Attack Scenario 1


Security Evaluation of the Sequoia Voting System
Sandhya Jognipalli
Outline
o Introduction
o Overview of Sequoia Voting System
o Known Issues
o Findings
o Attack Scenarios
o Conclusions
Introduction
o The use of computers for voting and tallying introduces serious concerns about the integrity and confidentiality of the voting process
o Testing assumes two classes of threats:
  o Insiders
  o Outsiders
o System security depends on the proper application of procedures, so the evaluation also examines the consequences of any failure to follow those procedures
System Overview
o The Sequoia voting system collects votes in three ways: touchscreen machines, paper ballots scanned at polling places, and paper ballots scanned at election offices
o Components and versions under evaluation:
  WinEDS, version 3.1.012
  AVC Edge Model I, firmware version 5.0.24
  AVC Edge Model II, firmware version 5.0.24
  VeriVote Printer
  Optech 400-C/WinETP firmware version 1.12.4
  Optech Insight, APX K2.10, HPX K1.42
  Optech Insight Plus, APX K2.10, HPX K1.42
  Card Activator, version 5.0.21
  HAAT Model 50, version 1.0.69L
  Memory Pack Reader (MPR), firmware version 2.15
  Various removable media:
    o Results Cartridges
    o USB flash drives
    o Voter Smartcards
    o Memory packs
[Slide diagram: data flow between the Election Office and the Polling place. Election Office side: WinEDS, MemoryPack Receiver, Optech 400-C. Polling place side: HAAT, Card Activator, Edge, Insight, voters. Media carried between them: USB stick (WinEDS to HAAT), cartridge (WinEDS to Edge and back), Voter Card (HAAT or Card Activator to the voter to the Edge), MemoryPack (MemoryPack Receiver to Insight), floppy disk (WinEDS to Optech 400-C), paper ballots (voter to Insight at the polling place and to the Optech 400-C at the election office).]
WinEDS
o WinEDS is the Election Database System
o WinEDS is a software program that runs on Windows PCs for entering, editing, collecting, and reporting on election information stored in a Microsoft SQL Server database
o Multiple computers running WinEDS all access a common database over a network on a computer running Microsoft SQL Server
WinEDS on a network
[Slide diagram: Election Office Network with several WinEDS workstations connected to one Microsoft SQL Server; a "?" marks an unspecified further network connection.]
HAAT
o HAAT (Hybrid Activator, Accumulator and Transmitter) is a portable, shoe-box-sized device used primarily to activate the Voter Cards used by the Edge DRE
o The HAAT and the Card Activator are both devices used in polling places
Card Activator
o The Card Activator (CA) is a component of the AVC Edge system and serves as the voter's access to the AVC Edge direct-recording electronic touch-screen voting system
o A CA is used in place of the HAAT; the Card Activator is similar in size and shape to the HAAT
AVC Edge
o The Edge is a stand-alone Direct Recording Electronic (DRE) voting machine
o The Edge is a touchscreen voting machine accompanied by a Voter-Verified Paper Audit Trail (VVPAT) printer (the VeriVote), which produces a paper record of the vote for review by the voter
Optech 400-C
o The Optech 400-C is a machine for quickly scanning large stacks of paper ballots at an election office
Optech Insight and Insight Plus
o The Insight and Insight Plus are precinct-based optical scanners installed on top of a ballot box at a polling place
MemoryPack Receiver (MPR)
o The MemoryPack Receiver is a device for reading and writing MemoryPacks
Removable Media
o SmartCards are simple, memory-constrained devices used as hardware tokens:
  o They authenticate a voter to an AVC Edge
  o They authorize the voter to cast a single ballot
o Cartridges carry election information and cast ballot records between WinEDS and the Edges
o MemoryPacks carry ballot information and vote counts between WinEDS and the Insights
o Floppy disks carry ballot information and vote counts between WinEDS and the Optech 400-Cs
o USB flash drives transfer an election definition from WinEDS to a HAAT
Lines of code & languages in the Sequoia source code

Component                            Language        Code only   Code and comments
WinEDS 3.1                           C                    1038                1594
                                     C++                121640              228765
                                     PowerBuilder       230027              355502
                                     SQL                 86222              114249
                                     Visual Basic        10260               16772
Edge (AVC Edge 5.0.24)               C                  124043              212731
                                     x86 assembly        99521              124657
VeriVote (VVPAT 4.3)                 PIC assembly          245                 353
ADA Audio Board 5.0                  C                    1328                1956
Card Activator (Card Activator 5.0)  C                    8907               14238
HAAT 50 (HAAT 1.0.69L)               8051 assembly        5368                5891
                                     C                     535                 963
                                     C++                  2886                5640
                                     C#                  38648              120246
Insight (HPX 1.42, APX 2.10)         Z80 assembly        24405               46452
MemoryPack Receiver (MPR 2.15)       Z80 assembly         5679                9714
Optech 400-C (WinETP 1.12.4)         C                     561                1007
                                     C++                 45361               83229
                                     x86 assembly          273                 612
Total                                                   806947             1344571
Known Issues
o The Electronic Frontier Foundation (EFF) published a list of known problems
o The Alameda County evaluation
o Multiple votes attack

The Alameda County evaluation: the Sequoia voting system was evaluated by Pacific Design Engineering for Alameda County, and the problems they found can be summarized as follows:
o WinEDS and the other servers exchange passwords as unencrypted text when communicating
o The Edge uses constant hashes and DES encryption keys, which can be recovered by anyone with physical access to a machine
o The Edge's memory cartridge results are not bound together cryptographically, so the contents of one cartridge can be copied onto another
o The WinEDS system runs on Windows and therefore inherits the vulnerabilities associated with that operating system

Multiple votes attack: an attack enabling a voter to vote multiple times without the need for an activated SmartCard has been reported
Findings
o Some important security issues:
o Arbitrary Code Execution: an attacker can overwrite the AVC Edge firmware with a malicious version
  o Developing the exploit was made easier by the fact that the Edge runs a proprietary OS
o File Overwriting: the AVC Edge firmware is vulnerable to a directory traversal attack through which an attacker can name, and overwrite, the files containing the boot loader and the system firmware
o Accuracy Testing Mode Detection: on the Edge, the pre-election correctness test is performed by switching the machine into a specific "Logic and Accuracy Test" (LAT) mode, so malicious firmware can recognize when it is being tested and behave correctly only then
o Execution of Modified Firmware: there is no way to determine which version of the firmware is actually running on an Edge device; the version the machine displays is produced by that same, possibly modified, firmware
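Added worked example (not part of the original slides, the TTBR report or Sequoia's code): the "Execution of Modified Firmware" finding in code. The image bytes, the manifest, the serial numbers and the EdgeVersionScreen class are constructed stand-ins; the point is the difference between asking the machine for its version and measuring the image taken off its compact flash card.

```python
"""Added example, not from the TTBR report or from Sequoia: a firmware version
reported by the machine is a claim made by whatever firmware is running, so
verification must measure the image from outside the device.

Hypothetical throughout: the image bytes, the manifest, the serial numbers and
the EdgeVersionScreen stand-in are constructed for this demonstration. A real
check hashes the image read from the removed compact flash card (or a debug
port dump), never a value the firmware itself prints.
"""
import hashlib

GENUINE_IMAGE = b"AVC Edge firmware 5.0.24 [constructed image bytes]"
MODIFIED_IMAGE = GENUINE_IMAGE + b" [attacker patch]"   # keeps the same banner

# Certified images, keyed by SHA-256 of the exact bytes. In practice this is a
# signed manifest from the certification lab, verified before use.
MANIFEST = {hashlib.sha256(GENUINE_IMAGE).hexdigest(): "5.0.24"}


class EdgeVersionScreen:
    """Stand-in for the device's own version display. Modified firmware can
    print anything, so both images report the certified version."""

    def __init__(self, image):
        self.image = image

    def reported_version(self):
        return "5.0.24"


def check_by_self_report(screen):
    """What an official can do at the machine: ask it. Passes for both images."""
    return screen.reported_version() in MANIFEST.values()


def identify_by_measurement(image):
    """Certified version for these exact bytes, or None if the manifest does
    not know the image."""
    return MANIFEST.get(hashlib.sha256(image).hexdigest())


def audit(devices):
    """devices: serial -> (EdgeVersionScreen, image bytes dumped from its card).
    Returns serial -> verdict string; anything other than 'OK ...' means the
    machine must not be used for voting."""
    verdicts = {}
    for serial, (screen, dumped) in devices.items():
        claimed = screen.reported_version()
        measured = identify_by_measurement(dumped)
        if measured is None:
            verdicts[serial] = f"UNCERTIFIED image (claims {claimed})"
        elif measured != claimed:
            verdicts[serial] = f"MISMATCH: image is {measured}, claims {claimed}"
        else:
            verdicts[serial] = f"OK {measured}"
    return verdicts


# Constructed fleet: one genuine machine, one running a patched image.
FLEET = {
    "EDGE-1001": (EdgeVersionScreen(GENUINE_IMAGE), GENUINE_IMAGE),
    "EDGE-1002": (EdgeVersionScreen(MODIFIED_IMAGE), MODIFIED_IMAGE),
}


def demo():
    return audit(FLEET)


if __name__ == "__main__":
    for serial, verdict in demo().items():
        print(serial, verdict)
```

The self-report check accepts the patched machine; only the hash of the dumped image distinguishes the two. The manifest itself has to come from somewhere the firmware cannot influence, which is why it is assumed signed and checked before use.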
Continuation…
o Availability of an Interpreter in Violation of Guidelines: the Edge firmware was found to include a shell-like scripting language interpreter
  o This language includes, among others, several interesting commands:
    o A command to set the protective counter of the machine, which Sequoia representatives had described as tamper-proof
    o A command to set the machine's serial number
    o A command that can be used to overwrite arbitrary files on the internal compact flash drive, including the system firmware or the audit trail
    o Commands to reboot the machine at will
o Arbitrary Directory Creation Through Traversal Attack: the AVC Edge ballot loading logic is vulnerable to a directory traversal attack that leads to a denial of service
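Added worked example, not code from the slides, the TTBR report or Sequoia: the two directory traversal findings (overwriting the boot loader or firmware files, and arbitrary directory creation through the ballot loading logic) reduced to a small loader. The directory layout, cartridge contents and function names are hypothetical. The vulnerable loader shows how a file name taken from a cartridge reaches the firmware file; the hardened loader shows the containment check a practitioner would add.

```python
"""Added example, not code from the TTBR report or from Sequoia: how a ballot
loader that trusts file names taken from a cartridge turns into a file
overwrite primitive, and the containment check that closes it.

Everything is hypothetical: the directory layout, the cartridge contents and
the function names are constructed for this demonstration.
"""
import os
import tempfile

GENUINE_FW = b"genuine firmware image"
MALICIOUS_FW = b"malicious firmware image"

# Constructed cartridges: ballot file name -> contents, as the Edge would read
# them from removable media. The hostile one names a file outside ballots/.
BENIGN_CARTRIDGE = {"ballot1.bin": b"precinct 1", "ballot2.bin": b"precinct 2"}
HOSTILE_CARTRIDGE = {
    "ballot1.bin": b"precinct 1",
    "../../firmware/edge.bin": MALICIOUS_FW,   # traversal out of ballots/
}


def load_ballots_vulnerable(work_dir, cartridge):
    """Naive loader: joins the untrusted name onto the ballot directory and
    writes whatever the cartridge supplies. os.path.join does not stop '..'."""
    ballot_dir = os.path.join(work_dir, "ballots")
    os.makedirs(ballot_dir, exist_ok=True)
    written = []
    for name, data in cartridge.items():
        path = os.path.join(ballot_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(os.path.realpath(path))
    return written


def load_ballots_hardened(work_dir, cartridge):
    """Two checks: (1) the name must be a single path component, since ballot
    files never live in subdirectories; (2) the resolved destination must
    still lie inside the ballot directory. (2) also covers absolute names and
    symlink tricks that a textual '..' filter would miss."""
    ballot_dir = os.path.realpath(os.path.join(work_dir, "ballots"))
    os.makedirs(ballot_dir, exist_ok=True)
    written = []
    for name, data in cartridge.items():
        if name in ("", ".", "..") or os.path.basename(name) != name:
            raise ValueError(f"rejected ballot name {name!r}")
        path = os.path.realpath(os.path.join(ballot_dir, name))
        if os.path.commonpath([ballot_dir, path]) != ballot_dir:
            raise ValueError(f"{name!r} resolves outside the ballot directory")
        with open(path, "wb") as fh:
            fh.write(data)
        written.append(path)
    return written


def _install_firmware(root):
    """Constructed stand-in for the firmware file on the internal flash."""
    fw = os.path.join(root, "firmware", "edge.bin")
    os.makedirs(os.path.dirname(fw), exist_ok=True)
    with open(fw, "wb") as fh:
        fh.write(GENUINE_FW)
    return fw


def _read(path):
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Returns (firmware after vulnerable load, firmware after hardened load,
    whether the hardened loader rejected the hostile cartridge)."""
    with tempfile.TemporaryDirectory() as root:
        fw = _install_firmware(root)
        load_ballots_vulnerable(os.path.join(root, "edge"), HOSTILE_CARTRIDGE)
        after_vulnerable = _read(fw)

        fw = _install_firmware(root)            # restore the genuine image
        try:
            load_ballots_hardened(os.path.join(root, "edge"), HOSTILE_CARTRIDGE)
            rejected = False
        except ValueError:
            rejected = True
        after_hardened = _read(fw)
    return after_vulnerable, after_hardened, rejected


def benign_count():
    """The hardened loader still accepts a well-formed cartridge."""
    with tempfile.TemporaryDirectory() as root:
        return len(load_ballots_hardened(os.path.join(root, "edge"), BENIGN_CARTRIDGE))


if __name__ == "__main__":
    print(demo(), benign_count())
```

The same check applies to the denial-of-service variant: a name that resolves to a directory the firmware must not create is refused before anything touches the filesystem.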
Continuation…
o Automatic Execution of Code: the WinEDS host operating system, as provided and configured by Sequoia, is set up to execute an "autorun" file whenever removable media is inserted
o Security of the MS SQL Server: the documentation states that "WinEDS currently does NOT utilize code outside of MS SQL Server and no connections or permissions are required on the server. The election data stored on the server can only be modified by authorized users only through the application." Attack Scenario 7 below shows why this does not hold: a WinEDS workstation's own connection to the SQL Server can be used to install a program on the server
o Votes Encrypted Using Static Key: the contents of the Results Cartridge are encrypted under a static key and are not protected by any cryptographic signature, so they can easily be modified
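Added worked example, not from the slides, the TTBR report or Sequoia, covering both the Alameda finding that cartridge results are not bound together cryptographically and the "Votes Encrypted Using Static Key" finding above. The keys, serial numbers, record layout and toy stream cipher are constructed; DES is replaced by a SHA-256 counter-mode keystream solely to model encryption without integrity, and HMAC-SHA256 over the election id, machine serial and cartridge serial is the added fix, not the product's mechanism.

```python
"""Added example, not code from the TTBR report or from Sequoia: results records
that are only encrypted under a static key can be copied from one cartridge
onto another and edited without detection; a MAC that covers the election,
the machine and the physical cartridge makes both detectable.

Everything is constructed: record layout, keys, serial numbers, and the toy
stream cipher (a SHA-256 counter-mode keystream standing in for DES under a
static key). HMAC-SHA256 is the added fix, not the product's mechanism.
"""
import hashlib
import hmac
import json

STATIC_KEY = b"one-key-in-every-edge"                 # as-found model
ELECTION_KEY = b"per-election-key-issued-by-WinEDS"   # hardened model


def _keystream(key, n):
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def _encode(results):
    return json.dumps(results, sort_keys=True).encode()


# --- as found: encrypted, but bound to nothing ------------------------------
def write_unbound(results):
    return _xor(_encode(results), STATIC_KEY)


def read_unbound(blob, cartridge_serial):
    """WinEDS-side read. The reader knows which cartridge it holds, but nothing
    in the blob can be checked against that: any blob that decrypts is taken
    as this cartridge's results."""
    del cartridge_serial
    return json.loads(_xor(blob, STATIC_KEY))


# --- hardened: authenticate the record together with its identities ----------
def _aad(election_id, machine_serial, cartridge_serial):
    return f"{election_id}|{machine_serial}|{cartridge_serial}|".encode()


def _tag(body, election_id, machine_serial, cartridge_serial):
    msg = _aad(election_id, machine_serial, cartridge_serial) + body
    return hmac.new(ELECTION_KEY, msg, hashlib.sha256).digest()


def write_bound(results, election_id, machine_serial, cartridge_serial):
    body = _encode(results)
    return body, _tag(body, election_id, machine_serial, cartridge_serial)


def read_bound(record, election_id, machine_serial, cartridge_serial):
    """Results only if the tag binds them to exactly this election, machine and
    physical cartridge; else None. Confidentiality, if wanted, is layered on as
    encrypt-then-MAC; integrity is the property that was missing."""
    body, tag = record
    expected = _tag(body, election_id, machine_serial, cartridge_serial)
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


RESULTS_A = {"precinct": "A", "alice": 120, "bob": 80}   # constructed


def copy_attack_as_found():
    """Duplicate machine A's cartridge bytes onto cartridge CART-56 and read
    them back as that cartridge: accepted, so precinct A is counted twice."""
    return read_unbound(write_unbound(RESULTS_A), "CART-56") == RESULTS_A


def tamper_as_found():
    """A stream cipher is malleable: flipping ciphertext bits flips the same
    plaintext bits, so anyone who knows the layout edits a count without the
    key. Here '"bob": 80' becomes '"bob": 89'."""
    blob = bytearray(write_unbound(RESULTS_A))
    pos = _encode(RESULTS_A).index(b'"bob": 80') + len(b'"bob": 8')
    blob[pos] ^= ord("0") ^ ord("9")
    return read_unbound(bytes(blob), "CART-55")


def copy_attack_hardened():
    """Same bytes presented as another machine and cartridge: rejected."""
    record = write_bound(RESULTS_A, "2007-GEN", "EDGE-1001", "CART-55")
    return (read_bound(record, "2007-GEN", "EDGE-1001", "CART-55") == RESULTS_A
            and read_bound(record, "2007-GEN", "EDGE-1002", "CART-56") is None)


def tamper_hardened():
    """Editing a count in the body invalidates the tag."""
    body, tag = write_bound(RESULTS_A, "2007-GEN", "EDGE-1001", "CART-55")
    forged = body.replace(b'"bob": 80', b'"bob": 800')
    return read_bound((forged, tag), "2007-GEN", "EDGE-1001", "CART-55") is None
```

The MAC key must itself be per election and issued by WinEDS, not burned into every machine; a static MAC key would reproduce the original problem, since anyone who pulled it from one Edge could re-tag any cartridge.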
Continuation…
o Possible Unsafe OS Choices: the WinEDS documentation states that Windows 98 could be used for the WinEDS client machine
  o Windows 98 (like the other Windows 9x versions) provides no user-level security
o Physical Security: there are serious concerns about the physical security of the different hardware components
o Reversible Password Hash: the password stored on the update cartridge is not stored as a one-way hash, so it can be recovered from the stored value
o Forging Update Cards and Voter Cards: Voter SmartCards can be forged because their contents are DES-encrypted using a static key; anyone who recovers the key from one machine can produce valid cards
Successful Attack Scenarios
o Attack Scenario 1: an attacker drops a USB flash drive into the pool of USB drives used to initialize the HAAT systems
  o When the drive is inserted in the computer on which WinEDS is running, its autorun file executes the attacker's code on that machine
  o A cartridge prepared on the compromised WinEDS machine is then inserted in an Edge machine to load the ballots, carrying the attacker's payload (the firmware overwrite described under Findings) to the Edge
  o The malicious firmware modifies the ballot to give an advantage to a certain candidate
o Attack Scenario 2: the malicious firmware takes advantage of "fleeing" voters (voters who leave before completing the casting process)
  o The poll worker who closes out the session has no access to the content of the ballot
  o The firmware records a modified vote
Continuation…
o Attack Scenario 3: in this case the firmware prints a copy of the voter's actual choices on the paper record
  o The firmware displays "Please Wait, Recording Vote" for a few seconds
  o It then displays "Thank you", as if the vote had been recorded, but the machine prints "VOIDED" on the paper record
o Attack Scenario 4: after the machine prints "VOIDED", instead of returning to the ballot, it completes the voting process by casting a modified vote
o Attack Scenario 5: an attacker replaces the flash card holding the firmware with one containing malicious firmware
Continuation…
o Attack Scenario 6: an attacker obtains the static key used to encrypt the voter cards
  o With it, the attacker creates a number of valid voter cards and votes multiple times
o Attack Scenario 7: the election functionality on a WinEDS workstation connects directly to the MS SQL Server running on a separate WinEDS server machine
  o Using that connection, the attacker transfers a malicious program into the database and installs it on the WinEDS server
  o The installed program can be left on the machine as a Trojan
Potential Attack Scenarios
o Attack Scenario 8: an authorized user gets access to a 400-C machine
  o Reboots the PC from a bootable CD containing a different OS
  o The attacker then installs a Trojan application on the Windows system installed on the PC
  o The Trojan modifies the votes as they are tallied
  o Its malicious behavior can be hidden from the LAT procedures
Conclusion
o The vulnerabilities found could be exploited by a determined attacker to modify the results of an election
o No knowledge of the source code was required: implementing the attacks did not depend on access to it