Security Analysis of the Diebold AccuVote – TS Voting Machine. Feldman, Halderman and Felten Presented by: Ryan Lehan. Outline. Overview of Diebold AccuVote-TS Voting Machine Vulnerability Points Hardware Software Classification of Attacks Delivery of Attacks Conclusion.
Security Analysis of the Diebold AccuVote-TS Voting Machine
Feldman, Halderman and Felten
Presented by: Ryan Lehan
CSC 682

Outline
• Overview of Diebold AccuVote-TS Voting Machine
• Vulnerability Points
  • Hardware
  • Software
• Classification of Attacks
• Delivery of Attacks
• Conclusion

Diebold AccuVote-TS
• Manufactured by Diebold Election Systems
  • Subsidiary of Diebold
  • Manufacturer of ATMs
  • Now Premier Election Systems
• DRE – Direct Recording Electronic Voting Machine
  • Voters use the machine to record and cast their votes
  • The machine is used to tally the votes
• Custom software (Ballot Station) runs on top of Windows CE

Vulnerability Points - Hardware - (please turn to page 6)
• Commonly used lightweight lock to secure access.
• EPROM (E) – Replace EPROM w/ malware
• PC Card Slot (S) – Used to replace existing software as well as load in malware
• Flash Ext Slot (G) – Used to load in malware
• Keyboard (R) & Mouse (U) Ports – Used to alter OS configuration
• Serial Keypad Connector (O) – Open communication port.
• Infrared Transmitter and Receiver (N) – Open communication port.

Vulnerability Points - Software -
• Boot Process
• Software Updates
• Scripting
• Authenticity / Authorization

Boot Process
• Bootloader is loaded into memory
• Location is determined by jumpers on the mainboard
  • EPROM (E)
  • Onboard flash memory (C)
  • Flash memory module in the “ext flash” slot
• Looks at PC Card Slot for a memory card
• Looks for specially named files
  • fboot.nb0 – Replacement bootloader, copied into onboard flash
  • nk.bin – Replacement operating system image file
  • EraseFFX.bsq – Erases file system area of the flash

Boot Process - 2 -
• OS (Windows CE) is decompressed, loaded into memory and then started.
• OS uses a customized ‘taskman.exe’
  • Automatically launches ‘BallotStation.exe’
  • However, if a memory card is present in the PC Card slot:
    • If it contains a file called ‘explorer.glb’, Windows Explorer is launched instead of ‘BallotStation.exe’
    • It is searched for script files ending with ‘.ins’, which are run (with user confirmation)

Software Updates
• Takes place in the boot loading process
• Looks for specially named files on memory card
• Overwrites existing files in the onboard flash memory
• No confirmation is needed
• Messages are printed on screen only

Scripts
• Scripts are loaded via a memory card in the PC Card slot
• Execution of each script requires user confirmation
• The authors found multiple stack-based buffer overflows in the handling of the script files
  • This suggests that malformed .ins files could bypass user confirmation.

Authenticity / Authorization
• At no time during boot loading or script execution was there a check to validate the authenticity of any of the files on the memory card.
• At no time was a user, supervisor, or admin asked to log in to the machine.
• Without authentication, authorization to perform updates and script execution is non-existent.
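
An added example (not from the paper or the presentation): a pre-deployment audit of a memory card for the boot-trigger file names listed on the slides above, combined with the hash check that the slides note the machine never performs. The manifest of approved digests, the case-insensitive name matching and the scan of the whole card are assumptions of this sketch.

```python
import hashlib
import os
import tempfile

# File names and their boot-time effects, as listed on the slides above.
TRIGGERS = {
    "fboot.nb0": "replacement bootloader copied into onboard flash",
    "nk.bin": "replacement operating system image",
    "eraseffx.bsq": "erases file system area of the flash",
    "explorer.glb": "launches Windows Explorer instead of BallotStation.exe",
}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_card(root, approved=None):
    """List (relative path, effect, status) for every boot-trigger file on a card."""
    # approved: hypothetical manifest, lower-cased file name -> SHA-256 hex digest
    approved = approved or {}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            key = name.lower()  # assumption: the loader matches names case-insensitively
            if key in TRIGGERS:
                effect = TRIGGERS[key]
            elif key.endswith(".ins"):
                effect = "script run by taskman.exe after user confirmation"
            else:
                continue  # ordinary data file, no boot-time effect
            path = os.path.join(dirpath, name)
            ok = approved.get(key) == sha256_file(path)
            findings.append((os.path.relpath(path, root), effect,
                             "approved" if ok else "UNAPPROVED"))
    return sorted(findings)

def demo():
    # Constructed sample card: dummy bytes, not real firmware or scripts.
    with tempfile.TemporaryDirectory() as card:
        samples = {"NK.BIN": b"os image", "fboot.nb0": b"bootloader",
                   "update.ins": b"script", "ballots.dat": b"data"}
        for name, data in samples.items():
            with open(os.path.join(card, name), "wb") as f:
                f.write(data)
        manifest = {"nk.bin": hashlib.sha256(b"os image").hexdigest()}
        return audit_card(card, manifest)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any `UNAPPROVED` finding means the card would change the machine's software or behaviour at the next boot without matching a known-good file.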

Classification of Attacks
• Vote Stealing
  • Alter votes in favor of a politician, party, or issue.
  • Does not alter the count of votes (discredits ballot stuffing).
• Denial of Service (DoS)
  • Prevents access to machine
    • To vote by the individual.
    • To access the voting results.
• Purposeful Election Fraud
  • Make it look like the “other guy” did it, by forcing a 100% vote in favor of the “other guy”.
  • Creates distrust in the “other guy”.

Delivery of Attack
• EPROM
  • Attack code is created and placed on an EPROM chip
  • Attacker gains access into the voting machine and physically replaces the EPROM chip
  • Attacker changes the jumper settings so that the boot loader is loaded from the EPROM chip

Delivery of Attack - 2 -
• Memory Card via PC Card Slot
  • Initial Delivery
    • Attack code is placed on to the memory card, including a self-replicating virus
    • Memory card is inserted into PC Card slot prior to booting voting machine
    • A malware boot loader is installed via specially named file: fboot.nb0
    • The malware boot loader loads the OS in normal fashion as well as loads the attack code

Delivery of Attack - 3 -
• Memory Card via PC Card Slot (cont.)
  • Subsequent Delivery
    • When a non-infected memory card is inserted into an infected machine, the attack code will copy itself from memory onto the memory card, thus infecting the memory card
    • When the infected memory card is removed and placed into a non-infected voting machine, the virus is copied onto the machine, infecting it as well.

Conclusions
• Diebold AccuVote-TS electronic voting machine is a single self-contained unit.
• Weak security
• Single point of failure
• Has no real-time outside redundancies for recording votes and logs
• Has multiple vulnerability points in both hardware and software
• Single self-contained unit eliminates the need for a distributed attack against multiple machines simultaneously
• No way to determine if an attack has taken place
• Runs on general-purpose hardware and OS
• Even though it was not mentioned, probably runs under Administrator privileges
• Chain of possession leaves the voting machine in an insecure state. No fault of the machine.