the PC Card slot for a memory card
  - It looks for specially named files:
    - fboot.nb0: replacement bootloader, copied into onboard flash
    - nk.bin: replacement operating system image file
    - EraseFFX.bsq: erases the file system area of the flash

Boot Process (cont.)

- The OS (Windows CE) is decompressed, loaded into memory and then started.
- The OS uses a customized ‘taskman.exe’, which:
  - automatically launches ‘BallotStation.exe’
  - however, if a memory card present in the PC Card slot contains a file called ‘explorer.glb’, launches Windows Explorer instead of ‘BallotStation.exe’
  - searches for script files ending in ‘.ins’ and runs them (with user confirmation)


Software Updates

- Take place during the boot loading process
- The bootloader looks for specially named files on the memory card
- These overwrite the existing files in the onboard flash memory
- No confirmation is needed
- Messages are printed on screen only
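As an added illustration of the boot-process and software-update slides above (this is not code from the presentation or from the Feldman, Halderman and Felten study), the following Python screens a memory card's directory listing for the file names that the bootloader and the customized taskman.exe treat specially, so that a card can be checked and quarantined before it is inserted into a machine. The file names are the ones the slides list; the listings, the severity labels and the function names are assumptions constructed for this example.

```python
"""Screen a memory card's file listing for names the AccuVote-TS boot
process treats specially.  Added example; listings below are constructed."""
import fnmatch

# File names taken from the slides; the effect text paraphrases them.
# Severity labels are an assumption made for this example.
SPECIAL_FILES = {
    "fboot.nb0":    ("bootloader replacement, copied into onboard flash", "critical"),
    "nk.bin":       ("operating system image replacement", "critical"),
    "eraseffx.bsq": ("erases the file system area of the flash", "critical"),
    "explorer.glb": ("launches Windows Explorer instead of BallotStation", "high"),
}
SCRIPT_GLOB = "*.ins"   # scripts that taskman.exe runs after user confirmation


def screen_card(filenames):
    """Return (name, effect, severity) for every file that the boot process
    or taskman.exe would act on.

    Matching is case-insensitive because the card's FAT file system does not
    distinguish case, so FBOOT.NB0 would be picked up just like fboot.nb0.
    """
    findings = []
    for name in filenames:
        lowered = name.lower()
        if lowered in SPECIAL_FILES:
            effect, severity = SPECIAL_FILES[lowered]
            findings.append((name, effect, severity))
        elif fnmatch.fnmatch(lowered, SCRIPT_GLOB):
            findings.append((name, "script run at boot (user-confirmed)", "medium"))
    return findings


def card_is_clean(filenames):
    """True when nothing on the card would alter flash or bypass BallotStation."""
    return not screen_card(filenames)


# Constructed listings: an ordinary election card and a tampered one.
# (The .edb/.brs names are placeholders, not real AccuVote file names.)
CLEAN_CARD = ["election.edb", "results.brs"]
TAMPERED_CARD = ["election.edb", "FBOOT.NB0", "setup.ins", "Explorer.glb"]

if __name__ == "__main__":
    for name, effect, severity in screen_card(TAMPERED_CARD):
        print(f"{severity:8} {name}: {effect}")
```

Run as a pre-insertion check, the screen flags the tampered listing three times (bootloader replacement, a boot-time script, and the Explorer switch) and passes the ordinary card; it does not inspect file contents, so it catches the delivery mechanism the slides describe rather than any particular payload.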

Scripts

- Scripts are loaded via a memory card in the PC Card slot
- Execution of each script requires user confirmation
- Multiple stack-based buffer overflows were found in the handling of the script files
  - suggesting that malformed .ins files could bypass user confirmation

Authenticity / Authorization

- At no time during boot loading or script execution was there a check to validate the authenticity of any of the files on the memory card.
- At no time was a user, supervisor, or administrator asked to log in to the machine.
- Without authentication, authorization to perform updates and script execution is non-existent.
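As an added example (not from the presentation or the study), the following Python contrasts the update path the slides describe, where any specially named file is copied over flash with no authenticity check and no login, with a loader that refuses an update unless an authenticated supervisor is present and each file carries a valid detached signature. HMAC-SHA256 with a shared key stands in for the asymmetric signature a real design would use, so that the example runs with the standard library only; the key, the file contents, the session structure and the `<name>.sig` naming are assumptions.

```python
"""Unauthenticated update path (as on the slides) beside a loader that
checks authenticity and authorization first.  Added example."""
import hashlib
import hmac

UPDATE_NAMES = ("fboot.nb0", "nk.bin", "EraseFFX.bsq")   # names from the slides


def load_updates_unauthenticated(card, flash):
    """Mirror the slides: every specially named file on the card is copied
    over flash.  No signature check, no login, only an on-screen message."""
    applied = []
    for name in UPDATE_NAMES:
        if name in card:
            flash[name] = card[name]
            applied.append(name)
    return applied


def sign(key, name, blob):
    """Detached tag over file name and contents.  HMAC stands in for the
    vendor's asymmetric signature (assumption for this example)."""
    return hmac.new(key, name.encode() + b"\0" + blob, hashlib.sha256).hexdigest()


def load_updates_verified(card, flash, key, session):
    """Hardened path: an authenticated supervisor must be present and every
    update file must carry a valid <name>.sig before anything is written."""
    if session.get("role") != "supervisor":
        return "refused: no authenticated supervisor"
    verified = []
    for name in UPDATE_NAMES:
        if name not in card:
            continue
        tag = card.get(name + ".sig", "")          # missing .sig -> empty tag
        expected = sign(key, name, card[name])
        if not hmac.compare_digest(tag, expected):
            return f"refused: bad signature on {name}"
        verified.append(name)
    # Write only after every file passed, so a rejected card leaves flash untouched.
    for name in verified:
        flash[name] = card[name]
    return "applied: " + ",".join(verified) if verified else "nothing to apply"


# Constructed material for the demonstration.
VENDOR_KEY = b"constructed-demo-key"
GENUINE_BOOTLOADER = b"genuine bootloader image (constructed)"
ROGUE_BOOTLOADER = b"unsigned bootloader image (constructed)"


def demo():
    """Run a rogue card and a properly signed card through both loaders."""
    flash = {"fboot.nb0": GENUINE_BOOTLOADER}
    rogue_card = {"fboot.nb0": ROGUE_BOOTLOADER}
    signed_card = {"fboot.nb0": GENUINE_BOOTLOADER,
                   "fboot.nb0.sig": sign(VENDOR_KEY, "fboot.nb0", GENUINE_BOOTLOADER)}
    results = {}

    unauth_flash = dict(flash)
    results["unauthenticated"] = load_updates_unauthenticated(rogue_card, unauth_flash)
    results["unauth_flash_replaced"] = unauth_flash["fboot.nb0"] == ROGUE_BOOTLOADER

    hard_flash = dict(flash)
    results["no_login"] = load_updates_verified(rogue_card, hard_flash, VENDOR_KEY, {})
    results["rogue_card"] = load_updates_verified(
        rogue_card, hard_flash, VENDOR_KEY, {"role": "supervisor"})
    results["signed_card"] = load_updates_verified(
        signed_card, hard_flash, VENDOR_KEY, {"role": "supervisor"})
    results["hard_flash_intact"] = hard_flash["fboot.nb0"] == GENUINE_BOOTLOADER
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened loader checks authorization (a logged-in supervisor) before authenticity (the signature) and verifies every file before writing any, which is the property the slides say the real boot process lacks on both counts.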

Classification of Attacks

- Vote stealing
  - Alter votes in favor of a politician, party, or issue.
  - Does not alter the count of votes (which rules out ballot stuffing as an explanation).
- Denial of service (DoS)
  - Prevents access to the machine:
    - by the individual, to vote
    - to access the voting results
- Purposeful election fraud
  - Make it look like the “other guy” did it, by forcing a 100% vote in favor of the “other guy”.
  - Creates distrust in the “other guy”.

Delivery of Attack

- EPROM
  - Attack code is created and placed on an EPROM chip
  - The attacker gains access into the voting machine and physically replaces the EPROM chip
  - The attacker changes the jumper settings so that the bootloader is loaded from the EPROM chip

Delivery of Attack (cont.)

- Memory card via PC Card slot: initial delivery
  - Attack code is placed onto the memory card, including a self-replicating virus
  - The memory card is inserted into the PC Card slot prior to booting the voting machine
  - A malware bootloader is installed via the specially named file fboot.nb0
  - The malware bootloader loads the OS in the normal fashion and also loads the attack code

Delivery of Attack (cont.)

- Memory card via PC Card slot: subsequent delivery
  - When a non-infected memory card is inserted into an infected machine, the attack code copies itself from memory onto the memory card, infecting the card
  - When the infected memory card is removed and placed into a non-infected voting machine, the virus is copied onto that machine, infecting it as well

Conclusions

- The Diebold AccuVote-TS electronic voting machine is a single self-contained unit.
- Weak security:
  - Single point of failure
  - Has no real-time outside redundancies for recording votes and logs
  - Has multiple vulnerability points in both hardware and software
  - Being a single self-contained unit eliminates the need for a distributed attack against multiple machines simultaneously
  - No way to determine if an attack has taken place
  - Runs on general-purpose hardware and OS
  - Even though it was not mentioned, it probably runs under Administrator privileges
- Chain of possession leaves the voting machine in an insecure state. No fault of the machine.