
Security Analysis of the Diebold AccuVote – TS Voting Machine

Feldman, Halderman and Felten. Presented by: Ryan Lehan.

skrystal

Presentation Transcript


  1. Security Analysis of the Diebold AccuVote – TS Voting Machine
     - Feldman, Halderman and Felten
     - Presented by: Ryan Lehan
     - CSC 682

  2. Outline
     - Overview of Diebold AccuVote-TS Voting Machine
     - Vulnerability Points
       - Hardware
       - Software
     - Classification of Attacks
     - Delivery of Attacks
     - Conclusion

  3. Diebold AccuVote-TS
     - Manufactured by Diebold Election Systems
       - Subsidiary of Diebold
         - Manufacturer of ATMs
       - Now Premier Election Systems
     - DRE – Direct Recording Electronic Voting Machine
       - Voters use machine to record and cast vote
       - Machine is used to tally the votes
     - Custom Software (Ballot Station) ran on top of Windows CE

  4. Vulnerability Points - Hardware (please turn to page 6)
     - Commonly used lightweight lock to secure access.
     - EPROM (E) – Replace EPROM w/ malware
     - PC Card Slot (S) – Used to replace existing software as well as load in malware
     - Flash Ext Slot (G) – Used to load in malware
     - Keyboard (R) & Mouse (U) Ports – Used to alter OS configuration
     - Serial Keypad Connector (O) – Open communication port.
     - Infrared Transmitter and Receiver (N) – Open communication port.

  5. Vulnerability Points - Software
     - Boot Process
     - Software Updates
     - Scripting
     - Authenticity / Authorization

  6. Boot Process
     - Bootloader is loaded into memory
       - Location is determined by jumpers on the mainboard
         - EPROM (E)
         - Onboard flash memory (C)
         - Flash memory module in the “ext flash” slot
     - Looks at PC Card Slot for a memory card
       - Looks for specially named files
         - fboot.nb0 – Replacement bootloader, copied into onboard flash
         - nk.bin – Replacement operating system image file
         - EraseFFX.bsq – Erases file system area of the flash

  7. Boot Process - 2
     - OS (Windows CE) is decompressed, loaded into memory and then started.
     - OS uses a customized ‘taskman.exe’
       - Automatically launches ‘BallotStation.exe’
       - However, if a memory card is present in the PC Card slot
         - If it contains a file called ‘explorer.glb’, then it will launch Windows Explorer instead of ‘BallotStation.exe’
         - Searches for script files ending with ‘.ins’ and runs them (with user confirmation)

  8. Software Updates
     - Takes place in the boot loading process
     - Looks for specially named files on memory card
     - Overwrites existing files in the onboard flash memory
     - No confirmation is needed
     - Messages are printed on screen only

  9. Scripts
     - Scripts are loaded via a memory card in the PC Card slot
     - Execution of each script requires user confirmation
     - Found multiple stack-based buffer overflows in handling of the script files
       - Suggesting malformed .ins files could bypass user confirmation.

  10. Authenticity / Authorization
      - At no time, during the boot loading or script execution, was there a check to validate the authenticity of any of the files on the memory card.
      - At no time was a user, supervisor, or admin asked to log in to the machine.
      - Without authentication, authorization to perform updates and script execution is non-existent.

  11. Classification of Attacks
      - Vote Stealing
        - Alter votes in favor of a politician, party, or issue.
        - Does not alter the count of votes (discredits ballot stuffing).
      - Denial of Service (DoS)
        - Prevents access to machine
          - To vote by the individual.
          - To access the voting results.
      - Purposeful Election Fraud
        - Make it look like the “other guy” did it, by forcing a 100% vote in favor of the “other guy”.
        - Creates distrust in the “other guy”.

  12. Delivery of Attack
      - EPROM
        - Attack code is created and placed on an EPROM chip
        - Attacker gains access into the voting machine and physically replaces the EPROM chip
        - Attacker changes the jumper settings so that the boot loader is loaded from the EPROM chip

  13. Delivery of Attack - 2
      - Memory Card via PC Card Slot
        - Initial Delivery
          - Attack code is placed on to the memory card, including a self replicating virus
          - Memory Card is inserted into PC card slot prior to booting voting machine
          - A malware boot loader is installed via specially named file: fboot.nb0
          - The malware boot loader loads the OS in normal fashion as well as loads the attack code

  14. Delivery of Attack - 3
      - Memory Card via PC Card Slot (cont.)
        - Subsequent Delivery
          - When a non-infected memory card is inserted into an infected machine, the attack code will copy itself from memory onto the memory card, thus infecting the memory card
          - When the infected memory card is removed and placed into a non-infected voting machine, the virus is copied onto the machine, infecting it as well.

  15. Conclusions
      - Diebold AccuVote – TS electronic voting machine is a single self-contained unit.
      - Weak Security
        - Single point of failure
          - Has no real time outside redundancies for recording votes and logs
        - Has multiple vulnerability points in both hardware and software
        - Single self-contained unit eliminates the need for a distributed attack against multiple machines simultaneously
        - No way to determine if an attack has taken place
      - Runs on general-purpose hardware and OS
        - Even though it was not mentioned, probably runs under Administrator privileges
      - Chain of Possession leaves the voting machine in an unsecure state. No fault of the machine.
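The boot process, software update and authenticity slides say the machine acts on specially named memory-card files with no authenticity check. As an added example (not from the presentation or the paper), this pre-deployment audit lists those trigger files on a mounted card and checks each against a hash allowlist. It assumes the card is mounted read-only at a directory, that names match case-insensitively, and that officials keep such an allowlist; the sample file names are constructed.

```python
import hashlib
import os
import tempfile

# File names the slides say the bootloader and taskman.exe act on.
TRIGGERS = {
    "fboot.nb0": "replacement bootloader, copied into onboard flash",
    "nk.bin": "replacement operating system image",
    "eraseffx.bsq": "erases the file system area of the flash",
    "explorer.glb": "launches Windows Explorer instead of BallotStation.exe",
}
SCRIPT_SUFFIX = ".ins"  # script files that taskman.exe searches for and runs


# approved: SHA-256 digests of authorized files (hypothetical allowlist).
def scan_card(root, approved=frozenset()):
    """Return sorted (path, reason, sha256, is_approved) tuples for trigger files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()  # assumption: match names case-insensitively
            reason = TRIGGERS.get(lowered)
            if reason is None and lowered.endswith(SCRIPT_SUFFIX):
                reason = "script file run by taskman.exe"
            if reason is None:
                continue  # not a file the boot process reacts to
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            findings.append((rel, reason, digest, digest in approved))
    return sorted(findings)


def build_sample_card(root):
    """Constructed sample card: two trigger files and one unrelated file."""
    samples = {"FBOOT.NB0": b"constructed bootloader bytes",
               "setup.ins": b"constructed script bytes",
               "ballots.dat": b"constructed data"}  # hypothetical file names
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as card:
        build_sample_card(card)
        for rel, reason, digest, ok in scan_card(card):
            print("OK  " if ok else "FLAG", rel, "-", reason, digest[:16])
```

Any trigger file whose digest is not on the allowlist is a reason to quarantine the card before it is inserted into a machine.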
