Vulnerabilities / Threats
8/12/2009
04:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

E-Voting Machine Hack Steals Votes

University researchers fool an e-voting machine into swapping votes from one candidate to another

Electronic voting machine security suffered another blow as researchers this week showed how they were able to hack a machine and steal votes.

A team of computer scientists from University of California-San Diego, the University of Michigan, and Princeton University used an attack based on "return-oriented programming" to turn a Sequoia AVC Advantage e-voting machine against itself and shift votes from one candidate to another.

Return-oriented programming basically takes snippets of code from the application and totally reassembles it into something with no resemblance to the program -- akin to selecting words or phrases from a story and putting them together into a different paragraph that means something completely different, says Hovav Shacham, a professor of computer science at UC San Diego's Jacobs School of Engineering and one of the lead researchers in the hack. UCSD had previously shown how the technique could work on desktop machines.

The attack (PDF) doesn't require any new code, either: "The attacker reuses short snippets of the existing system and recombines them in such a way that the computation they perform is exactly the computation he wants to carry out," he says.

The researchers exploited a buffer-overflow vulnerability in the Sequoia voting machine, which has built-in defenses against code injection into its RAM. "This is exactly the defense that our use of return-oriented programming defeats," Schacham says.

Brian Chess, CTO of Fortify Software, says return-oriented programming is an effective attack technique. "The lesson here is that there's no substitute for good code," Chess says.

Unlike previous e-voting hacks that have been demonstrated, the UCSD, Princeton, and Michigan researchers didn't have source code or documentation on the machine. "We were able to reverse-engineer the hardware and software of the AVC Advantage using only the physical artifacts -- a voting machine and a memory cartridge -- that an attacker could obtain by stealing a machine left unattended at a polling place the night before an election," UCSD's Shacham says.

It took the researchers about 16 months of work and $100,000 to pull off the hack, he says. "It might take an attacker longer to reverse-engineer the machine without source, but even so, the total time and money it took for us to develop our attack was not very large," he says.

The researchers pooled their resources, with Princeton computer scientists reverse-engineering the hardware of the Sequoia AVC Advantage purchased via a government auction, and a memory cartridge they obtained. They then wrote an exploit using the return-oriented method that simulated an election. "But after the polls are closed, it shifts votes from one candidate to another," Shacham says.

Meanwhile, in an unrelated development, e-voting machine manufacturer Diebold/Premier Election Solutions has apparently patched a major bug in its vote-tabulation software, according to a published report. The flaw in a log auditing function could allow a fraudster to delete votes, for instance.

E-voting has been under fire by security researchers for some time. Fortify Software, for instance, last year ranked the most popular voting mechanisms by security and privacy: Hand-counted paper came out as the No. 1 safest method of voting. Optical scan was next, followed by absentee, and then e-voting, which came out ahead of only lever machine and punch card voting methods.

UCSD's Schacham says paper-method voting is the safest bet today given the vulnerabilities that have been exposed in e-voting. For e-voting machines to be secure, they have to be built to withstand all types of attacks that evolve during the lifetime of the machine.

"Engineering a machine that will resist unknown attacks seems like an extremely difficult problem," he says. "Other approaches, such as cryptographic end-to-end voting, may someday be practical, but at the moment a paper record in conjunction with statistical audits is the technology I am aware of that gives us the highest confidence in the outcome of an election."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.