Security Failures in Electronic Voting Machines

1
Security Failures in Electronic Voting Machines

• Ariel Feldman Alex Halderman Edward Felten
• Center for Information Technology Policy
• Department of Computer Science
• Princeton University

2
http//itpolicy.princeton.edu
3
(No Transcript)
4
(No Transcript)
5
2000 Recount Debacle Legislative
response Help America Vote Act Provided 3.9
billion to statesto upgrade voting machines by
November 2006
6
DREs to the Rescue?

• Direct Recording Electronic Store votes in
  internal memory

7
DREs are Computers
Rootkits
Viruses
Attacks
Bugs
8
(No Transcript)
9
(No Transcript)
10
Diebolds History of Secrecy

• Uses NDAs to prevent states from allowing
  independent security audits
• Source code leaked in 2003, researchers at Johns
  Hopkins found major flaws
• Diebold responded with vague legal
  threats,personal attacks, disinformation
  campaign
• Internal emails leaked in 2003 reveal poor
  security practices by developers
• Diebold tried to suppress sites with legal threats

11
We Get a Machine(2006)

• Obtained legally from an anonymous private party
• Software is 2002 version, but certified and used
  in actual elections
• First complete, public, independent security
  audit of a DRE

12
Research Goals

• Conduct independent security audit
• Confirm findings of previous researchers(Hursti,
  Kohno et al.)
• Verify threats by implementing attack demos

Who wants to know? Voters, candidates,
election officials, policy makers, researchers
13
SH3 CPU
32 MB SDRAM
128 KB EPROM
16 MB Flash
Removable Flash Memory Card
14
BallotStation
(Internal Flash)
WinCE 3.0 Kernel
(Internal Flash)
Bootloader
(Internal Flash or EPROM)
15
(No Transcript)
16
Our Findings

• Malicious software running on the machine can
  steal votes undetectably, altering all backups
  and logs
• Anyone with physical access to the machine or
  memory card can install malicious code in as
  little as one minute
• Malicious code can spread automatically and
  silently from machine to machine in the form of a
  voting machine virus

17
Vulnerabilities

• Malicious software running on the machine can
  steal votes undetectably, altering all backups
  and logs
• Anyone with physical access to the machine or
  memory card can install malicious code in as
  little as one minute
• Malicious code can spread automatically and
  silently from machine to machine in the form of a
  voting machine virus

18
(Video Demonstration)
19
Correct result George 5, Benedict 0
20
(No Transcript)
21
BallotStation
Stuffer
WinCE 3.0 Kernel
Bootloader
22
Stealing Votes
Primary Vote Record
Backup Vote Record
Audit Log
(President George) (President
Benedict) (President George)
(President Benedict) (President
Benedict) (President George)
Stuffer
23
(No Transcript)
24
Vulnerabilities

• Malicious software running on the machine can
  steal votes undetectably, altering all backups
  and logs
• Anyone with physical access to the machine or
  memory card can install malicious code in as
  little as one minute
• Malicious code can spread automatically and
  silently from machine to machine in the form of a
  voting machine virus

25
(No Transcript)
26
EXPLORER.GLB
27
BallotStation
WinCE 3.0 Kernel
EBOOT.NB0
Bootloader
28
BallotStation
WinCE 3.0 Kernel
EBOOT.NB0
Bootloader
29
128 KB EPROM
EBOOT.NB0
Jumper Table
30
Weakness in Depth

• Manually install using Explorer
• Replace boot firmware
• Replace boot EPROM

31
(No Transcript)
32
The Key
33
(No Transcript)
34
Weakness in Depth

• Key Commonly Available
• Lock Easy-to-Pick
• Key Pictured on Web Site

35
Tamper-Evident Seals?
36
Vulnerabilities

• Malicious software running on the machine can
  steal votes undetectably, altering all backups
  and logs
• Anyone with physical access to the machine or
  memory card can install malicious code in as
  little as one minute
• Malicious code can spread automatically and
  silently from machine to machine in the form of a
  voting machine virus

37
The Viral Lifecycle Infection
ÿ
EBOOT.NB0
VIRUS.EXE
EBOOT.NB0
VIRUS.EXE
38
The Viral Lifecycle Propagation
EBOOT.NB0
VIRUS.EXE

• What if the viral firmware sees EBOOT.NB0?
• Hidden ? Ignore it
• Non-hidden ? Fake a firmware update

39
Voting Machine Virus
40
Viral Spread
41
Are all DREs this bad?
42
(No Transcript)
43
(No Transcript)
44
Memory Organization

• Diebold AccuVote

Sequoia AVC
Firmware
Firmware Ballots Votes
EPROM (RO)
Flash Memory (RW)
Ballots Votes
NV-RAM (RW)
45
We can do better!
46
Why Vote Electronically?

• Voters prefer it
• Faster reporting
• Fewer undervotes
• Improved accessibility
• Potentially increased security

47
Low-Tech vs. High-Tech

• Paper Ballots
• Low-cost cheating(ballot stuffing)
• Small scale tampering(individual precincts)

• Electronic Voting
• High-cost cheating(viral attacks)
• Large scale tampering(counties or states)

Leverage these complementary failure modes for
greater security.
48
Paper to the Rescue

• Voter-Verified Paper Audit Trails (VVPAT)
• DRE prints a paper ballot, voter verifies and
  places in a ballot box
• At a few random precincts, paper ballots counted
  to ensure machines totals are accurate
• If discrepancies found, paper ballots can be
  counted more widely

49
Software Independence
A voting system is software-independent if an
undetected change or error in its software cannot
cause an undetectable change or error in an
election outcome.
Ron Rivest and John Wack

• DREs VVPATs
• Electronic Ballot Marking systems
• Optical Scan systems
• Cryptographic schemes

50
Proposed Legislation

• H.R. 811 Voter Confidence and IncreasedAccessibi
  lity Act (Rush Holt, D-NJ)
• Amends HAVA to require VVPATs
• Paper ballots would be the official record
• Random manual recounts in 3 of precincts
• Opens voting software and source code to public
  inspection
• Additional 300 million for states

51
Future Work

• Retrofits for existing systems
• Improved procedural safeguards
• Policies for recovering from failures
• Hardware-assisted security
• Cryptographically assured voting
• Techniques for ballot secrecy

52
http//itpolicy.princeton.edu/voting