Three E-Voting Systems Susceptible to Attack, California Team Finds
A report released this morning by the University of California, Davis, which was contracted by the State to investigate the security integrity of three brands of electronic voting machines which the State uses, concludes that all three are susceptible to compromise and tampering, using any number of tools including Trojan Horse programs and simple screwdrivers.
The final report, written by principal investigator Matt Bishop, took great pains to avoid condemning the three manufacturers whose devices were tested. In fact, it went out of its way to be fair, at one point stating that in many cases the integrity of the voting machines' software may only be as strong as that of the underlying operating system - which, in all three cases, was Windows.
"As Windows is known to be vulnerable to many forms of attack," Bishop writes, "vendors should ensure that the underlying Windows system is locked down sufficiently to counter these threats. If an attacker can gain privileged access to the underlying operating system, they can control the election management system."
That said, the biggest vulnerability any of these systems could possibly face is the overwriting of their firmware, through a Trojan file or other means; and in all three cases, UC's "red teams" were able to accomplish this.
But the relative degree of cooperation between the red teams and the manufacturers - which the report and its three test-specific supplements indicate was not all that great - may raise questions as to whether the teams' experiences and those of actual customers would be similar. Manufacturers may have been reluctant to cooperate fully with red teams, under the theory that "hackers" may not themselves enjoy a similar level of access. Of course, that presumes that those seeking to actually break into a voting system to rig an election, and those who run the election, are in all cases different people.
Nonetheless, one UC red team discovered their supposedly new Diebold GEMS/AccuVote system, which is managed by a Dell server, was shipped with Windows 2000 as its operating system - and an unpatched version, at that. "After noting these vulnerabilities, the Red Team was able to download an exploit from a free public repository of well-known and documented exploits," reads the Diebold red team's report. "This exploit gave the Red Team access of a Windows Administrator on the GEMS server."
What's more, patches and logging utilities that were shipped with the GEMS server were either not activated or were running in a limited capacity. If actual customers received a system with a similar installation, the team noted, actions taken by malicious users would not be traceable. The implication is that even if those mitigation features were activated, it may be a trivial matter for someone with access to the administrative software to turn them off.
A close examination of Diebold's GEMS server revealed evidence that the company's own programmers created their own password bypass mechanism - a way to attain a Windows account with privileges without supplying a password. Theoretically, this is how a central management system calls up remote servers at the end of election day to acquire their final tallies.
In one of the team's brief moments of conclusive advice, it writes, "The responsibility should not be on election officials to discover remotely-accessible Windows accounts and act appropriately to ensure those accounts are not inappropriately accessed."
Last year, Diebold's TSx voting systems were the subject of a Princeton University study that revealed malicious software could be injected into the systems by means of an ordinary memory card. Breaking the seals to gain access to the memory card slot was child's play, that study found; and the UC Davis team came to a similar conclusion.
"The Red Team was able to violate the physical security of every aspect of the TSx unit, using only tools that could be found in a typical office," reads its report. "This guaranteed the access necessary to execute physical and electronic attacks. The team was also able to jam the locks, which would not only provide evidence of election tampering (the effects of which are unclear and would depend on county procedures) but which could also potentially render devices inoperable for future elections, let alone for the retrieval of election data already loaded on the device at the time of attack."
The Hart InterCivic Election Management System gives its customers the freedom to install any version of Windows on its server, and deploy its management software there. But that freedom gives administrators the ability to deploy older, potentially more vulnerable versions of Windows, noted the red team testing the Hart system. Its report conceded it was unable to test the integrity of a preferred Windows installation for the InterCivic software, citing that there didn't actually appear to be one.
"The fact that Hart does not specify how the underlying operating system should be configured means that county configurations are unpredictable and are likely to vary," writes the Hart red team. "The team does not assume that customers will harden their systems appropriately, nor that Hart EMS servers will be free of vulnerabilities - even well-known or easily exploited vulnerabilities."
A red team from UC Santa Barbara examined the Sequoia Voting System, and it, too, found ordinary hand tools sufficient. "The testers were able to gain access to the internals of the systems," writes Matt Bishop, "by, for example, unscrewing screws to bypass locks. The screws were not protected by seals. Similarly, plastic covers that were protected by seals could be pried open enough to insert tools that could manipulate the protected buttons without damaging the seals or leaving any evidence that the security of the system had been compromised."
The Santa Barbara team uncovered what appeared to be evidence that Sequoia's security hardening consisted in large part of a customer relations campaign to allay fears that tampering would be a problem. It cited Sequoia literature that actually explained to customers that since its software doesn't access any other libraries besides Microsoft SQL Server, no one else could possibly have remote or unauthorized access to its SQL Server database. That whole notion is fundamentally flawed, the Sequoia red team pointed out, adding that it was able to execute arbitrary commands on the Sequoia database using ordinary SQL Server queries.
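The argument the red team rejected - that an application which talks only to SQL Server cannot be abused to reach anything else - fails because SQL Server itself can expose the host to whoever can run queries, and an over-privileged application login can enable that. The following T-SQL is an added hardening audit written for this article, not a query set from the UC report or from Sequoia; it assumes a SQL Server 2012 or later instance, an application login named `election_app` and a database named `ElectionDB`, all of which are placeholders.

```sql
-- Added example: audit and harden the SQL Server behind an election management
-- database. 'election_app' and 'ElectionDB' are placeholder names (assumed).

-- 1. Server-level features that let a query reach the host operating system.
--    On a locked-down server each of these should report value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');

-- 2. Turn them off if they are on (requires sysadmin; effective immediately).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- 3. The application login must not hold a fixed server role such as sysadmin;
--    this query should return no rows for 'election_app'.
SELECT sp.name AS login_name, r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals AS sp ON rm.member_principal_id = sp.principal_id
WHERE sp.name = 'election_app';

-- 4. Inside the election database, grant only the data access the software needs.
USE ElectionDB;
CREATE USER election_app FOR LOGIN election_app;
ALTER ROLE db_datareader ADD MEMBER election_app;
ALTER ROLE db_datawriter ADD MEMBER election_app;
```

Run the two SELECT statements as a periodic check rather than once: a configuration flag that an administrator (or anyone holding the application's credentials) can flip back on is exactly the kind of silently reversible control the report warns about elsewhere, so the audit output belongs in a log that the database server's own users cannot edit.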
Like the Hart system, Sequoia leaves the choice of Windows version installation to its customers, particularly for its client-side voting systems. Sequoia's documentation recommends Windows 98 and Windows ME, probably for lower profiles or less expensive, older equipment. "This is a problem," writes the Sequoia red team, "because those Windows versions provide no user-level security."
The final report for the California Secretary of State paints a picture of a trio of information systems whose security integrity is either fragile or non-existent. In some cases, it seems to indicate that the job of reinforcing security may have, for at least one manufacturer, been assigned to its public relations department.
But the report also gives the manufacturers an unexpected line of defense: They can claim they had reason not to cooperate with these tests, so the teams' complaints that they had little to work with or were pinched for time may be invalid - as a malicious user may be faced with similar circumstances. They can also pass on responsibility for vulnerabilities to Microsoft, whose own operating system security (especially the older versions) is publicly known to be woefully inadequate.
The fact that, with incomplete information and limited time, reasonably skillful researchers were able to craft malware that overwrote the system firmware of three brands of voting machines, and compromise their servers as well, will not sit well with election reformers. Suddenly "hanging chads" doesn't seem to have been that much of a problem.