October 22, 2008 CSC 682 Security Analysis of the Diebold AccuVote – TS Voting Machine Feldman, Halderman and Felten Presented by: Ryan Lehan.


Outline
- Overview of Diebold AccuVote-TS Voting Machine
- Vulnerability Points
  - Hardware
  - Software
- Classification of Attacks
- Delivery of Attacks
- Conclusion

Diebold AccuVote-TS
- Manufactured by Diebold Election Systems
  - Subsidiary of Diebold
  - Manufacturer of ATMs
  - Now Premier Election Systems
- DRE – Direct Recording Electronic Voting Machine
  - Voters use machine to record and cast vote
  - Machine is used to tally the votes
- Custom Software (Ballot Station) ran on top of Windows CE

Vulnerability Points - Hardware – Please turn to page 6
- Commonly used lightweight lock to secure access.
- EPROM (E) – Replace EPROM w/ malware
- PC Card Slot (S) – Used to replace existing software as well as load in malware
- Flash Ext Slot (G) – Used to load in malware
- Keyboard (R) & Mouse (U) Ports – Used to alter OS configuration
- Serial Keypad Connector (O) – Open communication port.
- Infrared Transmitter and Receiver (N) – Open communication port.

Vulnerability Points - Software
- Boot Process
- Software Updates
- Scripting
- Authenticity / Authorization

Boot Process
- Bootloader is loaded into memory
  - Location is determined by jumpers on the mainboard
    - EPROM (E)
    - Onboard flash memory (C)
    - Flash memory module in the “ext flash” slot
- Looks at PC Card Slot for a memory card
  - Looks for specially named files
    - fboot.nb0 – Replacement bootloader, copied into onboard flash
    - nk.bin – Replacement operating system image file
    - EraseFFX.bsq – Erases file system area of the flash

Boot Process
- OS (Windows CE) is decompressed, loaded into memory and then started.
- OS uses a customized ‘taskman.exe’
  - Automatically launches ‘BallotStation.exe’
  - However, if a memory card is present in the PC Card slot:
    - If it contains a file called ‘explorer.glb’, Windows Explorer is launched instead of ‘BallotStation.exe’
    - It searches for script files ending with ‘.ins’ and runs them (with user confirmation)

Software Updates
- Takes place in the boot loading process
- Looks for specially named files on memory card
- Overwrites existing files in the onboard flash memory
- No confirmation is needed
- Messages are printed on screen only

Scripts
- Scripts are loaded via a memory card in the PC Card slot
- Execution of each script requires user confirmation
- Found multiple stack-based buffer overflows in handling of the script files
  - Suggesting malformed .ins files could bypass user confirmation.

Authenticity / Authorization
- At no time, during the boot loading or script execution, was there a check to validate the authenticity of any of the files on the memory card.
- At no time was a user, supervisor, or admin asked to log in to the machine.
- Without authentication, authorization to perform updates and script execution is non-existent
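The check this slide reports as missing, sketched as an added example (not code from the presentation, the paper, or Diebold): the trigger files named in the Boot Process slides are accepted only if their SHA-256 hash appears in an authenticated manifest. The key, the manifest format and the sample card contents are constructed assumptions, and HMAC-SHA256 stands in for the digital signature a fielded design would verify.

```python
import hashlib
import hmac
import json

# File names the slides say the boot loader / taskman.exe act on (FAT names are case-insensitive).
TRIGGERS = {
    "fboot.nb0": "replaces boot loader in onboard flash",
    "nk.bin": "replaces operating system image",
    "eraseffx.bsq": "erases flash file system area",
    "explorer.glb": "launches Windows Explorer instead of BallotStation.exe",
}

def classify(name):
    """Return the boot-time effect of a card file, or None if it triggers nothing."""
    low = name.lower()
    if low.endswith(".ins"):
        return "script offered for execution"
    return TRIGGERS.get(low)

def load_manifest(manifest_bytes, tag_hex, key):
    """Authenticate the manifest before trusting any hash inside it."""
    expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag_hex):
        return {}  # forged or missing manifest: nothing is authorized
    return {k.lower(): v for k, v in json.loads(manifest_bytes).items()}

def audit_card(files, manifest_bytes, tag_hex, key):
    """files: {name: content bytes}. Returns [(name, effect, verdict)] for trigger files."""
    approved = load_manifest(manifest_bytes, tag_hex, key)
    findings = []
    for name, data in sorted(files.items()):
        effect = classify(name)
        if effect is None:
            continue  # ordinary data file, not acted on at boot
        digest = hashlib.sha256(data).hexdigest()
        ok = hmac.compare_digest(approved.get(name.lower(), ""), digest)
        findings.append((name, effect, "ACCEPT" if ok else "REJECT"))
    return findings

# Constructed sample data (hypothetical key and file contents, not from the study).
KEY = b"constructed-demo-key"
GOOD_OS = b"certified OS image bytes"
MANIFEST = json.dumps({"nk.bin": hashlib.sha256(GOOD_OS).hexdigest()}).encode()
TAG = hmac.new(KEY, MANIFEST, hashlib.sha256).hexdigest()
CARD = {"NK.BIN": GOOD_OS, "fboot.nb0": b"unknown loader", "a.ins": b"x", "ballots.dat": b"..."}

if __name__ == "__main__":
    for row in audit_card(CARD, MANIFEST, TAG, KEY):
        print(row)
```

The same routine can be run by election staff against a mounted card before it goes into a machine, so any unexpected trigger file is flagged before boot.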

Classification of Attacks
- Vote Stealing
  - Alter votes in favor of a politician, party, or issue.
  - Does not alter the count of votes (discredits ballot stuffing).
- Denial of Service (DoS)
  - Prevents access to machine
    - To vote by the individual.
    - To access the voting results.
- Purposeful Election Fraud
  - Make it look like the “other guy” did it, by forcing a 100% vote in favor of the “other guy”.
  - Creates distrust in the “other guy”.

Delivery of Attack
- EPROM
  - Attack code is created and placed on an EPROM chip
  - Attacker gains access into the voting machine and physically replaces the EPROM chip
  - Attacker changes the jumper settings so that the boot loader is loaded from the EPROM chip

Delivery of Attack
- Memory Card via PC Card Slot
  - Initial Delivery
    - Attack code is placed onto the memory card, including a self-replicating virus
    - Memory Card is inserted into PC card slot prior to booting voting machine
    - A malware boot loader is installed via specially named file: fboot.nb0
    - The malware boot loader loads the OS in normal fashion as well as loads the attack code

Delivery of Attack
- Memory Card via PC Card Slot (cont.)
  - Subsequent Delivery
    - When a non-infected memory card is inserted into an infected machine, the attack code will copy itself from memory onto the memory card, thus infecting the memory card
    - When the infected memory card is removed and placed into a non-infected voting machine, the virus is copied onto the machine, infecting it as well.

Conclusions
- Diebold AccuVote – TS electronic voting machine is a single self-contained unit.
  - Weak Security
    - Single point of failure
    - Has no real-time outside redundancies for recording votes and logs
    - Has multiple vulnerability points in both hardware and software
  - Single self-contained unit eliminates the need for a distributed attack against multiple machines simultaneously
  - No way to determine if an attack has taken place
- Runs on general-purpose hardware and OS
  - Even though it was not mentioned, probably runs under Administrator privileges
- Chain of Possession leaves the voting machine in an insecure state. No fault of the machine.