Slide 1: Security Failures in Electronic Voting Machines
Ariel Feldman, J. Alex Halderman, Edward Felten
Center for Information Technology Policy, Department of Computer Science, Princeton University
Slide 5: 2000 Recount Debacle
Legislative response: the Help America Vote Act (HAVA) provided $3.9 billion to states to upgrade voting machines by November 2006.

Slide 6: DREs to the Rescue?
Direct Recording Electronic (DRE) machines store votes in internal memory.

Slide 7: DREs are Computers
Bugs, rootkits, viruses, attacks.
Slide 10: Diebold's History of Secrecy
- Uses NDAs to prevent states from allowing independent security audits.
- Source code leaked in 2003; researchers at Johns Hopkins found major flaws.
- Diebold responded with vague legal threats, personal attacks and a disinformation campaign.
- Internal e-mails leaked in 2003 reveal poor security practices by developers; Diebold tried to suppress the sites hosting them with legal threats.

Slide 11: We Get a Machine (2006)
- Obtained legally from an anonymous private party.
- Software is a 2002 version, but certified and used in actual elections.
- First complete, public, independent security audit of a DRE.

Slide 12: Research Goals
- Conduct an independent security audit.
- Confirm findings of previous researchers (Hursti, Kohno et al.).
- Verify threats by implementing attack demos.
- Who wants to know? Voters, candidates, election officials, policy makers, researchers.
Slide 13: Hardware
16 MB Flash, 128 KB EPROM, SH3 CPU, 32 MB SDRAM, removable Flash Memory Card.

Slide 14: Software layers
Bootloader (Internal Flash or EPROM); WinCE 3.0 Kernel and BallotStation (Internal Flash).
Slides 16-17: Our Findings / Vulnerabilities
- Malicious software running on the machine can steal votes undetectably, altering all backups and logs.
- Anyone with physical access to the machine or memory card can install malicious code in as little as one minute.
- Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus.

Slide 18: (Video Demonstration)

Slide 19: Correct result: George 5, Benedict 0
Slide 21: Bootloader, WinCE 3.0 Kernel, BallotStation with the Stuffer (the vote-stealing code) layered on top.

Slide 22: Stealing Votes
The Stuffer rewrites the Primary Vote Record, the Backup Vote Record and the Audit Log together, so a vote cast for George (President: George) can be stored as a vote for Benedict (President: Benedict) in every copy; the three records remain mutually consistent, and checking them against one another reveals nothing.
Slide 24: Vulnerabilities (section divider; repeats the three findings from slide 16)
Slide 26: EXPLORER.GLB (see slide 30: manual install using Explorer)
Slides 27-28: Bootloader, WinCE 3.0 Kernel, BallotStation; EBOOT.NB0 (replacement boot firmware, see slide 30)

Slide 29: 128 KB EPROM, Jumper Table, EBOOT.NB0

Slide 30: Weakness in Depth
Three ways to install malicious code:
- Manually install using Explorer.
- Replace the boot firmware.
- Replace the boot EPROM.
Slide 32: The Key
Slide 34: Weakness in Depth
- Key commonly available.
- Lock easy to pick.
- Key pictured on web site.

Slide 35: Tamper-Evident Seals?

Slide 36: Vulnerabilities (section divider; repeats the three findings from slide 16)

Slide 37: The Viral Lifecycle: Infection
EBOOT.NB0, VIRUS.EXE

Slide 38: The Viral Lifecycle: Propagation
EBOOT.NB0, VIRUS.EXE
What if the viral firmware sees EBOOT.NB0?
- Hidden: ignore it.
- Non-hidden: fake a firmware update.

Slide 39: Voting Machine Virus

Slide 40: Viral Spread

Slide 41: Are all DREs this bad?
Slide 44: Memory Organization
- Diebold AccuVote: firmware, ballots and votes all live in rewritable memory (Flash Memory (RW)).
- Sequoia AVC: ballots and votes live in rewritable memory (NV-RAM (RW)); the firmware lives in EPROM (RO) and cannot be rewritten by software on the machine.
Slide 45: We can do better!

Slide 46: Why Vote Electronically?
- Voters prefer it.
- Faster reporting.
- Fewer undervotes.
- Improved accessibility.
- Potentially increased security*

Slide 47: Low-Tech vs. High-Tech
- Paper Ballots: low-cost cheating (ballot stuffing); small-scale tampering (individual precincts).
- Electronic Voting: high-cost cheating (viral attacks); large-scale tampering (counties or states).
Leverage these complementary failure modes for greater security.

Slide 48: Paper to the Rescue
Voter-Verified Paper Audit Trails (VVPAT):
- The DRE prints a paper ballot; the voter verifies it and places it in a ballot box.
- At a few random precincts, the paper ballots are counted to ensure the machines' totals are accurate.
- If discrepancies are found, paper ballots can be counted more widely.

Slide 49: Software Independence
"A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome." (Ron Rivest and John Wack)
Software-independent designs: DREs + VVPATs; electronic ballot marking systems; optical scan systems; cryptographic schemes.

Slide 50: Proposed Legislation
H.R. 811: Voter Confidence and Increased Accessibility Act (Rush Holt, D-NJ)
- Amends HAVA to require VVPATs:
  - Paper ballots would be the official record.
  - Random manual recounts in 3%+ of precincts.
- Opens voting software and source code to public inspection.
- Additional $300 million for states.

Slide 51: Future Work
- Retrofits for existing systems.
- Improved procedural safeguards.
- Policies for recovering from failures.
- Hardware-assisted security.
- Cryptographically assured voting.
- Techniques for ballot secrecy.
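The random-precinct paper audit from slide 48, with the 3% sampling rate of H.R. 811 (slide 50), as an added Python example that is not part of the talk: it simulates electronic totals that a Stuffer has altered consistently in every copy (slide 22), hand-counts a random 3% sample of paper ballots, escalates on any discrepancy, and computes how likely such a sample is to hit at least one tampered precinct. All precinct data is constructed; candidate names follow the video demo.

```python
import math
import random

# Constructed sample data, not from the talk: per-precinct totals for a
# two-candidate race. Each precinct maps to (electronic, paper), where
# `electronic` is what the DRE reports (its primary record, backup and
# audit log all agree, so the machine's own consistency checks pass) and
# `paper` is the hand count of the voter-verified paper ballots.
def make_precincts(n, tampered, shift, seed=1):
    rng = random.Random(seed)
    precincts = {}
    for i in range(n):
        paper = {"George": rng.randint(200, 400),
                 "Benedict": rng.randint(200, 400)}
        electronic = dict(paper)
        if i < tampered:  # malicious software moved `shift` votes
            electronic["George"] -= shift
            electronic["Benedict"] += shift
        precincts[f"P{i:03d}"] = (electronic, paper)
    return precincts

def tally(precincts, record):
    """Statewide totals from record 0 (electronic) or 1 (paper)."""
    total = {}
    for entry in precincts.values():
        for cand, n in entry[record].items():
            total[cand] = total.get(cand, 0) + n
    return total

def detection_probability(n_precincts, n_tampered, sample_size):
    """Probability that a uniform random sample (without replacement)
    contains at least one tampered precinct (hypergeometric)."""
    if n_tampered == 0 or sample_size == 0:
        return 0.0
    clean = n_precincts - n_tampered
    if sample_size > clean:
        return 1.0
    miss = math.comb(clean, sample_size) / math.comb(n_precincts, sample_size)
    return 1.0 - miss

def audit(precincts, sample_fraction=0.03, seed=None):
    """Hand-count the paper ballots of a random sample of precincts and
    compare with the electronic totals. Returns (sampled ids, discrepant
    ids, escalate); escalate=True means count paper more widely."""
    rng = random.Random(seed)
    ids = sorted(precincts)
    sample_size = max(1, math.ceil(sample_fraction * len(ids)))
    sampled = sorted(rng.sample(ids, sample_size))
    discrepant = [p for p in sampled if precincts[p][0] != precincts[p][1]]
    return sampled, discrepant, bool(discrepant)
```

With 100 precincts and 10 tampered, a 3% sample catches the attack only about 27% of the time, which is why the audit must escalate to a wider count on any discrepancy and why small-scale tampering is the paper trail's weak spot rather than the county- or state-wide kind.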