In this course, you'll learn what every citizen should know about the security risks--and future potential — of electronic voting and Internet voting. We'll take a look at the past, present, and future of election technologies and explore the various spaces intersected by voting, including computer security, human factors, public policy, and more.
Diebold
Loading...
From the course by University of Michigan
Securing Digital Democracy
96 ratings
From the lesson
Computers at the Polls
Voting enters the computing age
Meet the Instructors
J. Alex HaldermanAssociate Professor
Electrical Engineering and Computer Science
Welcome back to securing digital democracy.
This is a very exciting lecture for me. Because, well, last time, we got to talk
about, some of the problems with DREs in concepts.
Some of the things people thought might go wrong.
In this lecture, I get to show you some of the things that go wrong.
We're going to get to go through a series of research projects, where researchers
were able to get a hold of DRE voting machines actually used in the real world,
and get them to misbehave in ways that simulate what real criminals could do.
The first of these stories comes from my own work when back in 2006, when I was a
grad student at Princeton, getting my PhD. I got to be part of the first hands-on
academic study of a DRE used in real elections in the United States.
Here's the voting machine that we got to look at.
It was the Diebold AccuVote TS. This was, at the time, the most widely
used electronic voting machine in the US. It's still used statewide in Maryland and
Georgia. The AccuVote-TS is a touchscreen machine.
It's actually very similar to a computer. So, conceptually, there's, there's no
difference between the voting machine and the computer.
They both run arbitrary software, they both have internal flash storage, they
both have a flat panel display. The only difference at, conceptually, at
least is in the cosmetics. The Dewalt machine has a touch sensitive
screen, unlike your typical laptop but really it works very similarly to an Ipad
or a tablet. On an architectural level inside, it's
actually a little bit more similar to a PDA or a smartphone.
It uses a microprocessor that's designed and was used at the time for devices like
this. And it runs a version of Windows, called
Windows CE, which is a little bit different from your desktop operating
system, but was designed for PDAs and smartphones.
So the Diebold machine that we acquired came to us from an anonymous source.
Because you'll recall at the time, as we talked about at the end of the last
lecture, Diebold was very, very protective of these machines.
They, they had non-disclosure agreements with all of their customers.
They threatened election officials who wanted to work with independent security
evaluators with losing their jobs. It, it was a very cloak and dagger time.
And I told you at the beginning of the course how I, I went up to New York City
and received the machine from the, the trench coat wearing man with the leather
briefcase. But the cloak and daggerness of the whole
thing continued we ended up spending the, spending an entire summer working on the
machine in total secrecy. We didn't want Diebold to rush off to, try
to get say court order for us to stop the work although our lawyers assured us that
the process was, was completely legal. We didn't want it to be tied up in
litigation for an extended period. So our plan was to perform our study in
secrecy and then go public with it at the same time the voting machine manufacturer
would learn about the results. As a result of this we spent the, the
summer working on the machine in, in the basement of the Friend Center at
Princeton. In an unmarked room that wasn't even on
the maps of the building. This is the level of cloak and daggerish
secrecy involved. So our first task was to find out how the
machine worked and to be able to get a copy of the software out of the machine.
And now, think about this, if you're handed a, a computer device that's what we
call an embedded system. That's a device that's made with special
purpose software that's, that's stored inside it.
It's not entirely clear how you would get the software out at all to even begin
looking at it. So we opened the machine and the first
thing we did was try to understand how the hardware worked.
Now by looking at the chips we were able to identify the parts, here's the, the
microprocessor. These are the memory chips, the flash
chips that store the machine's internal software and a record of the votes.
This is a slot for a PC card, a kind of removable memory card that's basically the
same kind of idea as your digital camera. Now election officials used these cards to
program in the ballots at the start of the election, and then to copy out the votes
for each candidate at the end. They'd take the card out and bring it to a
central location where they'd be electronically tabulated by a different
kind of computer. In addition to those, there is a socket
with a removable memory chip. This removable memory chip ended up being,
the way we were able to crack the software and figure out how to copy it off.
But I'll tell you a little bit more about how that works in a second.
To understand how the software behaved once we did copy it off of the machine we
had to go through a process called reverse engineering.
And reverse engineering is a, a standard technique in computer science, where you
start with a completed device, and you go backwards to find out how it works.
In the case of, of software reverse engineering, we're starting with a, a, a
finished piece of computer software, and we want to try to go backwards and
understand what's in the source code to that software.
Typically computer software that you receive isn't in the form of source code,
the actual instructions people have written.
It's in the form of what we call a binary. That is a an executable computer program
written in a much more compact form of instructions that are, are built for
computers to understand but not for people.
It's possible to reverse that process, to go backwards from the executable or binary
to something resembling source code by using very specialized computer software
like this. This is, a package called IDA PRO, that's
a system for reverse-engineering software. The process of using this is extremely
tedious. It might take weeks to go backwards for a
software the, the complexity of, of this voting machine.
But the process is, in concept, not that hard to understand.
The IDA will display for us here, the set of compact computer instructions.
This is something called assembly language, and we can add comments as we're
trying to decipher what each line is for. It also shows branches every time the
software might take different paths, depending on the, the state of the
machine. So little by little, we can work backwards
from the computer instructions and get to something that is a human understanding of
what the software is doing. After weeks of this, we finally got the
machine into a configuration where we understood how it worked.
And could run a simulation of a real election.
Some things we found from reverse engineering that software were, were
really, really disturbing. We found a number of design flaws that
could allow someone who had even temporary access to that memory card used to load
ballots into the machine to, to replace parts of the software that were running
the election. The software in the AccuVote-TS has three
main layers. At the bottom of this software stack, as
we call it, is something called the bootloader.
And the bootloader is very low-level simple software that's responsible for
turning on the machine and starting up the operating system.
The bootloader runs Windows, that is it starts the Windows operating system, and
the technical name for what it runs is the Windows CE kernel.
On top of Windows, the first thing that Windows starts is an application called
BallotStation, and BallotStation is actually not that different from a program
that you might run on your desktop PC like a word processor or a web browser, except
that instead of providing those kinds of features it provides screens for setting
up an election, voting and then outputting the results of an election at the end of
the polls. Now we figured out when we were reverse
engineering the machine, that there are some design flaws in the boot loader, that
could allow a malicious person to replace any piece of this software with their own
tampered-with version. Now even if we assume that the default
software that ships with the machine normally is honest, we have to worry that
someone who replaced the software with a tampered version, might re-program it to
be malicious and to change or steal votes. Now what we found was that the boot
loader, by design has features for updating the machine software if certain
files are present on the removable memory card used to load the ballot design at the
beginning of the election. If there is a file with the name of FBOOT
.NB0, the boot loader, when you turn on the machine, just replaced itself with
whatever is in that file. Another file named NK.bin will cause the
bootloader to replace Windows with the contents of that file.
And through another process, a file called install.ins can be used to replace the
BallotStation software. Now it's important for voting machines
like any other kind of computer to have some mechanism for doing software updates,
but the problem with the Diebold machine was there weren't any security controls on
the way this worked. All you had to do is know the file name.
There weren't any secrets necessary for that process.
There wasn't even any confirmation on the screen asking whether you wanted to do
that update. Another file called explorer.glb, if
present on the card, would cause the machine not to automatically run ballot
station. But instead to run Windows Explorer.
This is basically the same interface you get on a desktop pc for browsing through
the files. So this was immensely helpful to us in
figuring out how the machine worked. And in testing on it.
But it could also provide another means of replacing software.
You could just start, start Windows like this and then copy your malicious voting
software on to the machine from a remove, from the removable card.
Another means of potentially subverting the software on the system involve that
removable ROM chip on the motherboard. And I have one of those chips right here.
So this was a feature that was built into the machine probably for testing while
they were designing it. If you set some switches or jumpers on the
motherboard to the position shown in that table it can cause the machine to start,
not from its internal memory boot loader but from whatever software is on this
removable chip. The machine came with one of these chips
that had, had one version of the software and we, we started out our whole process
by reverse engineering that software and modifying it to give us further control of
the machine, and allow us to dump the rest of the contents of its internal memory.
So, all we had to do was program our own chip with our malicious software, change
some jumpers, and plug the chip in and turn it back on.
So, this is an example of what I call, a failure in depth.
There wasn't just one route for replacing the machine's code with malicious
software. There were three totally separate routes
that someone could go through. If any of these were available, an
attacker could tamper with the machine. There was booting into Windows.
There was using those magic file names on the memory card to replace the internal
software or firmware. And there was replacing the ROM chip.
This sort of problem with multiple failures giving an attacker multiple
options for breaking into a machine, is something we're going to see again, with
other sorts of voting systems in the future.
Now it's time to ask, what could go wrong? You've seen different ways that someone
could replace the software, replace the ballot station application with their own
malicious version. Now, I'd like you to think about some of
the different kinds of attacks that someone could do if they were able to get
malicious software on the machine. We'll talk about some of the things that
we actually tried in the research project when we come back.
If the attacker can change the software on the machine there's almost no end to what,
what sorts of malicious tampering he can do.
The most obvious desire would be to change the votes stored on the machine.
But there are a few ways you could go about doing that.
I'm going to explain, the, the mech, the mechanisms for cheating that, we actually
demonstrated in the research project. We developed an application that can be
loaded onto the machine by exploiting any of those design flaws I talked about.
And runs on top of windows along side the ballot station interface.
It hides in the background so there's nothing normally on the screen, unless the
attacker invokes a special control screen that gives them an option to set the
election result. Using this interface you can pick who's
going to win, and by how much. The stuffer application will then continue
to hide in the background, and as it runs, it monitors the voting process.
Every time someone casts a vote, the Stuffer program determines whether that
vote should be changed in order to make the real, the final election outcome match
what the attacker has programmed. So the, the AccuVote has actually three
different records that reflect what's going on during voting.
In its internal memory inside the case there is a primary vote record and an
audit log. And then on that removable memory card the
machine stores a backup vote record. All of these are accessible from software
running on the machine including from the Stuffer.
So our Stuffer application changes the records in all three of these places.
At the end of the election, the Stuffer can remove itself and having changed all
of the records, there will then be no electronic evidence left in the machine
that anything was amiss. This is a, a great illustration of the
problems with fully paperless DREs. If all of the records are electronic, and
all of them can be modified from the software.
Then if that software is malicious, it can make things go wrong.
So, the, the test election we ran with this was a contest between George
Washington and Benedict Arnold. And what we would do, we would load the,
malicious software onto the machine beforehand, using that removable memory
card. Then we would have the machine print out
its initial paper tape. This is a standard procedure at the
beginning of an election. They'll print a tape where the machine
checks that it has zero votes. Of course when you think about what's
really going on with a zero tape like this.
The software is just driving the printer and printing whatever text the software
says. So our malicious software could very
easily have this tape print zero votes even if there were votes loaded in.
So nothing appears to be wrong at this point.
Then voters can cast their votes and we'd always have everyone vote for George
Washington. But no matter how many votes were cast,
the output of the election would always be Benedict Arnold winning.
This is our malicious software at work actually functioning in the real machine.
As if this attack weren't bad enough, it turns out that we can exploit these same
problems to do something that's even more dangerous than just simply infecting one
machine via its memory card. In the process of conducting a normal
election, the election officials take the memory card that, that looks basically
like this. And, they will move it from machine to
machine in order to do things like performing software updates.
So they'll put a card in to the first machine, take it out and put it in to the
second machine, and so on. This moving a card from machine to machine
is a vector for spreading malicious software.
Just like back in the days of, of floppy disks, we had to worry about disks being
infected with viruses. We realized that, that this move, transfer
of the memory card might be exploited in a similar way.
What we came up with was a way to make a voting machine virus, that is, a way to
infect a single machine. With malicious software.
It would then spread via the memory card as it was moved from machine to machine.
So you put the memory card into the infected machine, the card becomes
infected, then if you put the card into another machine, that machine becomes
infected. In this way it would be possible for a
voting machine virus that was loaded onto a single machine by someone with very
temporary access to that machine or just a few seconds of access to its removable
memory card, and then to spread through the course of an election cycle or two to
all of the other machines in the jurisdiction.
So you could imagine infecting a whole state from a single point of entry by
spreading a voting machine virus. Now, this is just tremendously scary,
because it reduces the size of the conspiracy you need to attack a statewide
election to potentially just one technically expert person, and access to
one memory card or one voting machine. Actually, Diebold did have one defense
mechanism in place, and that was a physical security mechanism.
Covering the memory card slot on the side of the machine was a locking metal door,
that you had to get open in order to replace the card.
This turned out to be another example of a failure in depth, but before I tell you
how the door mechanism failed, I'd like you to try to puzzle out for yourself,
what could go wrong with a lock and key mechanism like this?
So, it turns out that there was a lot that was wrong with the lock and key used to
protect the Accuvote-TS. Diebold made several different mistakes.
The first problem was that all of the voting machines everywhere use the exact
same key, including all of the machines in the State of Maryland and the State of
Georgia. So if a criminal were to steal one of
those keys, could then go and open up any of the voting machines.
As if that weren't bad enough, you didn't even need the key to open up the machine.
It turned out the lock was easy to pick. I can pick the, the lock on the AccuVote
TS in about ten seconds with some lock picking tools.
Or I've taught students to open a lock like this in less than a minute using only
some paper clips. If you know what you're doing or take a, a
few minutes to learn. This lock doesn't pose any kind any kind
of hurdle. As if that weren't bad enough, it turns
out that the same key was already widely available.
There's a number written on the side of the key and if you put that into Google,
you'll find the exact same key is widely sold on Ebay for things like jukeboxes and
hotel minibars. Low security applications like this are
using the same standard kind of key. Diebold selected a low security and widely
available key for the TS. I actually bought one of those, those keys
on Ebay. Here it is, this was sold for a jukebox,
and it successfully opens the voting machine.
As if that weren't bad enough, Diebold themselves had a website where people
could buy the key. Now, now it wasn't as bad as you might
think. Diebold's website would only sell you the
key if you had already bought voting machines from them, so you had to be a
municipality. But they did have this catalog page, that
had a very high resolution picture of the key that in this picture I'm partially
blacking out. The picture was high enough resolution
that a reader who learned about our work and saw this webpage was able to go to the
hardware store and buy a similar-looking key.
And then go home and file it down to match the picture.
He sent us the key that he cut at home from the picture.
And it opened the voting machine. Here's the actual homemade Diebold key.
So, Diebold, on their own website, was giving out all the information you needed
to defeat the security, the physical security mechanism which was the only
thing that was keeping someone standing at the machine from replacing its software.
This is another example, the Diebold key, of a failure in depth.
You could steal a key from another machine or pick the lock or buy one online or make
one at home. Any of these ways would have allowed you
to get into the machine. So the, the attacker had, had multiple
options because of Diebold's design flaws. Now we might ask whether the Diebold
machine was particularly bad with these multiple failures in depth, this ability
for, for malicious software to change the votes.
Or for a voting machine virus to spread from machine to machine.
Was it just a Diebold problem, or is this something that effects other DRE's too.
We'll get to see the answer to that question in the next segment.
Explore our Catalog
Join for free and get personalized recommendations, updates and offers.
Coursera provides universal access to the world’s best education,
partnering with top universities and organizations to offer courses online.
© 2018 Coursera Inc. All rights reserved.
