Three E-Voting Systems Susceptible to Attack, California Team Finds

By Scott M. Fulton, III | Published July 30, 2007, 3:06 PM

A report released this morning by the University of California, Davis, which was contracted by the State to investigate the security integrity of three brands of electronic voting machines which the State uses, concludes that all three are susceptible to compromise and tampering, using any number of tools including Trojan Horse programs and simple screwdrivers.

The final report, written by principal investigator Matt Bishop, took great pains to avoid any condemnatory tone toward the three manufacturers whose devices were tested. In fact, it went out of its way to be fair, at one point stating that in many cases the integrity of the voting machines' software may only be as strong as that of the underlying operating system - which, in all three cases, was Windows.

"As Windows is known to be vulnerable to many forms of attack," Bishop writes, "vendors should ensure that the underlying Windows system is locked down sufficiently to counter these threats. If an attacker can gain privileged access to the underlying operating system, they can control the election management system."

That said, the biggest vulnerability any of these systems could possibly face is the overwriting of their firmware, through a Trojan file or other means; and in all three cases, UC's "red teams" were able to accomplish this.

But the relative degree of cooperation between the red teams and the manufacturers - which the report and its three test-specific supplements indicate was not all that great - may raise questions as to whether the teams' experiences and those of actual customers would be similar. Manufacturers may have been reluctant to cooperate fully with red teams, under the theory that "hackers" may not themselves enjoy a similar level of access. Of course, that presumes that those seeking to actually break into a voting system to rig an election, and those who run the election, are in all cases different people.

Nonetheless, one UC red team discovered that its supposedly new Diebold GEMS/AccuVote system, which is managed by a Dell server, had shipped with Windows 2000 as its operating system - and an unpatched version, at that. "After noting these vulnerabilities, the Red Team was able to download an exploit from a free public repository of well-known and documented exploits," reads the Diebold red team's report. "This exploit gave the Red Team access of a Windows Administrator on the GEMS server."

What's more, patches and logging utilities that were shipped with the GEMS server were either not activated or were running in a limited capacity. If actual customers received a system with a similar installation, the team noted, actions taken by malicious users would not be traceable. The implication is that even if those mitigation features were activated, it would be a simple matter for someone with access to the administrative software to turn them off.
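The point about logging cuts both ways: an administrator can switch auditing off, but the act of switching it off, clearing the log, or simply leaving a long silence in the record is itself detectable after the fact. The script below is an added example written for this article, not code from the UC Davis report or from Diebold. It runs a tamper check over a few constructed event-log lines, flagging audit-policy changes and log clears, and treating an unusually long gap between events as a sign that logging was off rather than that nothing happened. The pipe-separated line format and the one-hour gap threshold are assumptions made for the example.

```python
"""Flag signs that a Windows audit trail has been tampered with.

Added example for this article, not code from the UC Davis report or from
any vendor. The log lines below are constructed for the example, and the
line format (timestamp | event id | account | message) is an assumption;
a real server would be read through the Event Log API or an exported .evt file.
"""
from datetime import datetime, timedelta

# Event IDs that record changes to the audit trail itself.
# Windows 2000/XP/2003 use the 3-digit ids; Vista and later use the 4-digit ids.
LOG_CLEARED = {517, 1102}
AUDIT_POLICY_CHANGED = {612, 4719}

# Constructed sample: an operator logs on, an administrator turns auditing
# down and clears the log, then nothing is recorded for more than five hours.
SAMPLE_LOG = r"""
2007-07-30 08:00:12 | 528 | GEMS\operator | Successful logon
2007-07-30 08:05:40 | 612 | GEMS\Administrator | Audit policy change: Logon/Logoff success: No failure: No
2007-07-30 08:06:01 | 517 | GEMS\Administrator | The audit log was cleared
2007-07-30 13:45:09 | 528 | GEMS\operator | Successful logon
2007-07-30 13:46:30 | 538 | GEMS\operator | User logoff
"""


def parse_log(text):
    """Turn the pipe-separated sample format into a list of event dicts, in file order."""
    events = []
    for line in text.strip().splitlines():
        when, event_id, account, message = [p.strip() for p in line.split(" | ", 3)]
        events.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "account": account,
            "message": message,
        })
    return events


def analyze(events, max_gap=timedelta(hours=1)):
    """Return findings: audit policy changes, log clears, and silent periods
    longer than max_gap (a sign that logging was off, not that nothing happened)."""
    findings = []
    previous = None
    for ev in events:
        if ev["id"] in AUDIT_POLICY_CHANGED:
            findings.append({"kind": "audit_policy_changed", "time": ev["time"], "account": ev["account"]})
        if ev["id"] in LOG_CLEARED:
            findings.append({"kind": "log_cleared", "time": ev["time"], "account": ev["account"]})
        if previous is not None and ev["time"] - previous["time"] > max_gap:
            findings.append({"kind": "logging_gap", "time": previous["time"],
                             "gap": ev["time"] - previous["time"]})
        previous = ev
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```

The gap threshold has to match the expected activity of the machine: a workstation that sits idle overnight will trip a one-hour limit for no reason, whereas a tally server that is supposed to be receiving precinct reports all evening should never go quiet for that long. The more robust control is to forward events to a separate log host as they are written, so that clearing the local log leaves the copy intact and the clear itself shows up there.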

A close examination of Diebold's GEMS server revealed evidence that the company's own programmers created their own password bypass mechanism - a way to attain a Windows account with privileges without supplying a password. Theoretically, this is how a central management system calls up remote servers at the end of election day to acquire their final tallies.

In one of the team's brief moments of conclusive advice, it writes, "The responsibility should not be on election officials to discover remotely-accessible Windows accounts and act appropriately to ensure those accounts are not inappropriately accessed."

Last year, Diebold's TSx voting systems were the subject of a Princeton University study that revealed malicious software could be injected into the systems by means of an ordinary memory card. Breaking the seals to gain access to the memory card slot was child's play, that study found; and the UC Davis team came to a similar conclusion.

"The Red Team was able to violate the physical security of every aspect of the TSx unit, using only tools that could be found in a typical office," reads its report. "This guaranteed the access necessary to execute physical and electronic attacks. The team was also able to jam the locks, which would not only provide evidence of election tampering (the effects of which are unclear and would depend on county procedures) but which could also potentially render devices inoperable for future elections, let alone for the retrieval of election data already loaded on the device at the time of attack."

The Hart InterCivic Election Management System gives its customers the freedom to install any version of Windows on its server and deploy its management software there. But that freedom also gives administrators the ability to deploy older, potentially more vulnerable versions of Windows, noted the red team testing the Hart system. Its report conceded that it was unable to test the integrity of a preferred Windows installation for the InterCivic software, because there did not actually appear to be one.

"The fact that Hart does not specify how the underlying operating system should be configured means that county configurations are unpredictable and are likely to vary," writes the Hart red team. "The team does not assume that customers will harden their systems appropriately, nor that Hart EMS servers will be free of vulnerabilities - even well-known or easily exploited vulnerabilities."
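A county that receives no configuration guidance from its vendor can still measure its own install against a written baseline. The script below is an added example for this article, not code from the UC report, from Hart, or from any vendor. It parses the INI-style file that `secedit /export /cfg` writes on Windows and reports every setting that is missing or falls short of a minimum. The sample export is constructed to represent an unhardened server, and every threshold in the baseline is this example's assumption of a reasonable floor, not a requirement stated in the report.

```python
"""Check a Windows security-policy export against a minimum baseline.

Added example for this article, not code from the UC report, Hart, or any
vendor. The export below is constructed to represent an unhardened county
install, and every threshold in BASELINE is this example's assumption of a
reasonable minimum, not a requirement stated in the report.
"""

# Constructed sample in the INI-style format written by `secedit /export /cfg`.
# Audit values are bit masks: 0 = none, 1 = success, 2 = failure, 3 = both.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LockoutBadCount = 0
EnableGuestAccount = 1
LSAAnonymousNameLookup = 1
NewAdministratorName = "Administrator"
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
AuditPolicyChange = 3
AuditAccountManage = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_secedit(text):
    """Parse the export into {section: {key: value}}; quotes around values are dropped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("key/value outside any section: %r" % line)
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def _both(v):
    """Audit setting records both success (1) and failure (2)."""
    return int(v) == 3


# (section, key, passes, what the baseline expects). Thresholds are assumptions.
BASELINE = [
    ("System Access", "MinimumPasswordLength", lambda v: int(v) >= 8, "8 or more characters"),
    ("System Access", "PasswordComplexity", lambda v: int(v) == 1, "complexity on (1)"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= int(v) <= 10, "lockout after 1-10 failures"),
    ("System Access", "ClearTextPassword", lambda v: int(v) == 0, "no reversible storage (0)"),
    ("System Access", "EnableGuestAccount", lambda v: int(v) == 0, "Guest disabled (0)"),
    ("System Access", "LSAAnonymousNameLookup", lambda v: int(v) == 0, "anonymous lookups off (0)"),
    ("Event Audit", "AuditLogonEvents", _both, "success and failure (3)"),
    ("Event Audit", "AuditAccountLogon", _both, "success and failure (3)"),
    ("Event Audit", "AuditPolicyChange", _both, "success and failure (3)"),
    ("Event Audit", "AuditAccountManage", _both, "success and failure (3)"),
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
     lambda v: v == "4,1", "blank passwords usable at console only (REG_DWORD 1)"),
]


def check_baseline(sections):
    """Return (key, actual, expected) for every setting that is absent or fails its test."""
    deviations = []
    for section, key, passes, expected in BASELINE:
        actual = sections.get(section, {}).get(key)
        if actual is None:
            deviations.append((key, "<missing>", expected))
        elif not passes(actual):
            deviations.append((key, actual, expected))
    return deviations


if __name__ == "__main__":
    for key, actual, expected in check_baseline(parse_secedit(SAMPLE_EXPORT)):
        print("%-70s actual=%-9s expected: %s" % (key, actual, expected))
```

On a real machine the export is produced with `secedit /export /cfg policy.inf` and is written as UTF-16, so open it with `encoding="utf-16"` before handing the text to `parse_secedit`. A setting that is absent from the export is reported as missing rather than silently passed, since an undefined policy is exactly the "unpredictable county configuration" the Hart red team describes. Once every row passes, the same file can be fed back with `secedit /configure` to make the baseline the actual state.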

A red team from UC Santa Barbara examined the Sequoia Voting System, which also found itself having fun with ordinary hand tools. "The testers were able to gain access to the internals of the systems," writes Matt Bishop, "by, for example, unscrewing screws to bypass locks. The screws were not protected by seals. Similarly, plastic covers that were protected by seals could be pried open enough to insert tools that could manipulate the protected buttons without damaging the seals or leaving any evidence that the security of the system had been compromised."

The Santa Barbara team uncovered what appeared to be evidence that Sequoia's security hardening consisted in large part of a customer relations campaign to allay fears that tampering would be a problem. It cited Sequoia literature that actually explained to customers that since its software doesn't access any other libraries besides Microsoft SQL Server, no one else could possibly have remote or unauthorized access to its SQL Server database. That whole notion is fundamentally flawed, the Sequoia red team pointed out, adding that it was able to execute arbitrary commands on the Sequoia database using ordinary SQL Server queries.

Like the Hart system, Sequoia leaves the choice of Windows version to its customers, particularly for its client-side voting systems. Sequoia's documentation recommends Windows 98 and Windows ME, probably to accommodate older, less expensive, lower-spec equipment. "This is a problem," writes the Sequoia red team, "because those Windows versions provide no user-level security."

The final report for the California Secretary of State paints a picture of a trio of information systems whose security integrity is either fragile or non-existent. In some cases, it seems to indicate that the job of reinforcing security may have, for at least one manufacturer, been assigned to its public relations department.

But the report also gives the manufacturers an unexpected line of defense: They can claim they had reason not to cooperate with these tests, so the teams' complaints that they had little to work with or were pinched for time may be invalid - as a malicious user may be faced with similar circumstances. They can also pass on responsibility for vulnerabilities to Microsoft, whose own operating system security (especially the older versions) is publicly known to be woefully inadequate.

The fact that, with incomplete information and limited time, reasonably skillful researchers were able to craft malware that overwrote the system firmware of three brands of voting machines, and compromise their servers as well, will not sit well with election reformers. Suddenly "hanging chads" doesn't seem to have been that much of a problem.

Comments

I was so grateful for a summary of the report, thank you. I don't find the tampering with memory cards, physically, to be a typical probability. I think the "insiders" are at the Diebold manufacturers level; wherein, the firmware was accessed in the year 2000 or 2002, after the machines were certified (from my county clerk and written by a GuyWorld article). The technicians told the clerks they were changing the clocks on the firmware---yeah, right! All these clerks should be asked to resign, due to this negligence. No telling what was encoded for typical President and Vice President categories/Republican, Democrat categories using "integer overflow" systems of reverse counting, etc. I.E. Where Gore's votes began to recede late at night, despite the major networks touting his eventual win.
Also, could the memory cards, or the interpreter on the OS counter, as the study infers, have hidden code demands. I think of the vast space on my PageMaker page, where it is hard to find the piece I was working on, due to the sheer size. Could code be hidden on the memory card without the clerk aware of it?
Also, Black Box talks of the non-security of the telephone jacks (non-sealed) wherein, an infiltrator could send a Trojan Horse, electronically through, during the hour and one-half when the GEMS mother machine is receiving vote reports from the various precincts.
Was this in the study?
One major legislation which should also be proposed is the increase of the percentage of hand-count for all races and initiatives---from the 1% audit to at least 9% (according to ITAs). This may catch fraud attempts, whereas, 1% won't show anything.

Score: 0


What this article did not state is that the people who run local elections usually consist of one or two people and then a large group of volunteers. The election officials want to get the equipment to the polls, have it easily set up -- usually by volunteers, and run correctly. There's usually no local election budget for multiple system admins to set up and configure these machines so that they are properly locked down with all of the latest and greatest Microsoft patches to ensure security. These voting machine companies know how insecure the Microsoft OS is and chose it as their base operating system regardless of those insecurities. That was a strategic error on their part. Any State that is going to take the election process seriously will not and should not allow any voting machine that can be compromised and that doesn't generate paper verification of the votes that were cast.

Score: 0


we know that Systems Susceptible to Attack

look at the United States Congress

Score: 0


"Of course, that presumes that those seeking to actually break into a voting system to rig an election, and those who run the election, are in all cases different people."
I like your sense of irony, Scott ... :D

This is good too:
"In some cases, it seems to indicate that the job of reinforcing security may have, for at least one manufacturer, been assigned to its public relations department."

By the way, this article makes you think: "Well ... maybe those butterfly ballots weren't so s***y after all ..." :)

Score: 0


They are using Windows on such a critical and important machine.
http://www.vanwensveen.n.../microsoft/IhateMS.html
It's a long but good look at Windows OS's.

What a bone head move.

Score: 0


Seriously--why do people believe everything they read on blogs? My guess is that the IhateMS.html file might be ever so slightly slanted against Microsoft--but I could be wrong.

After saying that, anyone running an unpatched version of Windows 2000 is either an idiot, runs "deep freeze" type software, or never connects to the web.

Windows 2000 Server w/sp4 and with SRP1a installed shouldn't be easy to exploit, however, particularly if it does not use Internet explorer when logged on locally or uses IE only with basic user rights as MS suggests.

Score: 0


I don't, but just about everything on this blog can be looked up and verified. I even remember in my almost 32 years of computing fun a lot of what is said to have happened, and then some.

Windows is too poorly written and throughout the years just "code slapped together" to ever really be secure.
No matter what the pr campaigns claim.

And just because the blogger hates Microsoft doesn't mean he couldn't be right.

Score: 0


"using any number of tools including Trojan Horse programs and simple screwdrivers."

As opposed to those complex screwdrivers, eh?

Score: 0


Maybe the complex ones use Orangina instead of just orange juice. :P

Score: 0

