Security Evaluation of the Sequoia Voting System

1
Security Evaluation of the Sequoia Voting System

• Sandhya Jognipalli

2
Outline

• Introduction
• Overview of Sequoia Voting System
• Known Issues
• Findings
• Attack Scenarios
• Conclusions

3
Introduction

• The use of computers in performing voting and
  tallying introduces serious concerns about the
  integrity and confidentiality of the voting
  process
• Testing assumes two classes of threats
• Insiders
• Outsiders
• System security depends upon proper application
  of procedures, check the consequences of any
  failure to follow procedures

4
System Overview

• The Sequoia voting system collects votes in three
  ways touchscreen machines, paper ballots scanned
  at polling places, and paper ballots scanned at
  election offices
• WinEDS, version 3.1.012
• AVC Edge Model I, firmware version 5.0.24
• AVC Edge Model II, firmware version 5.0.24
• VeriVote Printer
• Optech 400-C/WinETP firmware version 1.12.4
• Optech Insight, APX K2.10, HPX K1.42
• Optech Insight Plus, APX K2.10, HPX K1.42
• Card Activator, version 5.0.21
• HAAT Model 50, version 1.0.69L
• Memory Pack Reader (MPR), firmware version 2.15
• Various removable media
• Results Cartridges
• USB flash drives
• Voter Smartcards
• Memory packs

5
Polling place
Election Office
HAAT
Voter Card
USB stick
Card Activator
cartridge
Voter Card
Voter
Edge
cartridge
WinEDS
Voter
MemoryPack
paper ballot
Insight
MemoryPack Receiver
Voter
paper ballot
Optech 400-C
floppy disk
6
WinEDS

• WinEDS is the Election Database System
• WinEDS is a software program that runs on Windows
  PCs for entering, editing, collecting, and
  reporting on election information stored in a
  Microsoft SQL Server database
• Multiple computers running WinEDS all access a
  common database over a network on a computer
  running Microsoft SQL Server

7
WinEDS on a network
Election Office Network
Microsoft SQL Server
WinEDS
WinEDS
WinEDS
?
8
HAAT

• HAAT (Hybrid Activator, Accumulator and
  Transmitter) is a portable, shoe-box sized
  device, used primarily to activate Voter Cards
  used by the Edge DRE
• HAAT and Card Activator are devices used in
  polling places

9
Card Activator

• The Card Activator (CA) is a component of the AVC
  Edge, and serves as the voters access to the AVC
  Edge direct-record electronic touch-screen voting
  system
• A CA is used in place of the HAAT. The Card
  Activator is similar in size and shape to the
  HAAT

10
AVC Edge

• The Edge is a stand-alone Direct Recording
  Electronic (DRE).
• Edge is a touchscreen voting machine, accompanied
  by a Voter-Verified Paper Audit Trail (VVPAT)
  printer which provides a paper record of the vote
  for review by the voter

11
Optech 400-C

• Optech 400-C is a machine for quickly scanning
  large stacks of paper ballots at an election
  office

12
Optech Insight and Insight plus

• The Insight and Insight Plus are precinct-based
  optical scanners installed on top of a ballot box
  at a polling places

13
MemoryPack Receiver (MPR)

• MemoryPack Receiver is a device for reading and
  writing MemoryPacks

14
Removable Media

• SmartCards are simple, memory-constrained devices
  utilized as hardware tokens
• Authenticate a voter to an AVC Edge
• Authorize the voter to cast a single ballot
• Cartridges are used to carry election information
  and cast ballot records between WinEDS and the
  Edges
• MemoryPacks are used to carry ballot information
  and vote counts between WinEDS and the Insights
• Floppy disks are used to carry ballot information
  and vote counts between WinEDS and the Optech
  400-Cs
• USB flash drives are used to transfer an election
  definition from WinEDS to a HAAT

15
Lines of code languages in the Sequoia source
code
16
Know Issues

• The Electronic Frontier Foundation (EFF)
  published a list of known problems
• The Alameda County Evaluation
• Multiple votes attack
• The Sequoia voting system was evaluated by
  Pacific Design Engineering for Alameda County and
  the problems found by them can be summarized as
  follows
• The WinEDS and the other servers use
  non-encrypted text passwords when communicating
• The Edge uses constant hashes and DES encryption
  keys that can be discovered if somebody has
  physical access to a machine

17
Continuation

• The Edges memory cartridge results are not
  bound together cryptographically, and therefore
  the content of one cartridge could be copied onto
  another
• The WinEDS system uses Windows and therefore
  inherits the vulnerabilities associated with that
  operating system
• Multiple Votes Attack
• An attack enabling a voter to vote multiple
  times without the need for an activated SmartCard
  has been reported

18
Findings

• Some important security issues
• Arbitrary Code Execution An attacker to
  overwrite an AVC Edge firmware with a malicious
  version
• The development of the exploit was made easier
  because the Edge runs a proprietary OS
• File Overwriting The AVC Edge firmware is
  vulnerable to a directory traversal attack that
  can name, and overwrite the files containing the
  boot loader and the system firmware
• Accuracy Testing Mode Detection In the case of
  the Edge, the pre-election correctness test is
  performed by switching the machine to a specific
  Logic and Accuracy Test (LAT) mode
• Execution of Modified Firmware There is no way
  to determine which version of the firmware is
  running on an Edge device

19
Continuation

• Availability of an Interpreter in Violation of
  Guidelines The Edge firmware was discovered to
  include a shell-like scripting language
  interpreter
• This language includes, among others, several
  interesting commands
• A command to set the protective counter of the
  machine, which was described by the Sequoia
  representatives as tamper-proof
• A command to set the machines serial number
• A command that can be used to overwrite
  arbitrary files on the internal compact flash
  drive, including the system firmware or audit
  trail
• Commands to reboot the machine at will
• Arbitrary Directory Creation Through Traversal
  Attack The AVC Edge voting machine ballot
  loading logic is vulnerable to a directory
  traversal attack that leads to a denial of service

20
Continuation

• Automatic Execution of Code The WinEDS host
  operating system provided and configured by
  Sequoia is configured so that it will execute an
  autorun file whenever removable media is
  inserted
• Security of the MS SQL Server In the
  documentation, it is stated that WinEDS
  currently does NOT utilize code outside of MS SQL
  Server and no connections or permissions are
  required on the server. The election data stored
  on the server can only be modified by authorized
  users only through the application.
• Votes Encrypted Using Static Key The contents of
  the Results Cartridge are not protected by any
  cryptographic signatures, and can easily be
  modified

21
Continuation

• Possible Unsafe OS Choices The WinEDS
  documentation states that Windows 98 could be
  used for the WinEDS client machine
• Windows versions provide no user-level security
• Physical Security Serious concerns about the
  physical security of the different hardware
  components
• Reversible Password Hash The password stored on
  the update cartridge is not stored as a password
  hash
• Forging Update Cards and Voter Cards Voter
  SmartCards can be forged because the SmartCards
  are DES-encrypted using a static key

22
Successful Attack Scenarios

• Attack Scenario 1 An attacker drops a USB flash
  drive in the pool of USB drives used to
  initialize the HAAT systems
• When the drive is inserted in the computer on
  which WinEDS is running
• The cartridge is inserted in an Edge machine to
  load the ballots
• Modifies the ballot to give advantage to a
  certain candidate
• Attack Scenario 2 The malicious firmware takes
  advantage of fleeing voters
• The poll worker has no access to the content of
  the ballot
• The firmware records a modified vote

23
Continuation

• Attack Scenario 3 In this case the firmware
  prints a copy of the voters actual choices
• The firmware displays Please Wait, Recording
  Vote for a few seconds
• Thank you, vote recorded but the machine prints
  VOIDED on the receipt
• Attack Scenario 4 After the machine prints
  VOIDED, instead of jumping back to the ballot,
  it completes the voting process by casting a
  modified vote
• Attack Scenario 5 An attacker replaces the
  firmwares flashcard with one containing a
  malicious firmware

24
Continuation

• Attack Scenario 6 Attacker obtains access to the
  static key used to encrypt the voter cards
• Creates a number of valid voter cards to vote
  multiple times
• Attack Scenario 7 Access to election
  functionality on a WinEDS workstation directly
  connects to the MS SQL Server running on a
  separate WinEDS server machine
• The attacker transfers a malicious program to the
  database, and installs the program on the WinEDS
  server
• The installed program can be left on the machine
  as a Trojan

25
Potential Attack Scenarios

• Attack Scenario 8 An authorized user gets access
  to a 400-C machine
• Reboots the PC with a bootable CD containing a
  different OS
• The attacker then installs a Trojan application
  on the Windows system installed on the PC
• It will start modifying the votes
• It is possible to hide the malicious behavior
  from the LAT procedures

26
Conclusion

• Vulnerabilities could be exploited by a
  determined attacker to modify the results of an
  election
• No knowledge of source code required
• The implementation of the attacks did not require
  access to the source code