1 Security Evaluation of the Sequoia Voting System Sandhya Jognipalli.

Presentation transcript:

1 Security Evaluation of the Sequoia Voting System Sandhya Jognipalli

2 Outline
o Introduction
o Overview of Sequoia Voting System
o Known Issues
o Findings
o Attack Scenarios
o Conclusions

3 Introduction
o The use of computers in performing voting and tallying introduces serious concerns about the integrity and confidentiality of the voting process
o Testing assumes two classes of threats:
  o Insiders
  o Outsiders
o System security depends upon proper application of procedures; check the consequences of any failure to follow procedures

4 System Overview
o The Sequoia voting system collects votes in three ways: touchscreen machines, paper ballots scanned at polling places, and paper ballots scanned at election offices
o WinEDS, version
o AVC Edge Model I, firmware version
o AVC Edge Model II, firmware version
o VeriVote Printer
o Optech 400-C/WinETP firmware version
o Optech Insight, APX K2.10, HPX K1.42
o Optech Insight Plus, APX K2.10, HPX K1.42
o Card Activator, version
o HAAT Model 50, version L
o Memory Pack Reader (MPR), firmware version 2.15
o Various removable media:
  o Results Cartridges
  o USB flash drives
  o Voter Smartcards
  o Memory packs

5 [Diagram: the system components (Card Activator, Insight, MemoryPack Receiver, Optech 400-C, Edge, HAAT, WinEDS), the media passed between them (floppy disk, cartridge, MemoryPack, paper ballot, Voter Card, USB stick) and the voter, split between Polling place and Election Office]

6 WinEDS
o WinEDS is the Election Database System
o WinEDS is a software program that runs on Windows PCs for entering, editing, collecting, and reporting on election information stored in a Microsoft SQL Server database
o Multiple computers running WinEDS all access a common database over a network on a computer running Microsoft SQL Server

7 WinEDS on a network
[Diagram: WinEDS, Microsoft SQL Server and two unidentified ("?") hosts on the Election Office Network]

8 HAAT
o HAAT (Hybrid Activator, Accumulator and Transmitter) is a portable, shoe-box sized device, used primarily to activate Voter Cards used by the Edge DRE
o HAAT and Card Activator are devices used in polling places

9 Card Activator
o The Card Activator (CA) is a component of the AVC Edge, and serves as the voter's access to the AVC Edge direct-record electronic touch-screen voting system
o A CA is used in place of the HAAT. The Card Activator is similar in size and shape to the HAAT

10 AVC Edge
o The Edge is a stand-alone Direct Recording Electronic (DRE).
o Edge is a touchscreen voting machine, accompanied by a Voter-Verified Paper Audit Trail (VVPAT) printer which provides a paper record of the vote for review by the voter

11 Optech 400-C
o Optech 400-C is a machine for quickly scanning large stacks of paper ballots at an election office

12 Optech Insight and Insight Plus
o The Insight and Insight Plus are precinct-based optical scanners installed on top of a ballot box at a polling place

13 MemoryPack Receiver (MPR)
o MemoryPack Receiver is a device for reading and writing MemoryPacks

14 Removable Media
o SmartCards are simple, memory-constrained devices utilized as hardware tokens
  o Authenticate a voter to an AVC Edge
  o Authorize the voter to cast a single ballot
o Cartridges are used to carry election information and cast ballot records between WinEDS and the Edges
o MemoryPacks are used to carry ballot information and vote counts between WinEDS and the Insights
o Floppy disks are used to carry ballot information and vote counts between WinEDS and the Optech 400-Cs
o USB flash drives are used to transfer an election definition from WinEDS to a HAAT

15 Lines of code & languages in the Sequoia source code
Component | Language | Code Only | Code and Comments
WinEDS 3.1 | C, C++, PowerBuilder, SQL, Visual Basic | |
Edge (AVC Edge ) | C, x86 assembly | |
VeriVote (VVPAT 4.3) | PIC assembly | |
ADA Audio Board 5.0 | C | |
Card Activator (Card Activator 5.0) | C | |
HAAT 50 (HAAT L) | 8051 assembly, C, C++, C# | |
Insight (HPX 1.42, APX 2.10) | Z80 assembly | |
MemoryPack Receiver (MPR 2.15) | Z80 assembly | |
Optech 400-C (WinETP ) | C, C++, x86 assembly | |
Total: | | |

16 Known Issues
o The Electronic Frontier Foundation (EFF) published a list of known problems
  o The Alameda County Evaluation
  o Multiple votes attack
o The Sequoia voting system was evaluated by Pacific Design Engineering for Alameda County and the problems found by them can be summarized as follows:
  o The WinEDS and the other servers use non-encrypted text passwords when communicating
  o The Edge uses constant hashes and DES encryption keys that can be discovered if somebody has physical access to a machine

17 Continuation…
  o The Edge's memory cartridge results are not bound together cryptographically, and therefore the content of one cartridge could be copied onto another
  o The WinEDS system uses Windows and therefore inherits the vulnerabilities associated with that operating system
o Multiple Votes Attack:
  o An attack enabling a voter to vote multiple times without the need for an activated SmartCard has been reported

18 Findings
o Some important security issues:
o Arbitrary Code Execution: An attacker can overwrite an AVC Edge firmware with a malicious version
  o The development of the exploit was made easier because the Edge runs a proprietary OS
o File Overwriting: The AVC Edge firmware is vulnerable to a directory traversal attack that can name, and overwrite, the files containing the boot loader and the system firmware
o Accuracy Testing Mode Detection: In the case of the Edge, the pre-election correctness test is performed by switching the machine to a specific Logic and Accuracy Test (LAT) mode
o Execution of Modified Firmware: There is no way to determine which version of the firmware is running on an Edge device

19 Continuation…
o Availability of an Interpreter in Violation of Guidelines: The Edge firmware was discovered to include a shell-like scripting language interpreter
o This language includes, among others, several interesting commands:
  o A command to set the protective counter of the machine, which was described by the Sequoia representatives as tamper-proof
  o A command to set the machine's serial number
  o A command that can be used to overwrite arbitrary files on the internal compact flash drive, including the system firmware or audit trail
  o Commands to reboot the machine at will
o Arbitrary Directory Creation Through Traversal Attack: The AVC Edge voting machine ballot loading logic is vulnerable to a directory traversal attack that leads to a denial of service
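
The two traversal findings above (File Overwriting, Arbitrary Directory Creation) both come down to trusting a file name read from removable media. The following is an added example, not code from the slides or from Sequoia: a sketch of the check a loader could apply before writing anything to internal flash. The 8.3 naming policy, the staging directory and the protected file names are assumptions made for illustration.

```python
import re

# Assumed policy (not from the report): media files are flat 8.3-style names
# written only into one staging directory on the internal flash.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9_-]{1,8}(\.[A-Za-z0-9]{1,3})?")
PROTECTED = {"boot.bin", "firmware.bin", "audit.log"}  # hypothetical system files


class UnsafeName(ValueError):
    """Raised when a media-supplied name must not reach the file system."""


def resolve_media_name(name, staging_dir="/staging"):
    """Return the staging path for a media-supplied file name, or raise UnsafeName."""
    if not isinstance(name, str) or "\x00" in name:
        raise UnsafeName("not text, or embedded NUL")
    if any(c in name for c in "/\\:"):
        raise UnsafeName("path separator or drive prefix")
    if not ALLOWED_NAME.fullmatch(name):
        raise UnsafeName("not a plain 8.3 file name")
    if name.lower() in PROTECTED:
        raise UnsafeName("collides with a protected system file")
    return staging_dir.rstrip("/") + "/" + name


def screen_manifest(names):
    """Split a cartridge manifest into accepted paths and rejected (name, reason) pairs."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(resolve_media_name(name))
        except UnsafeName as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed manifest, as it might be read from a cartridge (not real data).
SAMPLE = ["BALLOT01.DAT", "..\\..\\BOOT.BIN", "../firmware.bin",
          "C:AUDIT.LOG", "Firmware.BIN", "a" * 40, ""]

if __name__ == "__main__":
    ok, bad = screen_manifest(SAMPLE)
    print("accepted:", ok)
    for name, reason in bad:
        print("rejected:", repr(name), "-", reason)
```

The check is an allowlist rather than a search for "..", so names that use the other separator, a drive prefix or a different letter case are rejected by the same rule.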

20 Continuation…
o Automatic Execution of Code: The WinEDS host operating system provided and configured by Sequoia is configured so that it will execute an autorun file whenever removable media is inserted
o Security of the MS SQL Server: In the documentation, it is stated that: WinEDS currently does NOT utilize code outside of MS SQL Server and no connections or permissions are required on the server. The election data stored on the server can only be modified by authorized users only through the application.
o Votes Encrypted Using Static Key: The contents of the Results Cartridge are not protected by any cryptographic signatures, and can easily be modified
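
Slide 17 notes that cartridge results are not bound to the cartridge, and the Results Cartridge finding above notes that they carry no signature. The following is an added example, not code from the slides or from Sequoia, showing what such a binding looks like with a keyed MAC. The field names, the hardware-readable cartridge serial and the per-election key are assumptions; a MAC key held on the machine can still be extracted with physical access, so this illustrates the binding, not a complete key-management design.

```python
import hashlib
import hmac
import struct


def _frame(*fields):
    # Length-prefix each field so bytes cannot slide between serial and records.
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def seal_results(key, election_id, cartridge_serial, records):
    """Tag computed by the voting machine when it closes the polls."""
    msg = _frame(b"results-v1", election_id, cartridge_serial, records)
    return hmac.new(key, msg, hashlib.sha256).digest()


def accept_cartridge(key, election_id, serial_from_hardware, records, tag):
    """Tally-side check: the serial is read from the device, never from the file."""
    expected = seal_results(key, election_id, serial_from_hardware, records)
    return hmac.compare_digest(expected, tag)


# Constructed values for the demonstration; a real key would be random,
# generated per election and kept out of the firmware image.
KEY = bytes(range(32))
ELECTION = b"2008-GENERAL"
RECORDS = b"contest=1;A=120;B=95\n"
TAG_A = seal_results(KEY, ELECTION, b"CART-0001", RECORDS)


def demo():
    """Outcome of the tally-side check for the original and three tampered cases."""
    edited = RECORDS.replace(b"A=120", b"A=210")
    return {
        "original": accept_cartridge(KEY, ELECTION, b"CART-0001", RECORDS, TAG_A),
        "copied_to_other_cartridge":
            accept_cartridge(KEY, ELECTION, b"CART-0002", RECORDS, TAG_A),
        "edited_counts": accept_cartridge(KEY, ELECTION, b"CART-0001", edited, TAG_A),
        "replayed_in_other_election":
            accept_cartridge(KEY, b"2010-PRIMARY", b"CART-0001", RECORDS, TAG_A),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```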

21 Continuation…
o Possible Unsafe OS Choices: The WinEDS documentation states that Windows 98 could be used for the WinEDS client machine
  o Windows versions provide no user-level security
o Physical Security: Serious concerns about the physical security of the different hardware components
o Reversible Password Hash: The password stored on the update cartridge is not stored as a password hash
o Forging Update Cards and Voter Cards: Voter SmartCards can be forged because the SmartCards are DES-encrypted using a static key

22 Successful Attack Scenarios
o Attack Scenario 1: An attacker drops a USB flash drive in the pool of USB drives used to initialize the HAAT systems
  o When the drive is inserted in the computer on which WinEDS is running
  o The cartridge is inserted in an Edge machine to load the ballots
  o Modifies the ballot to give advantage to a certain candidate
o Attack Scenario 2: The malicious firmware takes advantage of fleeing voters
  o The poll worker has no access to the content of the ballot
  o The firmware records a modified vote

23 Continuation…
o Attack Scenario 3: In this case the firmware prints a copy of the voter's actual choices
  o The firmware displays "Please Wait, Recording Vote" for a few seconds
  o "Thank you, vote recorded" but the machine prints "VOIDED" on the receipt
o Attack Scenario 4: After the machine prints "VOIDED", instead of jumping back to the ballot, it completes the voting process by casting a modified vote
o Attack Scenario 5: An attacker replaces the firmware's flashcard with one containing a malicious firmware

24 Continuation…
o Attack Scenario 6: Attacker obtains access to the static key used to encrypt the voter cards
  o Creates a number of valid voter cards to vote multiple times
o Attack Scenario 7: Access to election functionality on a WinEDS workstation directly connects to the MS SQL Server running on a separate WinEDS server machine
  o The attacker transfers a malicious program to the database, and installs the program on the WinEDS server
  o The installed program can be left on the machine as a Trojan

25 Potential Attack Scenarios
o Attack Scenario 8: An authorized user gets access to a 400-C machine
  o Reboots the PC with a bootable CD containing a different OS
  o The attacker then installs a Trojan application on the Windows system installed on the PC
  o It will start modifying the votes
  o It is possible to hide the malicious behavior from the LAT procedures

26 Conclusion
o Vulnerabilities could be exploited by a determined attacker to modify the results of an election
o No knowledge of source code required
o The implementation of the attacks did not require access to the source code