[E-voting] Hursti II - Supplemental Report with additional security
cansbro at eircom.net
Tue May 23 22:23:59 IST 2006
On May 11, 2006 the Black Box Voting "Hursti II" report was released,
showing devastating security flaws in the Diebold touchscreen machines.
This study has now been covered by Newsweek and the New York Times.
A small supplemental report was issued today pointing out additional
concerns and high priority areas for further study.
The supplemental study can be found here:
(many photographs, allow time for download)
1. Flash memory erasure:
There seems to be a memory card-triggered feature to erase the contents
of flash memory. This destructive function was started in the TS6 with
the file [redacted], and there are indications that the feature is
carried over to the TSx with trigger file [redacted], if it is found on
the memory card. This feature was not tested in Emery County and should
be examined further.
2. Further study needed on macros:
TS6 and TSx machines have as built-in features new kinds of macro
capabilities. These capabilities make use of a simplistic Windows Window
Manager Message recording and play function. Presumably the feature has
been designed for automation of volume testing. If this is the case it
is important to understand that this approach bypasses part of the
system and therefore is by no means equal to end-to-end testing. There
are a number of concerns around this feature functionality warranting
- The files are stored on the removable memory card as unprotected
plain-text files. There are no protection mechanisms against
modifications to these files.
- Are the WM_message filters adequate?
- Is the processing function secure against buffer overflow / boundary
overflow attacks and/or string format attacks?
- Are the message parameters passed back to Windows boundary-checked? Is
there proper exception handling in place?
Creation of and access to the macros are available with poll worker level
access, under some circumstances even without any smart card.
In preliminary testing the following issues were identified:
- The macro is not contained in the user interface logic. Because of
this, the macro can access settings, changing the telephone number / ip
address and initiating calls.
- Two machines with completely identical software release numbers had
different behavior with the same macro. Machine A just had a software
crash and became unstable, while machine B produced an error message on
the system log and contained the error while still resulting in loss of
software functionalities. There were also other examples of different,
but reproducible, software behaviors between machines with both modified
and unmodified macros.
- File handle processing seems to be flawed and interrupted by exception
macro processing, producing open file handles.
- There seem to be user interface race conditions, which cannot be
triggered by human interaction with the machine, but are revealed by
no-delay playback of the human actions, i.e. unmodified macros.
(See photos in report)
3. Back door
The TS6 is likely to have an additional back door for accessing Windows,
though this could not be tested in Emery County – also it is unknown if any
of this in any form has been carried over to TSx. Further source code
analysis of the well-known "CVS.TAR" file [1], which contains source code
for the TS6 and has been widely used in touch-screen system security
studies, has revealed this feature.
The fact that this backdoor has not been published before underlines the
fact that the source code reviews performed thus far have not been conclusive.
The start-up program for the ballot station looks for the existence
of [redacted] on the memory card. The file itself can be empty, because
the found file, based on the name alone, is a trigger for alternative
execution of a general purpose file management utility program instead
of the ballot station, therefore enabling access to the Operating System.
This back door has also been documented in [redacted]:
4. Automatic deletion of files, including election file-extension files:
In case the memory card is full, the system will, without any
interaction with the user, start to delete files from the card to free
up memory. This deletion will also take out files with election file
extensions from the election subdirectory. There is no way to verify
which logic the system follows when choosing the files to be deleted.
- Outdated OpenSSL version
The OpenSSL used in the TSx BallotStation 4.6.4 software is an outdated
version 0.9.7e, dated 25/10 1994, which is known to contain some
security vulnerabilities. At the time of the writing the most current
versions are 0.9.7j and 0.9.8b.
- Certificate will expire
The cryptographic certificate of the TSx machines examined in Emery
County has an expiration date of 1/31/2009. The
installation/replacement process for a renewed certificate was not studied.
- Piggyback connectors under modem
The modem is implemented on the motherboard as a piggyback module.
However, there are two sets of connectors underneath this modem built
for two different kinds of piggybacks. It is unknown what the other
piggyback modules enable.
Additional concerns and many photographs are contained in the report.
PERMISSION TO REPRINT GRANTED WITH LINK TO http://www.blackboxvoting.org
More information about the E-voting
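As an added defender-side illustration (not part of the report or of this post): the unprotected macro files, the name-only trigger file and the silent deletions described above share one root cause, namely that the ballot station trusts whatever it finds on the removable card. The Python below audits a card directory against an HMAC-protected manifest and flags unexpected, modified and missing files before anything on the card is acted on; the manifest format, file names, key and trigger file name are all constructed for the demo and do not come from the report.

```python
import hashlib, hmac, tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sig"  # constructed name; the real card layout is not on the page

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_manifest(entries, key):
    # entries: {relative path: sha256 hex}; the last line is an HMAC over all entry lines
    body = "".join(f"{n} {d}\n" for n, d in sorted(entries.items())).encode()
    return body + f"mac {hmac.new(key, body, hashlib.sha256).hexdigest()}\n".encode()

def parse_manifest(blob, key):
    # Check the tag before trusting a single entry: a forged or edited manifest is rejected outright
    lines = blob.decode().splitlines()
    if not lines or not lines[-1].startswith("mac "):
        raise ValueError("manifest has no MAC tag")
    body = "".join(l + "\n" for l in lines[:-1]).encode()
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), lines[-1][4:]):
        raise ValueError("manifest MAC mismatch")
    return dict(l.split(" ", 1) for l in lines[:-1])

def audit_card(card_dir, key):
    # Sorted findings; [] means every listed file is present and unmodified and nothing extra exists
    expected = parse_manifest(Path(card_dir, MANIFEST_NAME).read_bytes(), key)
    findings = []
    for path in Path(card_dir).rglob("*"):
        rel = path.relative_to(card_dir).as_posix()
        if path.is_dir() or rel == MANIFEST_NAME:
            continue
        if rel not in expected:
            findings.append(f"unexpected file: {rel}")  # an empty, name-only trigger file lands here
        elif sha256_file(path) != expected[rel]:
            findings.append(f"modified file: {rel}")  # an edited plain-text macro lands here
    findings += [f"missing file: {r}" for r in expected if not Path(card_dir, r).is_file()]
    return sorted(findings)

def demo():
    # Constructed card: manifest two files, then drop in an empty trigger file and edit a macro
    key, card = b"constructed-demo-key", tempfile.mkdtemp()  # a real key would live in protected storage
    files = {"election/results.dat": b"tally data", "macros/test.mac": b"WM_LBUTTONDOWN 10 20"}
    for rel, data in files.items():
        Path(card, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(card, rel).write_bytes(data)
    Path(card, MANIFEST_NAME).write_bytes(build_manifest({r: sha256_file(Path(card, r)) for r in files}, key))
    Path(card, "TRIGGER.TXT").touch()  # placeholder for the redacted trigger file name
    with Path(card, "macros/test.mac").open("ab") as f:
        f.write(b"\nWM_COMMAND 99")
    return audit_card(card, key)
```

A station that refuses to start when `audit_card` returns anything, or when `parse_manifest` raises, no longer lets a file's mere presence or edited contents select its behaviour.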