Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/12/2009
04:27 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

E-Voting Machine Hack Steals Votes

University researchers fool an e-voting machine into swapping votes from one candidate to another

Electronic voting machine security suffered another blow as researchers this week showed how they were able to hack a machine and steal votes.

A team of computer scientists from University of California-San Diego, the University of Michigan, and Princeton University used an attack based on "return-oriented programming" to turn a Sequoia AVC Advantage e-voting machine against itself and shift votes from one candidate to another.

Return-oriented programming basically takes snippets of code from the application and totally reassembles it into something with no resemblance to the program -- akin to selecting words or phrases from a story and putting them together into a different paragraph that means something completely different, says Hovav Shacham, a professor of computer science at UC San Diego's Jacobs School of Engineering and one of the lead researchers in the hack. UCSD had previously shown how the technique could work on desktop machines.

The attack (PDF) doesn't require any new code, either: "The attacker reuses short snippets of the existing system and recombines them in such a way that the computation they perform is exactly the computation he wants to carry out," he says.

The researchers exploited a buffer-overflow vulnerability in the Sequoia voting machine, which has built-in defenses against code injection into its RAM. "This is exactly the defense that our use of return-oriented programming defeats," Schacham says.

Brian Chess, CTO of Fortify Software, says return-oriented programming is an effective attack technique. "The lesson here is that there's no substitute for good code," Chess says.

Unlike previous e-voting hacks that have been demonstrated, the UCSD, Princeton, and Michigan researchers didn't have source code or documentation on the machine. "We were able to reverse-engineer the hardware and software of the AVC Advantage using only the physical artifacts -- a voting machine and a memory cartridge -- that an attacker could obtain by stealing a machine left unattended at a polling place the night before an election," UCSD's Shacham says.

It took the researchers about 16 months of work and $100,000 to pull off the hack, he says. "It might take an attacker longer to reverse-engineer the machine without source, but even so, the total time and money it took for us to develop our attack was not very large," he says.

The researchers pooled their resources, with Princeton computer scientists reverse-engineering the hardware of the Sequoia AVC Advantage purchased via a government auction, and a memory cartridge they obtained. They then wrote an exploit using the return-oriented method that simulated an election. "But after the polls are closed, it shifts votes from one candidate to another," Shacham says.

Meanwhile, in an unrelated development, e-voting machine manufacturer Diebold/Premier Election Solutions has apparently patched a major bug in its vote-tabulation software, according to a published report. The flaw in a log auditing function could allow a fraudster to delete votes, for instance.

E-voting has been under fire by security researchers for some time. Fortify Software, for instance, last year ranked the most popular voting mechanisms by security and privacy: Hand-counted paper came out as the No. 1 safest method of voting. Optical scan was next, followed by absentee, and then e-voting, which came out ahead of only lever machine and punch card voting methods.

UCSD's Schacham says paper-method voting is the safest bet today given the vulnerabilities that have been exposed in e-voting. For e-voting machines to be secure, they have to be built to withstand all types of attacks that evolve during the lifetime of the machine.

"Engineering a machine that will resist unknown attacks seems like an extremely difficult problem," he says. "Other approaches, such as cryptographic end-to-end voting, may someday be practical, but at the moment a paper record in conjunction with statistical audits is the technology I am aware of that gives us the highest confidence in the outcome of an election."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9351
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
CVE-2020-9352
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
CVE-2020-9353
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
CVE-2020-9354
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
CVE-2020-9355
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.