[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
How the UM Fight Song killed the DC electronic ballot return system
- To: Mary Eberle <m.eberle@xxxxxxxxxxxx>, Margit Johansson <margitjo@xxxxxxxxx>, Angie Layton <angielayton@xxxxxxxx>, Marilyn R Marks <marilyn@xxxxxxxxxxxxxxx>, joseph richey <richey80304@xxxxxxxxx>, Harvie Branscomb <harvie@xxxxxxxxxxxxx>, Kathryn Wallace <kcanges@xxxxxxxxx>, Stith Bennett <stith@xxxxxxxxxxx>, Geof Cahoon <gcahoon@xxxxxxxxx>, Ralph Shnelvar <ralphs@xxxxxxxxx>, Joe Pezzillo <jpezzillo@xxxxxxxxx>, Neal McBurnett <neal@xxxxxxxxxxxxxxxxx>, Paul Walmsley <paul@xxxxxxxxxxx>, Colorado Voter Group <ColoradoVoter@xxxxxxxxxxxxxxxx>, Sunny Maynard <dinophile@xxxxxxxxx>, Tom Morris <Tmmco1@xxxxxxx>, Jon Ehrlich <jbehrlich@xxxxxxxxx>, Laurie Bretz <laurieannb@xxxxxxx>, Catherine Lo <ctlo@xxxxxxx>, Dan Leftwich <jdlwcec@xxxxxxxxx>, Dan Martin <dan@xxxxxxxxxxx>, Deb Adams <debsueadams@xxxxxxxxxxx>, Larry Steven Bowlds <Larry.Bowlds@xxxxxxxxxxxx>, Peter or Alison Richards <aprichards@xxxxxxxx>, Barbara Dungey <barbara.b.dungey@xxxxxxxxx>, Catherine Jarrett <citizensforjarrett@xxxxxxx>, Yvonne Iden <Vonderosa@xxxxxxxxx>, Al Kolwicz <alkolwicz@xxxxxxxxx>, "AM760.net" <webmaster@xxxxxxxxx>, "betsy.puls" <betsy.puls@xxxxxxxxx>, carlelawrence <CarlELawrence@xxxxxxxxx>, CFVI Attendees <attendees@xxxxxxx>, Citizens for Verifiable Voting <cvv-discuss@xxxxxxxxxxxxxxxxx>, Colorado Secretary of State <Public.Secretary@xxxxxxxxxxxxxxx>, Congressman Mark Udall <co02@xxxxxxxxxxxxxx>, council@xxxxxxxxxxxxx, crew@xxxxxxxxxxxxxxxxxx, csjacobs <csjacobs@xxxxxxxxxxxx>, Dan Culberson <danculberson@xxxxxxxx>, "Democrats.com" <activist@xxxxxxxxxxxxx>, Hillary Hall <hhall@xxxxxxxxxxxxxxxxx>, info@xxxxxxxxxxxxxxxxxxxx, James <james@xxxxxxxxxxx>, Jared Polis <jared@xxxxxxxxxxxxxx>, Judd Choate <Judd.Choate@xxxxxxxxxxxxxxx>, Ken Gordon <ken@xxxxxxxxxxxxx>, Lou Puls <lou.puls@xxxxxxxxx>, Margaret Samuelsen <MSAMUELSEN@xxxxxxx>, Mariko Kageyama <aspeciosus@xxxxxxxxx>, Max Puls <madmax303@xxxxxxxxxxx>, Michael Bennet <moveon-help@xxxxxxxxxxxxxxx>, Newsroom Denver_Post <newsroom@xxxxxxxxxxxxxx>, newsroom@xxxxxxxxxxxxxxx, openforum@xxxxxxxxxxxxxx, Paul Tiger <paul.tiger@xxxxxxxxxxxxx>, Representative Claire Levy <claire.levy.house@xxxxxxxxxxx>, "Restore the Republic!" <rtr@xxxxxxxxxxxxxxxxxxxxxx>, Senator Rollie Heath <rollie.heath.senate@xxxxxxxxxxx>, Sigrid Sommerfeldt <sommerfeldt@xxxxxxxxxxxxx>, Stuart Puls <stu.puls@xxxxxxxxx>, "Thom Hartmann's Newsletters" <adhd@xxxxxxxxxxxxxxxxxxxx>
- Subject: How the UM Fight Song killed the DC electronic ballot return system
- From: Lou Puls <lou.puls@xxxxxxxxx>
- Date: Sat, 9 Oct 2010 18:39:57 -0600
- Delivered-to: mailing list cvv-discuss@xxxxxxxxxxxxxxxxx
- Delivered-to: moderator for cvv-discuss@xxxxxxxxxxxxxxxxx
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:mime-version:received:from:date :message-id:subject:to:content-type; bh=IeVMOouXCCLAsKN6BoIj+ZjVgGjv5dqHTTd8FAZZv9I=; b=Xblah8md93OZrme3DxIaXWe19rtFDrrGPvwIYf3A9/NhWyt/4NjBs+8F+bfadn3+5L wHgsXS4tmJ1/eDZQpV4ytz8IOLTVS/Zn7mvmhTPyY8MT/hO7imoHwBv5bYjmXLeWr7eo T1ZbrR64ry3mTQ1Po2yalJmGkqFZk/A2/4lT4=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:from:date:message-id:subject:to:content-type; b=nonyA5Fjf+yasYDm4GiT15miS5DUE3UOQwPM4+kJwCDkoV1cAjY6oQiAt1t4TyToUK UStC9oo/wpdp1fvvxZ2ijnPKjI2gw3WscZVj+RAt2VWAdvgsaXAfx86tlnAr0K0zqAhy PDk2rNEyBGU3ncCOy53rkpvD0abb7B2Wnx1v0=
- List-help: <mailto:cvv-discuss-help@coloradovoter.net>
- List-post: <mailto:cvv-discuss@coloradovoter.net>
- List-subscribe: <mailto:cvv-discuss-subscribe@coloradovoter.net>
- List-unsubscribe: <mailto:cvv-discuss-unsubscribe@coloradovoter.net>
- Mailing-list: contact cvv-discuss-help@xxxxxxxxxxxxxxxxx; run by ezmlm
To all concerned about verifiable, trustworthy elections:
As noticed by Voter Action [www.VoterAction.org], a computer science group at the University of Michigan has succeeded in HACKING (White-Hat-legally) into the District of Columbia testbed website for "Internet Voting" and revealing the brittleness and full vulnerability of the concept of trying to use unprotected, unencrypted transmission of ballots over such an open system.
The DC site was (its electronic ballot return component has been cancelled for the current election) a dedicated, somewhat secured website -- any attempt to use an even more vulnerable email ballot return system (such as used by the State of Colorado) is irresponsible to the extreme -- whatever its well-intentioned purpose to simplify overseas voting.
In the demonstration link in the UM blog posting below, YOU TOO can hack into the site, cast your poisoned ballot and PLAY the audio of the UM Fight Song!
By J. Alex Halderman October 5th, 2010 at 9:07 pm
The District of
Columbia is conducting a pilot project to allow overseas and
military voters to download and return absentee ballots over the Internet.
Before opening the system to real voters, D.C. has been holding a test period in
which they've invited the public to evaluate the system's security and
usability.
This is exactly the kind of open, public testing that many of us in the
e-voting security community — including me — have been encouraging vendors and
municipalities to conduct. So I was glad to participate, even though the test
was launched with only three days' notice. I assembled a team from the
University of Michigan, including my PhD students, Eric Wustrow and Scott Wolchok, and
Dawn Isabel, a member of the University of Michigan technical staff.
Within 36 hours of the system going live, our team had found and exploited a
vulnerability that gave us almost total control of the server software,
including the ability to change votes and reveal voters’ secret ballots. In this
post, I’ll describe what we did, how we did it, and what it means for Internet
voting.
D.C.'s pilot system
The D.C. system is built around an open source server-side
application developed in partnership with the TrustTheVote
project. Under the hood, it looks like a typical web application. It's
written using the popular Ruby on Rails framework and runs on top of the Apache
web server and MySQL database.
Absentee overseas voters receive a physical letter in the mail instructing
them to visit a D.C. web site, http://www.dcboee.us/DVM/, and log in with
a unique 16-character PIN. The system gives voters two options: they can
download a PDF ballot and return it by mail, or they can download a PDF ballot,
fill it out electronically, and then upload the completed ballot as a PDF file
to the server. The server encrypts uploaded ballots and saves them in encrypted
form, and, after the election, officials transfer them to a non-networked PC,
where they decrypt and print them. The printed ballots are counted using the
same procedures used for mail-in paper ballots.
A small vulnerability, big consequences
We found a vulnerability in the way the system processes uploaded ballots. We
confirmed the problem using our own test installation of the web application,
and found that we could gain the same access privileges as the server
application program itself, including read and write access to the encrypted
ballots and database.
The problem, which geeks classify as a
“shell-injection vulnerability,” has to do with the ballot
upload procedure. When a voter follows the instructions and uploads a
completed ballot as a PDF file, the server saves it as a temporary file and
encrypts it using a command-line tool called GnuPG. Internally,
the server executes the command gpg with the name of this temporary
file as a parameter: gpg […]
/tmp/stream,28957,0.pdf.
We realized that although the server replaces the filename with an
automatically generated name (“stream,28957,0” in this example), it keeps whatever
file extension the voter provided. Instead of a file ending in “.pdf,” we could
upload a file with a name that ended in almost any string we wanted, and this
string would become part of the command the server executed. By formatting the
string in a particular way, we could cause the server to execute commands on our
behalf. For example, the filename “ballot.$(sleep 10)pdf” would
cause the server to pause for ten seconds (executing the “sleep 10” command) before responding. In
effect, this vulnerability allowed us to remotely log in to the server as a
privileged user.
Our demonstration attacks
D.C. launched the public testbed server on Tuesday,
September 28. On Wednesday afternoon, we began to exploit the problem we found
to demonstrate a number of attacks:
- We collected crucial secret data stored on the server, including
the database username and password as well as the public key used to encrypt the
ballots.
- We modified all the ballots that had already been cast to
contain write-in votes for candidates we
selected. (Although the system encrypts voted ballots, we simply discarded
the encrypted files and replaced them with different ones that we encrypted
using the same key.) We also rigged the system to replace future votes in the
same way.
- We installed a back door that let us view any ballots that
voters cast after our attack. This modification recorded the votes, in
unencrypted form, together with the names of the voters who cast them, violating
ballot secrecy.
- To show that we had control of the server, we left a “calling
card” on the system's confirmation screen, which voters see after voting. After
15 seconds, the page plays the University of Michigan fight song. Here's a
demonstration.
Stealthiness wasn't our main objective, and our
demonstration had a much greater footprint inside the system than a real attack
would need. Nevertheless, we did not immediately announce what we had done,
because we wanted to give the administrators an opportunity to exercise their
intrusion detection and recovery processes — an essential part of any online
voting system. Our attack remained active for two business days, until Friday
afternoon, when D.C. officials took down the testbed
server after several testers pointed out the fight song.
Based on this experience and other results from the public tests, the D.C.
Board of Elections and Ethics has announced that they will not proceed with a
live deployment of electronic ballot return at this time, though they plan to
continue to develop the system. Voters will still be able to download and print
ballots to return by mail, which seems a lot less risky.
D.C. officials brought the testbed server back up
today (Tuesday) with the electronic ballot return mechanism disabled. The public
test period will continue until Friday, October 8.
What this means for Internet voting
The specific vulnerability that we exploited is simple to fix, but it will be
vastly more difficult to make the system secure. We've found a number of other
problems in the system, and everything we've seen suggests that the design is
brittle: one small mistake can completely compromise its security. I
described above how a small error in file-extension handling left the system
open to exploitation. If this particular problem had not existed, I'm confident
that we would have found another way to attack the system.
None of this will come as a surprise to Internet security experts, who are
familiar with the many kinds of attacks that major web sites suffer from on a
daily basis. It may someday be possible to build a secure method for submitting
ballots over the Internet, but in the meantime, such systems should be presumed
to be vulnerable based on the limitations of today's security
technology.
We plan to write more about the problems we found and their implications for
Internet voting in a forthcoming paper.
—
Professor J. Alex Halderman is a computer scientist at the University of Michigan.
= = = = =
Lou Puls
Museion Research
Westcliffe CO
--
Tea Party Motto --
Government FOR the people who hate government,
Government BY the people who hate to govern,
Government OF the people who hate to vote.
~after Wiley, Non Sequitur