Page 1

Security Evaluation of the Sequoia Voting System

Sandhya Jognipalli

Page 2

Outline

o Introduction

o Overview of Sequoia Voting System

o Known Issues

o Findings

o Attack Scenarios

o Conclusions

Page 3

Introduction

o The use of computers in performing voting and tallying introduces serious concerns about the integrity and confidentiality of the voting process

o Testing assumes two classes of threats:

o Insiders

o Outsiders

o System security depends upon proper application of procedures, so the evaluation also checks the consequences of any failure to follow procedures

Page 4

System Overview

o The Sequoia voting system collects votes in three ways: touchscreen machines, paper ballots scanned at polling places, and paper ballots scanned at election offices

o WinEDS, version 3.1.012

o AVC Edge Model I, firmware version 5.0.24

o AVC Edge Model II, firmware version 5.0.24

o VeriVote Printer

o Optech 400-C/WinETP, firmware version 1.12.4

o Optech Insight, APX K2.10, HPX K1.42

o Optech Insight Plus, APX K2.10, HPX K1.42

o Card Activator, version 5.0.21

o HAAT Model 50, version 1.0.69L

o MemoryPack Receiver (MPR), firmware version 2.15

o Various removable media:

o Results Cartridges

o USB flash drives

o Voter SmartCards

o MemoryPacks

Page 5

[Figure: data flow between the polling place and the election office. Components shown: Card Activator, HAAT, Edge, Insight, MemoryPack Receiver, Optech 400-C, WinEDS. Media carried between them: Voter Card, cartridge, MemoryPack, floppy disk, USB stick, paper ballot. Labelled regions: Polling place, Election Office.]

Page 6

WinEDS

o WinEDS is the Election Database System

o WinEDS is a software program that runs on Windows PCs for entering, editing, collecting, and reporting on election information stored in a Microsoft SQL Server database

o Multiple computers running WinEDS all access a common database over a network on a computer running Microsoft SQL Server

Page 7

WinEDS on a network

[Figure: an Election Office Network with one host running Microsoft SQL Server and several WinEDS workstations; two further hosts on the network are marked only with "?".]

Page 8

HAAT

o HAAT (Hybrid Activator, Accumulator and Transmitter) is a portable, shoe-box sized device, used primarily to activate Voter Cards used by the Edge DRE

o HAAT and Card Activator are devices used in polling places

Page 9

Card Activator

o The Card Activator (CA) is a component of the AVC Edge, and serves as the voter’s access to the AVC Edge direct-record electronic touch-screen voting system

o A CA is used in place of the HAAT. The Card Activator is similar in size and shape to the HAAT

Page 10

AVC Edge

o The Edge is a stand-alone Direct Recording Electronic (DRE) voting machine

o Edge is a touchscreen voting machine, accompanied by a Voter-Verified Paper Audit Trail (VVPAT) printer which provides a paper record of the vote for review by the voter

Page 11

Optech 400-C

o Optech 400-C is a machine for quickly scanning large stacks of paper ballots at an election office

Page 12

Optech Insight and Insight plus

o The Insight and Insight Plus are precinct-based optical scanners installed on top of a ballot box at polling places

Page 13

MemoryPack Receiver (MPR)

o MemoryPack Receiver is a device for reading and writing MemoryPacks

Page 14

Removable Media

o SmartCards are simple, memory-constrained devices utilized as hardware tokens

o Authenticate a voter to an AVC Edge

o Authorize the voter to cast a single ballot

o Cartridges are used to carry election information and cast ballot records between WinEDS and the Edges

o MemoryPacks are used to carry ballot information and vote counts between WinEDS and the Insights

o Floppy disks are used to carry ballot information and vote counts between WinEDS and the Optech 400-Cs

o USB flash drives are used to transfer an election definition from WinEDS to a HAAT

Page 15

Lines of code & languages in the Sequoia source code

Component (version)                  Language          Code only   Code and comments
WinEDS (WinEDS 3.1)                  C                      1038                1594
                                     C++                  121640              228765
                                     PowerBuilder         230027              355502
                                     SQL                   86222              114249
                                     Visual Basic          10260               16772
Edge (AVC Edge 5.0.24)               C                    124043              212731
                                     x86 assembly          99521              124657
VeriVote (VVPAT 4.3)                 PIC assembly            245                 353
ADA Audio Board 5.0                  C                      1328                1956
Card Activator (Card Activator 5.0)  C                      8907               14238
HAAT 50 (HAAT 1.0.69L)               8051 assembly          5368                5891
                                     C                       535                 963
                                     C++                    2886                5640
                                     C#                    38648              120246
Insight (HPX 1.42, APX 2.10)         Z80 assembly          24405               46452
MemoryPack Receiver (MPR 2.15)       Z80 assembly           5679                9714
Optech 400-C (WinETP 1.12.4)         C                       561                1007
                                     C++                   45361               83229
                                     x86 assembly            273                 612
Total                                                     806947             1344571

Page 16

Known Issues

o The Electronic Frontier Foundation (EFF) published a list of known problems

o The Alameda County Evaluation

o Multiple votes attack

o The Sequoia voting system was evaluated by Pacific Design Engineering for Alameda County and the problems found by them can be summarized as follows:

o WinEDS and the other servers send passwords unencrypted, in clear text, when communicating

o The Edge uses constant hashes and DES encryption keys that can be discovered if somebody has physical access to a machine

Page 17

Continuation…

o The Edge’s memory cartridge results are not bound together cryptographically, and therefore the content of one cartridge could be copied onto another

o The WinEDS system uses Windows and therefore inherits the vulnerabilities associated with that operating system

o Multiple Votes Attack:

o An attack enabling a voter to vote multiple times without the need for an activated SmartCard has been reported

Page 18

Findings

o Some important security issues:

o Arbitrary Code Execution: An attacker can overwrite the AVC Edge firmware with a malicious version

o The development of the exploit was made easier because the Edge runs a proprietary OS

o File Overwriting: The AVC Edge firmware is vulnerable to a directory traversal attack that can name, and therefore overwrite, the files containing the boot loader and the system firmware

o Accuracy Testing Mode Detection: In the case of the Edge, the pre-election correctness test is performed by switching the machine to a specific "Logic and Accuracy Test" (LAT) mode, so malicious firmware can detect that it is being tested and behave correctly only while in that mode

o Execution of Modified Firmware: There is no way to determine which version of the firmware is actually running on an Edge device, so modified firmware cannot be told apart from the certified version

Page 19

Continuation…

o Availability of an Interpreter in Violation of Guidelines: The Edge firmware was discovered to include a shell-like scripting language interpreter

o This language includes, among others, several interesting commands:

o A command to set the protective counter of the machine, which was described by the Sequoia representatives as tamper-proof

o A command to set the machine’s serial number

o A command that can be used to overwrite arbitrary files on the internal compact flash drive, including the system firmware or audit trail

o Commands to reboot the machine at will

o Arbitrary Directory Creation Through Traversal Attack: The AVC Edge voting machine ballot loading logic is vulnerable to a directory traversal attack that leads to a denial of service
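The two directory traversal findings on this page (File Overwriting and Arbitrary Directory Creation) come down to one missing check: a file name taken from removable media is used as given to build a path on the Edge's internal flash, so a name containing ".." reaches the boot loader, the system firmware or the audit trail. The Python below is an added example written for this page, not Sequoia firmware and not code from the evaluation; it contrasts the naive join with a confinement check, using a hypothetical ballot directory /ballots and constructed sample names.

```python
# Added example (not Sequoia code): confining a file name supplied by a
# cartridge to the ballot directory, the check the Edge's file-loading
# logic lacked. Directory and names below are constructed for the demo.
import posixpath

BALLOT_ROOT = "/ballots"   # hypothetical ballot directory on the Edge's internal flash


class TraversalError(ValueError):
    """A name supplied by removable media tried to escape the ballot directory."""


def vulnerable_join(root, name):
    """The pattern the finding describes: trust the name and concatenate.

    Returns the path the filesystem would actually open once '..' is
    resolved, e.g. '../firmware/boot.bin' -> '/firmware/boot.bin'.
    """
    return posixpath.normpath(root + "/" + name)


def safe_join(root, name):
    """Return root/name, or raise TraversalError if the result leaves root.

    The checks are purely lexical (no symlink resolution), which suits a flat
    flash filesystem; on a host OS also compare os.path.realpath of both sides.
    """
    if not isinstance(name, str) or not name or "\x00" in name:
        raise TraversalError("empty or malformed name")
    normalized = name.replace("\\", "/")          # treat either separator as a separator
    if normalized.startswith("/"):
        raise TraversalError("absolute path not allowed: %r" % name)
    if any(part == ".." for part in normalized.split("/")):
        raise TraversalError("parent directory reference: %r" % name)
    candidate = posixpath.normpath(posixpath.join(root, normalized))
    prefix = posixpath.normpath(root).rstrip("/") + "/"
    if not candidate.startswith(prefix):         # re-check the final result as well
        raise TraversalError("escapes %s: %r" % (root, name))
    return candidate


def load_ballot_file_names(names):
    """Split cartridge-supplied names into (accepted paths, rejected (name, reason) pairs)."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_join(BALLOT_ROOT, name))
        except TraversalError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed sample: names as they might appear in a cartridge's ballot definition.
SAMPLE_NAMES = [
    "precinct12/ballot.def",
    "./audio/contest1.wav",
    "../firmware/boot.bin",
    "..\\..\\firmware\\system.bin",
    "/firmware/system.bin",
    "audio/../../audit/log.txt",
]

if __name__ == "__main__":
    print("naive join resolves '../firmware/boot.bin' to",
          vulnerable_join(BALLOT_ROOT, "../firmware/boot.bin"))
    accepted, rejected = load_ballot_file_names(SAMPLE_NAMES)
    for path in accepted:
        print("accepted:", path)
    for name, reason in rejected:
        print("rejected:", name, "->", reason)
```

The absolute-path case matters as much as "..": posixpath.join (like most path APIs) discards the root entirely when the second argument starts with "/", so a check that only looks for ".." still lets "/firmware/system.bin" through. Rejecting "..", rejecting absolute names, and then re-checking the normalized result against the root prefix are three independent guards; any one of them failing closed is enough.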

Page 20

Continuation…

o Automatic Execution of Code: The WinEDS host operating system provided and configured by Sequoia is configured so that it will execute an “autorun” file whenever removable media is inserted

o Security of the MS SQL Server: In the documentation, it is stated that: "WinEDS currently does NOT utilize code outside of MS SQL Server and no connections or permissions are required on the server. The election data stored on the server can only be modified by authorized users only through the application." Attack Scenario 7 below shows that a workstation user is in fact connected directly to the server

o Votes Encrypted Using Static Key: The contents of the Results Cartridge are encrypted with a static key but are not protected by any cryptographic signature, so they can easily be modified

Page 21

Continuation…

o Possible Unsafe OS Choices: The WinEDS documentation states that Windows 98 could be used for the WinEDS client machine

o Such Windows versions provide no user-level security

o Physical Security: Serious concerns about the physical security of the different hardware components

o Reversible Password Hash: The password stored on the update cartridge is not stored as a one-way password hash, so it can be recovered from the cartridge

o Forging Update Cards and Voter Cards: Voter SmartCards can be forged because the SmartCards are DES-encrypted using a static key
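Three findings on this page share a root cause: Results Cartridge contents (page 17 and "Votes Encrypted Using Static Key") and Voter SmartCards ("Forging Update Cards and Voter Cards") are protected, if at all, by DES under a static key and carry no cryptographic binding to the device or election they belong to, so a record can be copied from one cartridge to another and cards can be minted at will once the key is known. The Python below is an added example for this page, not Sequoia's cartridge format and not code from the evaluation; it shows one way to bind a results record to an election identifier and to the cartridge's own serial number with a per-cartridge HMAC-SHA256 key, and runs the copy, relabel and tamper attacks against it. The election key, election identifier, serial numbers and tallies are all constructed for the demonstration.

```python
# Added example (not Sequoia code): binding a results record to one election
# and one cartridge with an HMAC, so a record copied onto another cartridge,
# relabelled, or edited fails verification. All values are constructed.
import hashlib
import hmac
import json

# Constructed demo key. In a deployment this would be generated per election and
# provisioned to WinEDS and the Edges, never a constant shared by every unit.
ELECTION_KEY = hashlib.sha256(b"constructed demo election key - not a real secret").digest()


def derive_cartridge_key(election_key, election_id, cartridge_serial):
    """Per-cartridge MAC key = HMAC(election_key, election_id || 0x00 || serial).

    If one cartridge's key is recovered (the page notes keys can be found with
    physical access), it still forges nothing for other cartridges or elections.
    """
    msg = election_id.encode() + b"\x00" + cartridge_serial.encode()
    return hmac.new(election_key, msg, hashlib.sha256).digest()


def _canonical(record):
    # Deterministic encoding so writer and verifier MAC exactly the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_results(election_key, election_id, cartridge_serial, tallies):
    """Produce the record an Edge would write onto a Results Cartridge."""
    record = {
        "election_id": election_id,
        "cartridge_serial": cartridge_serial,
        "tallies": dict(tallies),
    }
    key = derive_cartridge_key(election_key, election_id, cartridge_serial)
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_results(election_key, expected_election_id, physical_serial, sealed):
    """Check a sealed record as WinEDS would when the cartridge is read.

    physical_serial is the serial read from the cartridge hardware, not the one
    the record claims, so a record copied onto another cartridge is rejected
    even before the MAC is checked.
    """
    record = sealed.get("record", {})
    if record.get("election_id") != expected_election_id:
        return False, "record belongs to a different election"
    if record.get("cartridge_serial") != physical_serial:
        return False, "record was written for a different cartridge"
    key = derive_cartridge_key(election_key, expected_election_id, physical_serial)
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(sealed.get("tag", ""))):
        return False, "tag mismatch: contents altered or sealed under another key"
    return True, "ok"


def demo():
    """Run the attacks the findings describe and return whether each is accepted."""
    election = "2007-11-06"                      # constructed election identifier
    sealed = seal_results(ELECTION_KEY, election, "CART-0001", {"Alice": 120, "Bob": 98})

    copied = json.loads(json.dumps(sealed))      # page 17: copy one cartridge onto another

    relabelled = json.loads(json.dumps(sealed))  # same copy, serial inside the record rewritten
    relabelled["record"]["cartridge_serial"] = "CART-0002"

    tampered = json.loads(json.dumps(sealed))    # tallies edited on the original cartridge
    tampered["record"]["tallies"]["Bob"] = 198

    return {
        "valid": verify_results(ELECTION_KEY, election, "CART-0001", sealed)[0],
        "copied_to_other_cartridge": verify_results(ELECTION_KEY, election, "CART-0002", copied)[0],
        "relabelled": verify_results(ELECTION_KEY, election, "CART-0002", relabelled)[0],
        "tampered": verify_results(ELECTION_KEY, election, "CART-0001", tampered)[0],
        "other_election": verify_results(ELECTION_KEY, "2008-02-05", "CART-0001", sealed)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} accepted={accepted}")
```

Two caveats a practitioner should keep in mind. An HMAC is symmetric, so whoever holds the election key (WinEDS itself) can still forge a record; if the threat model includes a compromised election office, the Edge needs its own signing key and WinEDS verifies with the public key. And the page's finding that keys can be recovered with physical access still applies to whatever key the Edge stores; deriving a distinct key per cartridge and election does not prevent that recovery, it only limits what a recovered key is good for. The same binding applies to Voter SmartCards: a card that carries a MAC over its own serial and the election identifier cannot be cloned onto another card or replayed in another election, which closes the multiple-vote path Attack Scenario 6 relies on.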

Page 22

Successful Attack Scenarios

o Attack Scenario 1: An attacker drops a USB flash drive in the pool of USB drives used to initialize the HAAT systems

o When the drive is inserted in the computer on which WinEDS is running, its autorun file executes and compromises the WinEDS host

o A cartridge prepared by the compromised WinEDS is inserted in an Edge machine to load the ballots, and malicious firmware is installed on the Edge

o The malicious firmware modifies the ballot to give advantage to a certain candidate

o Attack Scenario 2: The malicious firmware takes advantage of "fleeing" voters, who leave the booth without casting their ballot

o The poll worker who completes the ballot has no access to its content

o The firmware records a modified vote

Page 23

Continuation…

o Attack Scenario 3: In this case the firmware prints a copy of the voter's actual choices on the paper record

o The firmware then displays "Please Wait, Recording Vote" for a few seconds

o It displays "Thank you" and the vote is recorded, but the machine prints "VOIDED" on the paper record

o Attack Scenario 4: After the machine prints "VOIDED", instead of jumping back to the ballot, it completes the voting process by casting a modified vote

o Attack Scenario 5: An attacker replaces the Edge's internal compact flash card with one containing a malicious firmware

Page 24

Continuation…

o Attack Scenario 6: The attacker obtains access to the static key used to encrypt the voter cards

o Creates a number of valid voter cards to vote multiple times

o Attack Scenario 7: A user with access to election functionality on a WinEDS workstation is connected directly to the MS SQL Server running on a separate WinEDS server machine

o The attacker transfers a malicious program to the database and installs the program on the WinEDS server

o The installed program can be left on the machine as a Trojan

Page 25

Potential Attack Scenarios

o Attack Scenario 8: An authorized user gets access to a 400-C machine

o Reboots the PC with a bootable CD containing a different OS

o The attacker then installs a Trojan application on the Windows system installed on the PC

o The Trojan then starts modifying the votes

o It is possible to hide the malicious behavior from the LAT procedures

Page 26

Conclusion

o Vulnerabilities could be exploited by a determined attacker to modify the results of an election

o No knowledge of the source code was required: the implementation of the attacks did not require access to the source code