Security Analysis of the Diebold AccuVote TS Voting Machine

1
Security Analysis of the Diebold AccuVote TS
Voting Machine

• Feldman, Halderman and Felten
• Presented by Ryan Lehan

2
Outline

• Overview of Diebold AccuVote-TS Voting Machine
• Vulnerability Points
• Hardware
• Software
• Classification of Attacks
• Delivery of Attacks
• Conclusion

3
Diebold AccuVote-TS

• Manufactured by Diebold Election Systems
• Subsidiary of Diebold
• Manufacturer of ATM
• Now Premier Election Systems
• DRE Direct Recording Electronic Voting Machine
• Voters use machine to record and cast vote
• Machine is used to tally the votes
• Custom Software (Ballot Station) ran on top of
  Windows CE

4
Vulnerability Points- Hardware Please turn to
page 6

• Commonly used lightweight lock to secure access.
• EPROM (E) Replace EPROM w/ malware
• PC Card Slot (S) Used to replace existing
  software as well as load in malware
• Flash Ext Slot (G) Used to load in malware
• Keyboard (R) Mouse (U) Ports Used to alter OS
  configuration
• Serial Keypad Connector (O) Open communication
  port.
• Infrared Transmitter and Receiver (N) Open
  communication port.

5
Vulnerability Points- Software -

• Boot Process
• Software Updates
• Scripting
• Authenticity / Authorization

6
Boot Process

• Bootloader is loaded into memory
• Location is determined by jumpers on the
  mainboard
• EPROM (E)
• Onboard flash memory (C)
• Flash memory module in the ext flash slot
• Looks at PC Card Slot for a memory card
• Looks for specially named files
• fboot.nb0 Replacement bootloader, copied into
  onboard flash
• nk.bin Replacement operating system image file
• EraseFFX.bsq Erases file system area of the
  flash

7
Boot Process- 2 -

• OS (Windows CE) is decompressed, loaded into
  memory and then started.
• OS uses a customized taskman.exe
• Automatically launch BallotStation.exe
• However, if memory card in PC Card slot is
  present
• Contains a file called explorer.glb, then it
  will launch Windows Explorer instead of
  BallotStation.exe
• Searches for script files ending with .ins and
  runs them (with user confirmation)

8
Software Updates

• Takes place in the boot loading process
• Looks for specially named files on memory card
• Overwrites existing files in the onboard flash
  memory
• No confirmation is needed
• Messages are printed on screen only

9
Scripts

• Scripts are loaded via a memory card in the PC
  Card slot
• Execution of each script requires user
  confirmation
• Found multiple stack-based buffer overflows in
  handling of the script files
• Suggesting malformed .ins files could by-pass
  user confirmation.

10
Authenticity / Authorization

• At no time, during the boot loading or script
  execution, was there a check to validate the
  authenticity of any of the files on the memory
  card.
• At no time was a user, supervisor, or admin asked
  to login into the machine.
• Without authentication, authorization to perform
  updates and script execution is non-existent

11
Classification of Attacks

• Vote Stealing
• Alter votes in favor of a politician, party, or
  issue.
• Does not alter the count of votes (discredits
  ballot stuffing).
• Denial of Service (DoS)
• Prevents access to machine
• To vote by the individual.
• To access the voting results.
• Purposeful Election Fraud
• Make it look like the other guy did it, by
  forcing a 100 vote in favor of the other guy.
• Creates distrust in the other guy.

12
Delivery of Attack

• EPROM
• Attack code is created and placed on an EPROM
  chip
• Attacker gains access into the voting machine and
  physically replaces the EPROM chip
• Attacker changes the jumper settings so that the
  boot loader is loaded from the EPROM chip

13
Delivery of Attack- 2 -

• Memory Card via PC Card Slot
• Initial Delivery
• Attack code is placed on to the memory card,
  including a self replicating virus
• Memory Card is inserted into PC card slot prior
  to booting voting machine
• A malware boot loader is installed via specially
  named file fboot.nb0
• The malware boot loader loads the OS in normal
  fashion as well as loads the attack code

14
Delivery of Attack- 3 -

• Memory Card via PC Card Slot (cont.)
• Subsequent Delivery
• When a non-infected memory card is inserted an
  infected machine, the attack code will copy
  itself from memory onto the memory card, thus
  infecting the memory card
• When the infected memory card is removed and
  placed into a non-infected voting machine, the
  virus is copied onto the machine, infecting it as
  well.

15
Conclusions

• Diebold AccuVote TS electronic voting machine
  is a single self-contained unit.
• Weak Security
• Single point of failure
• Has no real time outside redundancies for
  recording votes and logs
• Has multiple vulnerability points in both
  hardware and software
• Single self-contained unit eliminates the need
  for a distributed attack against multiple
  machines simultaneously
• No way to determine if an attack has taken place
• Runs on general-purpose hardware and OS
• Even though it was not mentioned, probably runs
  under Administrator privileges
• Chain of Possession leaves the voting machine in
  an unsecure state. No fault of the machine.