Vulnerabilities / Threats
8/12/2009
04:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

E-Voting Machine Hack Steals Votes

University researchers fool an e-voting machine into swapping votes from one candidate to another

Electronic voting machine security suffered another blow as researchers this week showed how they were able to hack a machine and steal votes.

A team of computer scientists from University of California-San Diego, the University of Michigan, and Princeton University used an attack based on "return-oriented programming" to turn a Sequoia AVC Advantage e-voting machine against itself and shift votes from one candidate to another.

Return-oriented programming basically takes snippets of code from the application and totally reassembles it into something with no resemblance to the program -- akin to selecting words or phrases from a story and putting them together into a different paragraph that means something completely different, says Hovav Shacham, a professor of computer science at UC San Diego's Jacobs School of Engineering and one of the lead researchers in the hack. UCSD had previously shown how the technique could work on desktop machines.

The attack (PDF) doesn't require any new code, either: "The attacker reuses short snippets of the existing system and recombines them in such a way that the computation they perform is exactly the computation he wants to carry out," he says.

The researchers exploited a buffer-overflow vulnerability in the Sequoia voting machine, which has built-in defenses against code injection into its RAM. "This is exactly the defense that our use of return-oriented programming defeats," Schacham says.

Brian Chess, CTO of Fortify Software, says return-oriented programming is an effective attack technique. "The lesson here is that there's no substitute for good code," Chess says.

Unlike previous e-voting hacks that have been demonstrated, the UCSD, Princeton, and Michigan researchers didn't have source code or documentation on the machine. "We were able to reverse-engineer the hardware and software of the AVC Advantage using only the physical artifacts -- a voting machine and a memory cartridge -- that an attacker could obtain by stealing a machine left unattended at a polling place the night before an election," UCSD's Shacham says.

It took the researchers about 16 months of work and $100,000 to pull off the hack, he says. "It might take an attacker longer to reverse-engineer the machine without source, but even so, the total time and money it took for us to develop our attack was not very large," he says.

The researchers pooled their resources, with Princeton computer scientists reverse-engineering the hardware of the Sequoia AVC Advantage purchased via a government auction, and a memory cartridge they obtained. They then wrote an exploit using the return-oriented method that simulated an election. "But after the polls are closed, it shifts votes from one candidate to another," Shacham says.

Meanwhile, in an unrelated development, e-voting machine manufacturer Diebold/Premier Election Solutions has apparently patched a major bug in its vote-tabulation software, according to a published report. The flaw in a log auditing function could allow a fraudster to delete votes, for instance.

E-voting has been under fire by security researchers for some time. Fortify Software, for instance, last year ranked the most popular voting mechanisms by security and privacy: Hand-counted paper came out as the No. 1 safest method of voting. Optical scan was next, followed by absentee, and then e-voting, which came out ahead of only lever machine and punch card voting methods.

UCSD's Schacham says paper-method voting is the safest bet today given the vulnerabilities that have been exposed in e-voting. For e-voting machines to be secure, they have to be built to withstand all types of attacks that evolve during the lifetime of the machine.

"Engineering a machine that will resist unknown attacks seems like an extremely difficult problem," he says. "Other approaches, such as cryptographic end-to-end voting, may someday be practical, but at the moment a paper record in conjunction with statistical audits is the technology I am aware of that gives us the highest confidence in the outcome of an election."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0640
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote authenticated users to bypass intended restrictions on resource access via unspecified vectors.

CVE-2014-0641
Published: 2014-08-20
Cross-site request forgery (CSRF) vulnerability in EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to hijack the authentication of arbitrary users.

CVE-2014-2505
Published: 2014-08-20
EMC RSA Archer GRC Platform 5.x before 5.5 SP1 allows remote attackers to trigger the download of arbitrary code, and consequently change the product's functionality, via unspecified vectors.

CVE-2014-2511
Published: 2014-08-20
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop before 6.7 SP1 P28 and 6.7 SP2 before P14 allow remote attackers to inject arbitrary web script or HTML via the (1) startat or (2) entryId parameter.

CVE-2014-2515
Published: 2014-08-20
EMC Documentum D2 3.1 before P24, 3.1SP1 before P02, 4.0 before P11, 4.1 before P16, and 4.2 before P05 does not properly restrict tickets provided by D2GetAdminTicketMethod and D2RefreshCacheMethod, which allows remote authenticated users to gain privileges via a request for a superuser ticket.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.