I Bought a Voting Machine Online … Then Hacked It


So what we were able to do is
to go out to an online auction site and buy two machines. Less than $100 is
the cost of entry into your exploitation and
vulnerability research. So this is what
the machines look like when we booted them up. They’re fully assembled, so
now what we’ll start to do is dissect them and see
what we can find out as far as exploitation vectors. So I’ve only had access to
this for a few minutes– literally a few minutes. And I can already see the threat
landscape of this machine. I have a DB9 port here. I see the chip for the operating
system is not glued in. Pretty carefully, I
can pull that out. Now what that’s going
to allow me to do is to leave the machine behind,
and I’m going to take this chip and put it inside
of my reader/writer and start looking at
what’s installed on it and what the OS has for
exploitation potential. Another thing that’s
disconcerting to me with this is that this is the smart card,
and on the back side of this I can see the communications
cable is not secured either. And that would allow for
someone to put a shim in here if someone wanted to
install a defeat device. They could put it
right here and then plug it back in so the smart
card would function as normal, but it would change
information as it goes in. All the model numbers are on
these chips, which really they should have been removed
or redacted or ground down. I can clearly see that
this is one gigabyte. So I’m assuming that
that is probably on the cache size of it. We have way too much
information on here. All of these here start now
have a piece of the puzzle that you can put together
to start formulating your exploitation vectors. So what we have here
is a smart card, and this is from our Hack the
Vote initiative that we did. In this particular machine,
there’s three different cards. One’s a supervisor card. The other is the
actual voter card when someone goes in to
vote, and then there’s a third card as well. So what would happen is that
the person inserts the card, and we’re going to
see that it’s not reading our card because we’ve
yet to load it with the code. But the fact that it is
detecting it is interesting. We’re going to look
at some system logs. First of all, what strikes
me as being interesting is that this is saying
that you use OpenSSL. It gives the version
number, which is bad because if there are
any exploits into that then we know exactly what version it is. We can see that there was
an administrator card that was inserted, and then it had
the original date and time. And then we’ll see down here
where the date and time was set with the administrator card. Now what’s disturbing
about that is that if this machine was to be
booted up before the election day, someone could
insert an administrator card and then pre-populate
some votes. We see down here, this machine’s
actually done 1,434 votes from what we can tell. So with this, it’s
just disturbing that someone could
change the date to either close the
precinct a few hours early or maybe pre-populate
with some votes. We don’t know
quite what precinct this came from because it
just says Stark County. So we’re just going
to see if we can find any other information in here. So what we see here now is 122
Meyers Lake A, maybe avenue, and that “m lake underscore can”,
I don’t know, maybe Canton, Ohio, and it says party Democrat. So it says that there
was a card created, and I guess maybe they
are tracking the card is for a Democrat or maybe
some other party affiliation. So just having the
precinct information now I know what machines are
being used in the precinct. So like I said we have
two different styles of voting machines,
but we know for a fact that that precinct
possibly uses this style. So if I’m going to
exploit that precinct, I’m going to do it with
this style machine. So that’s some pretty
good information. So if we look through
here, whoa, what is this? What is this? Yeah, this isn’t good here. So apparently something–
let’s see– something threw this error. And with errors you get a lot
of information that could help. So this machine error log
was written in March 2013. However, this error was
thrown on 6-11-2012. So to me, I would be looking
at when the election happened. Did this error come
before the election, during the election day,
or after the election? But looking through here,
there is a lot of information that we can gather. We see things like
Winsock.dll, so we know there are
some communications that can happen here. toolhelp.dll– all of these are DLLs that
are associated with Windows components, but
what that will allow us to do things like
with task bond and stuff like that is to see
are there any exploits into the subprocesses. If so it may lead to
exploitation of the machine. We also see that it’s
probably the main program is this BallotStation.exe. We see a lot of those in there. So all these error logs are very
good clues to what’s going on. And the one thing
that we found that was interesting was a little bit of
clear text in here is TAHOMA. So not sure what that is. Maybe we will look
and see if there is a candidate with that name
or something that could– let us know what
was being displayed on the screen at the time
the error was thrown. So you could imagine someone
had an exploit into this, and every time someone tried
to vote for that candidate, it throws an error
and says vote, tabulated stuff like that. So all of these things
are telltale signs into what’s happening
with the machine, and with this error
message, I’m going to research further
and see if I can deduce what actually happened
when this error message was thrown. So what we have here
is the sick– what they call the security status. And so here is
the key hash where you see that it’s using 128-bit
AES encryption, which is good. But the one thing
that’s a little bit on the disturbing side is
that this key has expired in July of 2013,
but the issuer here doesn’t appear to be one of the
major issuers of certificates. Not saying that that’s
horrible, but that means whoever issued this
ticket, the whole integrity around the communications and
the encryption on this device resides on where
this private key is. We don’t know if this is on my
laptop that could be stolen. We don’t know if this is inside
of a secured air gap network as most of the
certificate authorities are and stuff like that. After looking at this
for the limited time and looking at the
amount of information that this device has given
us, that’s not necessary. And also all this information
is being gathered without us doing any kind of exploitation. We showed you a few things
that we would start looking at, but the fact is that this
machine booted up and presented us this information is a
little bit disturbing. This has yet given up more stuff. So we see that it says data
transfer over SSL and TLS. So we know that there’s
some IP-based data transfers that can happen. We showed some communications
chips on there. We see that there is
user-defined security keys and supervisor PINs. User defined– that means
that probably these devices– these PINs are set once they
go out to whatever district it is and stuff
like that because it says it’s user defined. So, yeah, there’s a lot of
stuff in here that is worrisome, and I’m pretty confident that
with the amount of information this machine gives up,
then we can develop an exploit into this given
how wide the vectors are and the landscape. So the first thing I would do
is have a plan pre-formulated. And since the election data
is housed on a glorified thumb drive type thing, I would look
at manipulating it that way. So it would be a simple I walk
up, I have my key for this, I pop something out,
and I put something in. That would be the vector. So the one thing
that I am happy about is this machine was
for sale online. So hopefully this precinct
has updated their machines. However, this same
machine is probably one that’s being
used in one of 9,000 other precincts around the US.
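
The transcript's points about the administrator card resetting the clock and about comparing log timestamps with election day can be turned into an audit check. The following is an added example, not code from the video or from the machine's vendor; the log layout, event names and dates are constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample log. The pipe-delimited layout and event names are
# assumptions for illustration, not the real log format of any machine.
SAMPLE_LOG = """\
2030-03-04 18:02:11|CARD_INSERT|type=administrator
2030-03-04 18:02:40|CLOCK_SET|new=2030-03-05 06:30:00
2030-03-05 06:31:05|BALLOT_CAST|seq=1
2030-03-05 06:33:50|BALLOT_CAST|seq=2
2030-03-05 12:00:00|CARD_INSERT|type=administrator
2030-03-05 12:00:20|CLOCK_SET|new=2030-03-05 12:01:00
2030-03-05 19:45:00|BALLOT_CAST|seq=3
"""

def review_log(text, polls_open, polls_close, max_jump=timedelta(minutes=5)):
    """Return (line_no, reason) findings for an auditor to follow up."""
    findings = []
    last_card = "unknown"   # type of the most recently inserted card
    clock_trusted = True    # False once the clock has jumped by more than max_jump
    for n, line in enumerate(text.splitlines(), 1):
        stamp, event, detail = line.split("|", 2)
        when = datetime.strptime(stamp, FMT)
        value = detail.partition("=")[2]
        if event == "CARD_INSERT":
            last_card = value
        elif event == "CLOCK_SET":
            jump = abs(datetime.strptime(value, FMT) - when)
            if jump > max_jump:
                clock_trusted = False
                findings.append((n, f"clock moved {jump} with {last_card} card"))
        elif event == "BALLOT_CAST":
            if not polls_open <= when <= polls_close:
                findings.append((n, f"ballot {value} outside polling hours"))
            elif not clock_trusted:
                findings.append((n, f"ballot {value} follows unverified clock change"))
    return findings

if __name__ == "__main__":
    opened, closed = datetime(2030, 3, 5, 6, 30), datetime(2030, 3, 5, 19, 30)
    for line_no, reason in review_log(SAMPLE_LOG, opened, closed):
        print(f"line {line_no}: {reason}")
```

Ballots 1 and 2 carry timestamps inside polling hours only because the clock was moved forward first, which is why the check flags the clock change itself and not just out-of-window timestamps.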


Comments

  1. I do disagree that grinding down chip numbers is going to help much. It would merely delay an attack. By matching the power pins, package and device type, you can pretty quickly narrow down the exact model.

  2. Sure, if hackers could get to each and every voting machine, break in where people vote, in every city and every state, they could hack the machines. Voting machines are not hooked up to a computer or hooked to the web, etc. So a hacker would have to break in and set up each and every machine in that one location, then, like Santa Claus, be able to be at every voting machine in every place of voting in every city all over America. Can't be done. Now if there's some crooked people at a voting place they might get to the machines there and do something, but not all over America. Buying a voting machine online and showing how easy it is to hack is really stupid. Not going to happen at real voting places unless done to a few by ones in charge there late at night when no one's around. So unless they hook all the voting machines to the web under one umbrella, no hacking can be done by creeps, Russians, Yogi the Bear, Joe Biden, Hillary Obama, etc. That's why the security not worried about on the machines being used. Not hooked to the web for hackers' access.
