Vulnerabilities / Threats
8/12/2009
04:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

E-Voting Machine Hack Steals Votes

University researchers fool an e-voting machine into swapping votes from one candidate to another

Electronic voting machine security suffered another blow as researchers this week showed how they were able to hack a machine and steal votes.

A team of computer scientists from University of California-San Diego, the University of Michigan, and Princeton University used an attack based on "return-oriented programming" to turn a Sequoia AVC Advantage e-voting machine against itself and shift votes from one candidate to another.

Return-oriented programming basically takes snippets of code from the application and totally reassembles it into something with no resemblance to the program -- akin to selecting words or phrases from a story and putting them together into a different paragraph that means something completely different, says Hovav Shacham, a professor of computer science at UC San Diego's Jacobs School of Engineering and one of the lead researchers in the hack. UCSD had previously shown how the technique could work on desktop machines.

The attack (PDF) doesn't require any new code, either: "The attacker reuses short snippets of the existing system and recombines them in such a way that the computation they perform is exactly the computation he wants to carry out," he says.

The researchers exploited a buffer-overflow vulnerability in the Sequoia voting machine, which has built-in defenses against code injection into its RAM. "This is exactly the defense that our use of return-oriented programming defeats," Schacham says.

Brian Chess, CTO of Fortify Software, says return-oriented programming is an effective attack technique. "The lesson here is that there's no substitute for good code," Chess says.

Unlike previous e-voting hacks that have been demonstrated, the UCSD, Princeton, and Michigan researchers didn't have source code or documentation on the machine. "We were able to reverse-engineer the hardware and software of the AVC Advantage using only the physical artifacts -- a voting machine and a memory cartridge -- that an attacker could obtain by stealing a machine left unattended at a polling place the night before an election," UCSD's Shacham says.

It took the researchers about 16 months of work and $100,000 to pull off the hack, he says. "It might take an attacker longer to reverse-engineer the machine without source, but even so, the total time and money it took for us to develop our attack was not very large," he says.

The researchers pooled their resources, with Princeton computer scientists reverse-engineering the hardware of the Sequoia AVC Advantage purchased via a government auction, and a memory cartridge they obtained. They then wrote an exploit using the return-oriented method that simulated an election. "But after the polls are closed, it shifts votes from one candidate to another," Shacham says.

Meanwhile, in an unrelated development, e-voting machine manufacturer Diebold/Premier Election Solutions has apparently patched a major bug in its vote-tabulation software, according to a published report. The flaw in a log auditing function could allow a fraudster to delete votes, for instance.

E-voting has been under fire by security researchers for some time. Fortify Software, for instance, last year ranked the most popular voting mechanisms by security and privacy: Hand-counted paper came out as the No. 1 safest method of voting. Optical scan was next, followed by absentee, and then e-voting, which came out ahead of only lever machine and punch card voting methods.

UCSD's Schacham says paper-method voting is the safest bet today given the vulnerabilities that have been exposed in e-voting. For e-voting machines to be secure, they have to be built to withstand all types of attacks that evolve during the lifetime of the machine.

"Engineering a machine that will resist unknown attacks seems like an extremely difficult problem," he says. "Other approaches, such as cryptographic end-to-end voting, may someday be practical, but at the moment a paper record in conjunction with statistical audits is the technology I am aware of that gives us the highest confidence in the outcome of an election."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: nice post
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1750
Published: 2015-07-01
Open redirect vulnerability in nokia-mapsplaces.php in the Nokia Maps & Places plugin 1.6.6 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the href parameter to page/place.html. NOTE: this was originally reported as cross-sit...

CVE-2014-1836
Published: 2015-07-01
Absolute path traversal vulnerability in htdocs/libraries/image-editor/image-edit.php in ImpressCMS before 1.3.6 allows remote attackers to delete arbitrary files via a full pathname in the image_path parameter in a cancel action.

CVE-2015-0848
Published: 2015-07-01
Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted BMP image.

CVE-2015-1330
Published: 2015-07-01
unattended-upgrades before 0.86.1 does not properly authenticate packages when the (1) force-confold or (2) force-confnew dpkg options are enabled in the DPkg::Options::* apt configuration, which allows remote man-in-the-middle attackers to upload and execute arbitrary packages via unspecified vecto...

CVE-2015-1950
Published: 2015-07-01
IBM PowerVC Standard Edition 1.2.2.1 through 1.2.2.2 does not require authentication for access to the Python interpreter with nova credentials, which allows KVM guest OS users to discover certain PowerVC credentials and bypass intended access restrictions via unspecified Python code.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report