Security Evaluation of the Sequoia Voting System - PowerPoint PPT Presentation

Provided by: sjog
Slides: 27
Learn more at: https://www.cs.kent.edu
Transcript and Presenter's Notes

1
Security Evaluation of the Sequoia Voting System
  • Sandhya Jognipalli

2
Outline
  • Introduction
  • Overview of Sequoia Voting System
  • Known Issues
  • Findings
  • Attack Scenarios
  • Conclusions

3
Introduction
  • The use of computers in performing voting and
    tallying introduces serious concerns about the
    integrity and confidentiality of the voting
    process
  • Testing assumes two classes of threats
      • Insiders
      • Outsiders
  • System security depends upon proper application
    of procedures; the evaluation checks the
    consequences of any failure to follow procedures

4
System Overview
  • The Sequoia voting system collects votes in three
    ways: touchscreen machines, paper ballots scanned
    at polling places, and paper ballots scanned at
    election offices
  • WinEDS, version 3.1.012
  • AVC Edge Model I, firmware version 5.0.24
  • AVC Edge Model II, firmware version 5.0.24
  • VeriVote Printer
  • Optech 400-C/WinETP firmware version 1.12.4
  • Optech Insight, APX K2.10, HPX K1.42
  • Optech Insight Plus, APX K2.10, HPX K1.42
  • Card Activator, version 5.0.21
  • HAAT Model 50, version 1.0.69L
  • Memory Pack Reader (MPR), firmware version 2.15
  • Various removable media
      • Results Cartridges
      • USB flash drives
      • Voter Smartcards
      • Memory packs

5
Polling place / Election Office
  [Diagram of the flow of media between the polling place and the
  election office; components shown: HAAT, Voter Card, USB stick,
  Card Activator, cartridge, Voter, Edge, WinEDS, MemoryPack,
  paper ballot, Insight, MemoryPack Receiver, Optech 400-C,
  floppy disk]

6
WinEDS
  • WinEDS is the Election Database System
  • WinEDS is a software program that runs on Windows
    PCs for entering, editing, collecting, and
    reporting on election information stored in a
    Microsoft SQL Server database
  • Multiple computers running WinEDS all access a
    common database over a network on a computer
    running Microsoft SQL Server

7
WinEDS on a network
  [Diagram: Election Office Network with a Microsoft SQL Server
  and several WinEDS workstations; one node is marked "?"]

8
HAAT
  • HAAT (Hybrid Activator, Accumulator and
    Transmitter) is a portable, shoe-box sized
    device, used primarily to activate Voter Cards
    used by the Edge DRE
  • HAAT and Card Activator are devices used in
    polling places

9
Card Activator
  • The Card Activator (CA) is a component of the AVC
    Edge, and serves as the voter's access to the AVC
    Edge direct-record electronic touch-screen voting
    system
  • A CA is used in place of the HAAT. The Card
    Activator is similar in size and shape to the
    HAAT

10
AVC Edge
  • The Edge is a stand-alone Direct Recording
    Electronic (DRE).
  • Edge is a touchscreen voting machine, accompanied
    by a Voter-Verified Paper Audit Trail (VVPAT)
    printer which provides a paper record of the vote
    for review by the voter

11
Optech 400-C
  • Optech 400-C is a machine for quickly scanning
    large stacks of paper ballots at an election
    office

12
Optech Insight and Insight plus
  • The Insight and Insight Plus are precinct-based
    optical scanners installed on top of a ballot box
    at polling places

13
MemoryPack Receiver (MPR)
  • MemoryPack Receiver is a device for reading and
    writing MemoryPacks

14
Removable Media
  • SmartCards are simple, memory-constrained devices
    utilized as hardware tokens
      • Authenticate a voter to an AVC Edge
      • Authorize the voter to cast a single ballot
  • Cartridges are used to carry election information
    and cast ballot records between WinEDS and the
    Edges
  • MemoryPacks are used to carry ballot information
    and vote counts between WinEDS and the Insights
  • Floppy disks are used to carry ballot information
    and vote counts between WinEDS and the Optech
    400-Cs
  • USB flash drives are used to transfer an election
    definition from WinEDS to a HAAT

15
Lines of code / languages in the Sequoia source code
  [Table of line counts per language; not reproduced in the
  transcript]

16
Known Issues
  • The Electronic Frontier Foundation (EFF)
    published a list of known problems
  • The Alameda County Evaluation
  • Multiple votes attack
  • The Sequoia voting system was evaluated by
    Pacific Design Engineering for Alameda County and
    the problems found by them can be summarized as
    follows:
      • The WinEDS and the other servers use
        non-encrypted text passwords when communicating
      • The Edge uses constant hashes and DES encryption
        keys that can be discovered if somebody has
        physical access to a machine

17
Continuation
  • The Edge's memory cartridge results are not
    bound together cryptographically, and therefore
    the content of one cartridge could be copied onto
    another
  • The WinEDS system uses Windows and therefore
    inherits the vulnerabilities associated with that
    operating system
  • Multiple Votes Attack
      • An attack enabling a voter to vote multiple
        times without the need for an activated SmartCard
        has been reported

18
Findings
  • Some important security issues:
  • Arbitrary Code Execution: an attacker can
    overwrite an AVC Edge firmware with a malicious
    version
      • The development of the exploit was made easier
        because the Edge runs a proprietary OS
  • File Overwriting: the AVC Edge firmware is
    vulnerable to a directory traversal attack that
    can name and overwrite the files containing the
    boot loader and the system firmware
  • Accuracy Testing Mode Detection: in the case of
    the Edge, the pre-election correctness test is
    performed by switching the machine to a specific
    Logic and Accuracy Test (LAT) mode
  • Execution of Modified Firmware: there is no way
    to determine which version of the firmware is
    running on an Edge device

19
Continuation
  • Availability of an Interpreter in Violation of
    Guidelines: the Edge firmware was discovered to
    include a shell-like scripting language
    interpreter
      • This language includes, among others, several
        interesting commands:
          • A command to set the protective counter of the
            machine, which was described by the Sequoia
            representatives as tamper-proof
          • A command to set the machine's serial number
          • A command that can be used to overwrite
            arbitrary files on the internal compact flash
            drive, including the system firmware or audit
            trail
          • Commands to reboot the machine at will
  • Arbitrary Directory Creation Through Traversal
    Attack: the AVC Edge voting machine ballot
    loading logic is vulnerable to a directory
    traversal attack that leads to a denial of service
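Both traversal findings on slides 18 and 19 (files overwritten, directories created) come down to ballot-loading code trusting a file name read from removable media. The Python below is an added example, not code from the evaluation or from Sequoia, showing the containment check such a loader should apply before it opens anything; the directory `/ballots` and the sample names are constructed for the illustration.

```python
"""Reject file names that would let ballot-loading logic touch anything
outside its own directory (added example; paths and names are constructed)."""
import posixpath

BALLOT_ROOT = "/ballots"  # assumed location of the election definition files


def is_safe_ballot_name(name: str, root: str = BALLOT_ROOT) -> bool:
    """Return True only if `name` is a relative path that stays inside `root`.

    Three independent checks are applied, because each one alone has been
    bypassed in real systems:
      1. reject empty names and embedded NUL bytes (which truncate C strings);
      2. reject absolute paths and any '.', '..' or empty path component,
         whichever separator the caller used;
      3. normalise the joined path and confirm it still lies under `root`.
    """
    if not name or "\x00" in name:
        return False
    # Treat backslash as a separator too: the target filesystem may accept either.
    candidate = name.replace("\\", "/")
    if posixpath.isabs(candidate):
        return False
    if any(part in ("", ".", "..") for part in candidate.split("/")):
        return False
    resolved = posixpath.normpath(posixpath.join(root, candidate))
    return resolved.startswith(root.rstrip("/") + "/")


def partition_ballot_names(names):
    """Split candidate names into (accepted, rejected) lists before loading."""
    accepted, rejected = [], []
    for n in names:
        (accepted if is_safe_ballot_name(n) else rejected).append(n)
    return accepted, rejected


# Constructed sample: two legitimate definition files and several names that
# would reach the boot loader, the firmware or the audit trail if trusted.
SAMPLE_NAMES = [
    "ballot.def",
    "precinct_12/ballot.def",
    "../firmware/edge.bin",
    "..\\boot\\loader.bin",
    "/audit/trail.log",
    "precinct_12/../../audit/trail.log",
    "ballot.def\x00.bin",
]

if __name__ == "__main__":
    ok, bad = partition_ballot_names(SAMPLE_NAMES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The final prefix check is deliberately redundant with the component check: if a future change relaxes one rule (for example to allow a single `.`), the other still keeps the resolved path under the ballot directory.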

20
Continuation
  • Automatic Execution of Code: the WinEDS host
    operating system provided and configured by
    Sequoia is configured so that it will execute an
    autorun file whenever removable media is
    inserted
  • Security of the MS SQL Server: in the
    documentation, it is stated that WinEDS
    currently does NOT utilize code outside of MS SQL
    Server and no connections or permissions are
    required on the server. The election data stored
    on the server can only be modified by authorized
    users, and only through the application.
  • Votes Encrypted Using Static Key: the contents of
    the Results Cartridge are not protected by any
    cryptographic signatures, and can easily be
    modified
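Slide 17 notes that cartridge results are not cryptographically bound to the machine that produced them, and slide 20 that the Results Cartridge carries no signature at all. The Python below is an added example, not code from the evaluation or from Sequoia, showing what binding means in practice: a per-machine, per-election MAC key derived from an election master key, a tag over the canonical record, and a verifier that rejects edited counts, content copied verbatim onto another machine's cartridge, and content relabelled with another serial number. The master key, serial numbers and counts are constructed placeholders.

```python
"""Bind a Results Cartridge to its producing machine with a per-machine HMAC
(added example; key, serials and counts are constructed placeholders)."""
import hashlib
import hmac
import json

# Placeholder election master key. In a real deployment it would live in the
# election office's key store and never be written to a cartridge.
ELECTION_MASTER_KEY = b"example-master-key-not-for-production"


def machine_key(master_key: bytes, election_id: str, serial: str) -> bytes:
    """Derive a per-machine, per-election MAC key from the master key.

    A single static key shared by every machine (the weakness the findings
    describe) would let one machine's cartridge forge any other machine's.
    """
    info = f"cartridge-mac|{election_id}|{serial}".encode()
    return hmac.new(master_key, info, hashlib.sha256).digest()


def canonical(record: dict) -> bytes:
    """Serialise deterministically so the MAC covers every field in one order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_cartridge(record: dict, master_key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed under the producing machine's key."""
    key = machine_key(master_key, record["election_id"], record["machine_serial"])
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_cartridge(sealed: dict, master_key: bytes, expected_serial: str) -> bool:
    """Accept only if the content is untampered AND came from `expected_serial`."""
    record = sealed["record"]
    # Binding check first: a tag valid for machine A must not be accepted
    # when the cartridge is presented as machine B's results.
    if record.get("machine_serial") != expected_serial:
        return False
    key = machine_key(master_key, record["election_id"], record["machine_serial"])
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def with_changes(sealed: dict, **changes) -> dict:
    """Copy a sealed cartridge with record fields altered but the tag kept.
    Models someone who edits the content but cannot recompute the tag."""
    record = dict(sealed["record"])
    record.update(changes)
    return {"record": record, "tag": sealed["tag"]}


# Constructed results record for one machine.
GENUINE = seal_cartridge(
    {
        "election_id": "2008-general-test",
        "machine_serial": "EDGE-0001",
        "precinct": "12",
        "counts": {"candidate_a": 120, "candidate_b": 98},
    },
    ELECTION_MASTER_KEY,
)


def run_checks() -> dict:
    """Exercise the verifier against the cases the findings describe."""
    return {
        # untouched cartridge, read as coming from the machine that wrote it
        "genuine": verify_cartridge(GENUINE, ELECTION_MASTER_KEY, "EDGE-0001"),
        # counts edited in place, tag left as it was
        "tampered_counts": verify_cartridge(
            with_changes(GENUINE, counts={"candidate_a": 220, "candidate_b": 98}),
            ELECTION_MASTER_KEY, "EDGE-0001"),
        # content copied verbatim onto a cartridge presented as EDGE-0002's
        "copied_to_other_machine": verify_cartridge(
            GENUINE, ELECTION_MASTER_KEY, "EDGE-0002"),
        # copied and relabelled as EDGE-0002 without EDGE-0002's key
        "relabelled": verify_cartridge(
            with_changes(GENUINE, machine_serial="EDGE-0002"),
            ELECTION_MASTER_KEY, "EDGE-0002"),
    }


if __name__ == "__main__":
    for case, accepted in run_checks().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The election office, not the cartridge, holds the master key, so a cartridge carries nothing that lets its reader mint tags for other machines. Where the tally software must verify without the master key, the same structure works with per-machine signing keys and a public key per device.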

21
Continuation
  • Possible Unsafe OS Choices: the WinEDS
    documentation states that Windows 98 could be
    used for the WinEDS client machine
      • Such Windows versions provide no user-level
        security
  • Physical Security: serious concerns about the
    physical security of the different hardware
    components
  • Reversible Password Hash: the password stored on
    the update cartridge is not stored as a password
    hash
  • Forging Update Cards and Voter Cards: Voter
    SmartCards can be forged because the SmartCards
    are DES-encrypted using a static key

22
Successful Attack Scenarios
  • Attack Scenario 1: an attacker drops a USB flash
    drive in the pool of USB drives used to
    initialize the HAAT systems
      • When the drive is inserted in the computer on
        which WinEDS is running
      • The cartridge is inserted in an Edge machine to
        load the ballots
      • Modifies the ballot to give advantage to a
        certain candidate
  • Attack Scenario 2: the malicious firmware takes
    advantage of fleeing voters
      • The poll worker has no access to the content of
        the ballot
      • The firmware records a modified vote

23
Continuation
  • Attack Scenario 3: in this case the firmware
    prints a copy of the voter's actual choices
      • The firmware displays "Please Wait, Recording
        Vote" for a few seconds
      • Then "Thank you, vote recorded", but the machine
        prints VOIDED on the receipt
  • Attack Scenario 4: after the machine prints
    VOIDED, instead of jumping back to the ballot,
    it completes the voting process by casting a
    modified vote
  • Attack Scenario 5: an attacker replaces the
    firmware's flash card with one containing a
    malicious firmware

24
Continuation
  • Attack Scenario 6: attacker obtains access to the
    static key used to encrypt the voter cards
      • Creates a number of valid voter cards to vote
        multiple times
  • Attack Scenario 7: access to election
    functionality on a WinEDS workstation directly
    connects to the MS SQL Server running on a
    separate WinEDS server machine
      • The attacker transfers a malicious program to the
        database, and installs the program on the WinEDS
        server
      • The installed program can be left on the machine
        as a Trojan

25
Potential Attack Scenarios
  • Attack Scenario 8: an authorized user gets access
    to a 400-C machine
      • Reboots the PC with a bootable CD containing a
        different OS
      • The attacker then installs a Trojan application
        on the Windows system installed on the PC
      • It will start modifying the votes
      • It is possible to hide the malicious behavior
        from the LAT procedures

26
Conclusion
  • Vulnerabilities could be exploited by a
    determined attacker to modify the results of an
    election
  • No knowledge of source code required
  • The implementation of the attacks did not require
    access to the source code