[E-voting] Hursti II - Supplemental Report with additional security vulnerabilities

Catherine Ansbro cansbro at eircom.net
Tue May 23 22:23:59 IST 2006

On May 11, 2006 the Black Box Voting "Hursti II" report was released, 
showing devastating security flaws in the Diebold touchscreen machines. 
This study has now been covered by Newsweek and the New York Times.

A small supplemental report was issued today pointing out additional 
concerns and high priority areas for further study.

The supplemental study can be found here:
(many photographs, allow time for download)

1. Flash memory erasure:

There seems to be a memory card-triggered feature to erase the contents 
of flash memory. This destructive function was started in the TS6 with 
the file [redacted], and there are indications that the feature is 
carried over to the TSx with trigger file [redacted], if it is found on 
the memory card. This feature was not tested in Emery County and should 
be examined further.

2. Further study needed on macros:

TS6 and TSx machines have as built-in features new kinds of macro 
capabilities. These capabilities make use of a simplistic Windows Window 
Manager Message recording and play function. Presumably the feature has 
been designed for automation of volume testing. If this is the case it 
is important to understand that this approach bypasses part of the 
system and therefore is by no means equal to end-to-end testing. There 
are a number of concerns around this feature functionality warranting 
further studies.

- The files are stored on the removable memory card as unprotected 
plain-text files. There are no protection mechanisms against 
modifications to these files.

- Are the WM_message filters adequate?

- Is the processing function secure against buffer overflow / boundary 
overflow attacks and/or string format attacks?

- Are the message parameters passed back to windows boundary checked, is 
there proper exception handling in place?

Creation and access to the macros is available with poll worker level 
access, under some circumstances even without any smart card 

In preliminary testing the following issues were identified :

- The macro is not contained in the user interface logic. Because of 
this, the macro can access settings, changing the telephone number / ip 
address and initiating calls.

- Two machines with completely identical software release numbers had 
different behavior with the same macro. Machine A just had a software 
crash and become unstable, while machine B produced an error message on 
the system log and contained the error while still resulting in loss of 
software functionalities. There were also other examples of different, 
but reproducible, software behaviors between machines with both modified 
and unmodified macros.

- File handle processing seems to be flawed and interrupted by exception 
macro processing, producing open file handles.

- There seem to be user interface race conditions, which can not be 
triggered by human interaction with the machine, but are revealed by no 
delay playback of the human actions, i.e. unmodified macros.

(See photos in report)

3. Back door

The TS6 is likely to have an additional back door for accessing windows, 
though this could not tested in Emery County – also it is unknown if any 
of this in any form has been carried over to TSx. Further source code 
analysis of the well-known "CVS.TAR" file1, which contains source code 
for the TS6 and has been widely used in touch-screen system security 
studies, has revealed this feature.

The fact that this backdoor has not been published before underlines the 
fact that source code reviews performed this far have been not conclusive.

The start-up program for the ballot station is looking for the existence 
of [redacted] on the memory card. The file itself can be empty, because 
the found file, based on the name alone, is a trigger for alternative 
execution of a general purpose file management utility program instead 
of the ballot station, therefore enabling access to Operating System. 
This back door has also been documented in [redacted]:


4. Automatic deletion of files, including election file-extension files:

In case the memory card is full, the system will, without any 
interaction with the user, start to delete files from the card to free 
up memory. This deletion will also take out files with election file 
extensions from the election subdirectory. There is no way to verify 
which logic the system follows when choosing the files to be deleted.

More concerns:

- Outdated OpenSSL version

The OpenSSL used in the TSx BallotStation 4.6.4 software is an outdated 
version 0.9.7e, dated 25/10 1994, which is known to contain some 
security vulnerabilities. At the time of the writing the most current 
versions are 0.9.7j and 0.9.8b.

- Certificate will expire

The Cyptographic certificate of the TSx machines examined in Emery 
County have an expiration date of 1/31/2009. The 
installation/replacement process for renewed certificate was not studied.

- Piggyback connectors under modem

The modem is implemented on the motherboard as piggyback module. 
However, there are two sets of connectors underneath this modem built 
for two different kinds of piggybacks. It is unknown what the other 
piggyback modules enable.

Additional concerns and many photographs are contained in the report.

PERMISSION TO REPRINT GRANTED WITH LINK TO http://www.blackboxvoting.org

More information about the E-voting mailing list