Voting Machine Attacks Proven To Be Practical
An anonymous reader writes "Every time a bunch of academics show vulnerabilities in electronic voting machines, critics complain that the attacks aren't realistic, that attackers won't have access to source code, or design documents, or be able to manipulate the hardware, etc. So this time a bunch of computer scientists from UCSD, Michigan, and Princeton offered a rebuttal. They completely own the AVC Advantage using no access to source code or design documents (PDF), and deliver a complete working attack in a plug-in cartridge that could be used by anyone with a few private minutes with the machine. Moreover, they came up with some cool tricks to do this on a machine protected against traditional code injection attacks (the AVC processor will only execute instructions from ROM). The research was presented at this week's USENIX EVT."
Or people can listen to a whistleblower who programmed voting machines that easily allowed fraud without a trace.
If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. -Eric Schmidt
Copy/paste, some formatting, no tables. Extra carriage returns (sorry)... "Implementing the gadgets" section stripped off...
Abstract
A secure voting machine design must withstand new attacks devised throughout its multi-decade service lifetime. In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage, whose design dates back to the early 80s. The AVC Advantage was designed with promising security features: its software is stored entirely in read-only memory and the hardware refuses to execute instructions fetched from RAM. Nevertheless, we demonstrate that an attacker can induce the AVC Advantage to misbehave in arbitrary ways--including changing the outcome of an election--by means of a memory cartridge containing a specially-formatted payload. Our attack makes essential use of a recently-invented exploitation technique called return-oriented programming, adapted here to the Z80 processor. In return-oriented programming, short snippets of benign code already present in the system are combined to yield malicious behavior. Our results demonstrate the relevance of recent ideas from systems security to voting machine research, and vice versa. We had no access either to source code or documentation beyond that available on Sequoia's web site. We have created a complete vote-stealing demonstration exploit and verified that it works correctly on the actual hardware.
1 Introduction
A secure voting machine design must withstand not only the attacks known when it is created but also those invented through the design's service lifetime. Because the development, certification, and procurement cycle for voting machines is unusually slow, the service lifetime can be twenty or thirty years. It is unrealistic to hope that any design, however good, will remain secure for so long.¹

In this paper, we give a case study of the long-term security of a voting machine, the Sequoia AVC Advantage. The hardware design of the AVC Advantage dates back to the early 80s; recent variants, whose hardware differs mainly in featuring a daughterboard enabling audio voting for the blind [3], are still used in New Jersey, Louisiana, and elsewhere. We study the 5.00D version (which does not include the daughterboard) in machines decommissioned by Buncombe County, North Carolina, and purchased by Andrew Appel through a government auction site [2].

[Figure: The AVC Advantage voting machine we studied.]

The AVC Advantage appears, in some respects, to offer better security features than many of the other direct-recording electronic (DRE) voting machines that have been studied in recent years. The hardware and software were custom-designed and are specialized for use in a DRE. The entire machine firmware (for version 5.00D) fits on three 64kB EPROMs. The interface to voters lacks the touchscreen and memory card reader common in more recent designs. The software appears to contain fewer memory errors, such as buffer overflows, than some competing systems. Most interestingly, the AVC Advantage motherboard contains circuitry disallowing instruction fetches from RAM, making the AVC Advantage a true Harvard-architecture machine.²

Nevertheless, we demonstrate that the AVC Advantage can be induced to undertake arbitrary, attacker-chosen behavior by means of a memory cartridge containing a specially-formatted payload. An attacker who has access to the machine the night before an election can use our techniques to affect the outcome of an election by replacing the election program with another whose visible behavior is nearly indistinguishable from the legitimate program but that adds, removes, or changes votes as the attacker wishes. Unlike those attacks described in the (contemporaneous, independent) study by Appel et al. [3, 4] that allow arbitrary computation to be induced, our attack
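The mechanism the pasted abstract describes, as an added example that is not part of the paper, the AVC firmware, or the authors' exploit: a toy Harvard-architecture CPU in C with a Z80-flavoured five-instruction set. The opcodes, the memory map (ROM at 0x0000, RAM at 0x8000), the tally addresses and the "firmware" are all constructed for illustration. The core refuses to fetch from RAM, so a payload of injected machine code faults; a payload made only of return addresses into ROM routines, with their operands interleaved, runs those routines' tails as gadgets and swaps two candidates' tallies while every executed byte still comes from ROM. The initial control-flow hijack is abstracted as a RET executed while SP points at attacker-supplied bytes; how the real cartridge payload reaches the stack is not modelled.

```c
/* Toy Harvard-architecture CPU (Z80-flavoured, not a real Z80): instructions are
 * fetched from ROM only, as on the AVC Advantage motherboard. Constructed example;
 * not the AVC firmware and not the paper's exploit. The memory map is assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_SIZE 0x100   /* ROM 0x0000..0x00FF */
#define RAM_BASE 0x8000  /* RAM 0x8000..0x80FF */
#define RAM_SIZE 0x100
#define TALLY0  0x8000   /* constructed RAM layout: two tallies,  */
#define TALLY1  0x8001   /* a scratch byte and the attacker's     */
#define SCRATCH 0x8002   /* payload (where SP will point)         */
#define PAYLOAD 0x8080

enum { HALT = 0, RET = 1, POP_HL = 2, LD_A_HL = 3, LD_HL_A = 4 };
enum { RUN_HALTED = 0, RUN_FAULT_FETCH_FROM_RAM = 1, RUN_FAULT_BAD_ACCESS = 2 };

typedef struct {
    uint8_t  rom[ROM_SIZE];  /* instructions come from here and nowhere else */
    uint8_t  ram[RAM_SIZE];  /* data and stack; never executed */
    uint16_t pc, sp, hl;
    uint8_t  a;
} cpu_t;

/* Benign firmware: two tiny subroutines and a stray RET. Their entry addresses
 * are the gadgets a chain reuses; each ends in RET (0xC9 on a real Z80). */
#define G_HALT      0x00  /* halt */
#define G_POP_LOAD  0x01  /* pop hl ; ld a,(hl) ; ret */
#define G_POP_STORE 0x04  /* pop hl ; ld (hl),a ; ret */
#define ENTRY_RET   0x07  /* a RET executed while SP points at attacker bytes */
static const uint8_t firmware[] = { HALT, POP_HL, LD_A_HL, RET, POP_HL, LD_HL_A, RET, RET };

static uint8_t *ram_ptr(cpu_t *c, uint16_t addr) {  /* data bus reaches RAM only */
    if (addr < RAM_BASE || addr - RAM_BASE >= RAM_SIZE) return NULL;
    return &c->ram[addr - RAM_BASE];
}
static int pop16(cpu_t *c, uint16_t *out) {         /* little-endian, like the Z80 */
    uint8_t *lo = ram_ptr(c, c->sp), *hi = ram_ptr(c, (uint16_t)(c->sp + 1));
    if (!lo || !hi) return 0;
    *out = (uint16_t)(*lo | (*hi << 8));
    c->sp += 2;
    return 1;
}

/* Run until HALT or a fault. The pc < ROM_SIZE test is the whole Harvard defence. */
int run(cpu_t *c, int max_steps) {
    while (max_steps-- > 0) {
        if (c->pc >= ROM_SIZE) return RUN_FAULT_FETCH_FROM_RAM;
        uint8_t op = c->rom[c->pc++], *p;
        switch (op) {
        case HALT:    return RUN_HALTED;
        case RET:     if (!pop16(c, &c->pc)) return RUN_FAULT_BAD_ACCESS; break;
        case POP_HL:  if (!pop16(c, &c->hl)) return RUN_FAULT_BAD_ACCESS; break;
        case LD_A_HL: if (!(p = ram_ptr(c, c->hl))) return RUN_FAULT_BAD_ACCESS; c->a = *p; break;
        case LD_HL_A: if (!(p = ram_ptr(c, c->hl))) return RUN_FAULT_BAD_ACCESS; *p = c->a; break;
        default:      return RUN_FAULT_BAD_ACCESS;
        }
    }
    return RUN_FAULT_BAD_ACCESS;
}

void reset(cpu_t *c, uint8_t votes0, uint8_t votes1) {
    memset(c, 0, sizeof *c);
    memcpy(c->rom, firmware, sizeof firmware);
    c->ram[TALLY0 - RAM_BASE] = votes0;
    c->ram[TALLY1 - RAM_BASE] = votes1;
    c->sp = PAYLOAD;    /* the next pop reads the attacker's bytes */
    c->pc = ENTRY_RET;  /* stand-in for the hijacked return */
}
uint8_t tally(const cpu_t *c, int candidate) { return c->ram[candidate]; }

/* Attack 1: code injection. The return lands on machine code placed in RAM;
 * the fetch check refuses it and the tallies are untouched. */
int attack_inject(cpu_t *c) {
    reset(c, 70, 30);
    c->ram[PAYLOAD - RAM_BASE]     = (PAYLOAD + 2) & 0xFF;  /* ret -> 0x8082 */
    c->ram[PAYLOAD - RAM_BASE + 1] = PAYLOAD >> 8;
    c->ram[PAYLOAD - RAM_BASE + 2] = LD_HL_A;               /* would-be shellcode */
    return run(c, 1000);
}

/* Attack 2: return-oriented. The stack holds only ROM gadget addresses and their
 * operands, so every executed byte is firmware, yet the chain swaps the tallies. */
int attack_rop(cpu_t *c) {
    static const uint16_t chain[] = {
        G_POP_LOAD, TALLY0,  G_POP_STORE, SCRATCH,  /* scratch = tally0  */
        G_POP_LOAD, TALLY1,  G_POP_STORE, TALLY0,   /* tally0  = tally1  */
        G_POP_LOAD, SCRATCH, G_POP_STORE, TALLY1,   /* tally1  = scratch */
        G_HALT,
    };
    reset(c, 70, 30);
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        c->ram[PAYLOAD - RAM_BASE + 2 * i]     = chain[i] & 0xFF;
        c->ram[PAYLOAD - RAM_BASE + 2 * i + 1] = chain[i] >> 8;
    }
    return run(c, 1000);
}

int main(void) {
    cpu_t c;
    int s = attack_inject(&c); printf("inject: status %d, tallies %u/%u\n", s, tally(&c, 0), tally(&c, 1));
    s = attack_rop(&c);        printf("rop:    status %d, tallies %u/%u\n", s, tally(&c, 0), tally(&c, 1));
    return 0;
}
```

Compiled with any C99 compiler, the injection attempt ends in RUN_FAULT_FETCH_FROM_RAM with the 70/30 tallies untouched, while the chain halts cleanly with the tallies at 30/70. The point the toy makes is the paper's: a no-execute rule on RAM constrains where instructions come from, not what the control flow does, so the defence has to keep attacker bytes out of the stack (or validate the cartridge contents before the firmware processes them) rather than rely on the fetch restriction.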
The only problem with this is that you aren't going to get a few "private minutes" with the machine and that any competent election authority is going to seal the machine with tamper-evident seals.
I've worked as an elections inspector (poll worker) in the state of New York for the last five years. Every aspect of the machine (both the old style lever machines and the new optical scanning machines) that could be tampered with is sealed with numbered tamper-evident devices. If the numbers on the seals don't match up with the records retained by the Board of Elections then you know the machine has been tampered with. This isn't rocket science, people.
Our new machines go even further than that. They both retain the actual ballots themselves in a locked ballot box and retain a scanned image of those ballots on a memory card. The memory card is removed from the machine at the end of the election and hand delivered to the Board of Elections. It is designed to serve as a backup in the event that the machine is destroyed (i.e., building burns down) and the ballots are lost. The ballots themselves are only scanned by the machine and not marked in any way. In the event of an issue with the machine there is nothing stopping you from counting each ballot by hand with the Mark I human eyeball.
If you can find a way to rig an election in the State of New York then I'd be real interested in knowing about it. I've worked behind the scenes here for a long time and I haven't seen any vulnerabilities in the system. The only voting technology that I'd be concerned about is DRE (direct electronic record) -- but thankfully my state wasn't stupid enough to go that route.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
From TFA:
"The attacker does not need to remove any tamper-evident seals; in particular, he does not need to remove the circuit-board cover."
(CAPTCHA: counted)
I make no claim, one way or the other, about the presence or absence of American electoral fraud; but your point doesn't really follow. Fraud isn't a binary condition (well, in the strictest sense it is; but in a practical sense it isn't). A perfect fraudster could dictate the outcome of every vote cast, without outcry. A wholly impotent fraudster could dictate the outcome of zero votes cast. Actual frauds are somewhere in the middle. If, say, you can manage a 5% nudge without drawing excessive attention, your party will win more than it deserves (probably substantially so, given the fairly low margins by which elections are often won); but a really bad electoral cycle would be beyond your power to change.
The absence of perfect fraud does not indicate the absence of fraud.