Friday, July 27, 2007
Bowen's Red Team Compromises Each Voting System Tested
The big announcements will be next Friday, August 3, when California Secretary of State Debra Bowen will reveal decisions on certifications for the various "election machines" used in CA. She is holding a public comment session in Sacramento on Monday, and today issued a press release called "Independent Computer Expert Teams Release Findings in Top-to-Bottom Voting System Review Ordered by Secretary of State Debra Bowen." On the Secretary's website, this page has links to various different reports within the overall review. There are separate reports on the testing of Sequoia, Hart Intercivic, and Diebold, which is the only one I've read so far because it applies here in Humboldt County. The headline of this blog post says it all. I think this report is going to be as important as such landmark documents as the Hursti Hacks, and the Berkeley VSTAAB Report. Here are just a few assorted excerpts from the 17-page Diebold report:page 10
Our study was constrained by the short time allowed. The vulnerabilities identified in this report should be regarded as a minimal set of vulnerabilities. (emphasis in original)
...
still page 10
The GEMS server is on a local area network (LAN) with other Diebold components, and this LAN is supposed to be isolated. However, even Diebold documentation reports that this requirement is not always met. Therefore, attacks via Ethernet against the GEMS server could reasonably be executed by personnel with physical access to the networking components (hubs/switches) in the isolated LAN or— if the Diebold LAN were intentionally or unintentionally connected to a public internet connection—by remote attackersa. Windows Vulnerabilities
The Red Team performed vulnerability scans against the GEMS server. The results identified multiple vulnerabilities; primarily, these vulnerabilities existed because the Windows 2000 server (configured by the Diebold technicians) was not properly patched3. After noting these vulnerabilities, the Red Team was able to download an exploit from a free public repository of well-known and documented exploits. This exploit gave the Red Team access of a Windows Administrator on the GEMS server.3 Even if the Red Team had been expected to make other system configuration changes in order to make the GEMS server consistent with Diebold configuration documents, it would have been highly unreasonable for Diebold to expect the Red Team to patch Windows 2000 Server.
Additionally, the Red Team noted that most standard Windows logging capabilities were either disabled or enabled in very limited states in the configuration provided by Diebold. This means that most malicious actions taken by attackers would not be traceable. More detail on the auditing configuration of this system is available in the report prepared by the 2007 TTBR Diebold Documentation Review Team.
Finally, the Red Team uncovered evidence that Diebold technicians created a remotely-accessible Windows account that, by default configuration (according to the Diebold documentation), can be accessed without the need to supply a password. There is evidence to suggest that this account is intended to be used by TSx units for dial-in access at the close of polls on Election Day, but the documentation for election officials never mentions this particular account by name. An attentive system administrator would notice the account. However, the responsibility should not be on election officials to discover remotely-accessible Windows accounts and act appropriately to ensure those accounts are not inappropriately accessed. Devices, as delivered to customers, should only have accounts that are well-documented and remote access that is necessary for the needs of the particular county. Undocumented remotely-accessible logins are contrary to generally-accepted security practices.
b. GEMS Databases
The Red Team used Windows Administrator access on the GEMS server to manipulate and corrupt GEMS databases. These actions could result in manipulated vote totals or in the inability to read previously-generated ballot definitions if no valid database backups were available (whether because the backups were not made or because the backups had also been corrupted). On election night, the inability to read results from the deployed TSx and AV-OS devices could render an election impossible to complete electronically. In this case, a hand count of paper ballots and VVPAT records would be the only option for deducing the intent of the voters who turned out on Election Day.
c. GEMS Audit Logs
The Red Team found methods for executing actions from within the GEMS server that could not be tracked by the GEMS audit logs, allowing malicious GEMS users to conceal actions they had taken while logged in. Additionally, the Red Team noted that one of the standard functions offered by GEMS is the ability for a GEMS administrative user to change the username of her account. This is a non-standard computing practice, and it could potentially be used by a rogue administrator to implicate another GEMS user (i.e. other elections personnel).
...
page 12
2. GEMS Server Networking Components
Using information gained from access obtained as the Windows Administrator user, the Red Team was able to guess the authentication credentials for the networking hardware supplied by Diebold, and gain root access on these devices. These root accesses would provide sufficient access for an attacker to manipulate every setting on the networking devices and on the server. Additionally, the Red Team was able to use this access on the GEMS server to install the drivers for a USB wireless dongle. This small device was then planted on the back of the server, ensuring remote access to the GEMS server even
3 Precinct Count AV-OS
The Red Team was able to verify the findings of some previous studies on the AV-OS unit; the impact of these was to alter vote totals in order to change the vote results on that machine.
Everything about GEMS and the AV-OS applies to Humboldt County. There are a few items worth noting for the TSx touch screen machines used in other parts of the state.page 12
Well there you have it. Really nothing too surprising if you've been paying attention at all in the past several years. What is Bowen going to do? It seems unlikely she will compel the entire state to hand-count paper ballots, yet where is there room to compromise with the continued use of these so-called "election machines"?
4. TSx
a. TSx: Physical Security
The Red Team was able to violate the physical security of every aspect of the TSx unit, using only tools that could be found in a typical office. This guaranteed the access necessary to execute physical and electronic attacks.
b. TSx: Malware
The team verified previous findings regarding multiple avenues for overwriting system firmware and software as well as for the introduction of malware that would affect the current software. These avenues, when exploited, are a platform for altering vote totals to potentially change the outcome of an election. They could also be leveraged to violate voter privacy4 or enact a denial of service on affected devices.
Of potentially greater concern, the introduction of malware into a TSx unit could spread virally into the GEMS server via format string errors in the GEMS software as identified by the team. TSx units use PCMCIA cards to store and transport election definitions and vote totals. When those vote totals are communicated back to the GEMS server (either by physical transfer of the PCMCIA card into a TSx unit connected directly to the server’s LAN or over a dial-in connection), an exploited TSx could virally infect the GEMS server. Future TSx and AV-OS units connected to the GEMS server could likewise be infected as ballot definition files are transferred via serial or Ethernet connection.
...
page 14
g. TSx: PCMCIA card
The Red Team verified the results of other studies, which found that modifications to the contents of the PCMCIA card could affect the accuracy of vote totals.
...
page 17
VI. Conclusions
Although the Red Team did not have time to finish exploits for all of the vulnerabilities we discovered, nor to provide a complete evaluation of the Diebold GEMS 1.18.24/AccuVote system, we were able to discover attacks for the Diebold system that could compromise the accuracy, secrecy, and availability of the voting systems and their auditing mechanisms. That is, the Red Team has developed exploits that – absent procedural mitigation strategies – can alter vote totals, violate the privacy of individual voters, make systems unavailable, and delete audit trails.
By the way, San Francisco is one place that may already be closer to hand-counting than most people realize. Guest blogger Jane Allen has that story very shortly.
Permalink:
http://wedonotconsent.blogspot.com/2007/07/bowens-red-team-compromises-each-voting.html
Labels: Berkeley, Debra Bowen, Diebold, Hart Intercivic, Hursti, Red Team, Sequoia, VSTAAB
Read or Post a Comment
<< Home