To understand how the software behaved once we did copy it off of the machine we
had to go through a process called reverse engineering.
And reverse engineering is a, a standard technique in computer science, where you
start with a completed device, and you go backwards to find out how it works.
In the case of, of software reverse engineering, we're starting with a, a, a
finished piece of computer software, and we want to try to go backwards and
understand what's in the source code to that software.
Typically computer software that you receive isn't in the form of source code,
the actual instructions people have written.
It's in the form of what we call a binary. That is a an executable computer program
written in a much more compact form of instructions that are, are built for
computers to understand but not for people.
It's possible to reverse that process, to go backwards from the executable or binary
to something resembling source code by using very specialized computer software
like this. This is, a package called IDA PRO, that's
a system for reverse-engineering software. The process of using this is extremely
tedious. It might take weeks to go backwards for a
software the, the complexity of, of this voting machine.
But the process is, in concept, not that hard to understand.
The IDA will display for us here, the set of compact computer instructions.
This is something called assembly language, and we can add comments as we're
trying to decipher what each line is for. It also shows branches every time the
software might take different paths, depending on the, the state of the
machine. So little by little, we can work backwards
from the computer instructions and get to something that is a human understanding of
what the software is doing. After weeks of this, we finally got the
machine into a configuration where we understood how it worked.
And could run a simulation of a real election.
Some things we found from reverse engineering that software were, were
really, really disturbing. We found a number of design flaws that
could allow someone who had even temporary access to that memory card used to load
ballots into the machine to, to replace parts of the software that were running
the election. The software in the AccuVote-TS has three
main layers. At the bottom of this software stack, as
we call it, is something called the bootloader.
And the bootloader is very low-level simple software that's responsible for
turning on the machine and starting up the operating system.
The bootloader runs Windows, that is it starts the Windows operating system, and
the technical name for what it runs is the Windows CE kernel.
On top of Windows, the first thing that Windows starts is an application called
BallotStation, and BallotStation is actually not that different from a program
that you might run on your desktop PC like a word processor or a web browser, except
that instead of providing those kinds of features it provides screens for setting
up an election, voting and then outputting the results of an election at the end of
the polls. Now we figured out when we were reverse
engineering the machine, that there are some design flaws in the boot loader, that
could allow a malicious person to replace any piece of this software with their own
tampered-with version. Now even if we assume that the default
software that ships with the machine normally is honest, we have to worry that
someone who replaced the software with a tampered version, might re-program it to
be malicious and to change or steal votes. Now what we found was that the boot
loader, by design has features for updating the machine software if certain
files are present on the removable memory card used to load the ballot design at the
beginning of the election. If there is a file with the name of FBOOT
.NB0, the boot loader, when you turn on the machine, just replaced itself with
whatever is in that file. Another file named NK.bin will cause the
bootloader to replace Windows with the contents of that file.
And through another process, a file called install.ins can be used to replace the
BallotStation software. Now it's important for voting machines
like any other kind of computer to have some mechanism for doing software updates,
but the problem with the Diebold machine was there weren't any security controls on
the way this worked. All you had to do is know the file name.
There weren't any secrets necessary for that process.
There wasn't even any confirmation on the screen asking whether you wanted to do
that update. Another file called explorer.glb, if
present on the card, would cause the machine not to automatically run ballot
station. But instead to run Windows Explorer.
This is basically the same interface you get on a desktop pc for browsing through
the files. So this was immensely helpful to us in
figuring out how the machine worked. And in testing on it.
But it could also provide another means of replacing software.
You could just start, start Windows like this and then copy your malicious voting
software on to the machine from a remove, from the removable card.
Another means of potentially subverting the software on the system involve that
removable ROM chip on the motherboard. And I have one of those chips right here.
So this was a feature that was built into the machine probably for testing while
they were designing it. If you set some switches or jumpers on the
motherboard to the position shown in that table it can cause the machine to start,
not from its internal memory boot loader but from whatever software is on this
removable chip. The machine came with one of these chips
that had, had one version of the software and we, we started out our whole process
by reverse engineering that software and modifying it to give us further control of
the machine, and allow us to dump the rest of the contents of its internal memory.
So, all we had to do was program our own chip with our malicious software, change
some jumpers, and plug the chip in and turn it back on.
So, this is an example of what I call, a failure in depth.
There wasn't just one route for replacing the machine's code with malicious
software. There were three totally separate routes
that someone could go through. If any of these were available, an
attacker could tamper with the machine. There was booting into Windows.
There was using those magic file names on the memory card to replace the internal
software or firmware. And there was replacing the ROM chip.
This sort of problem with multiple failures giving an attacker multiple
options for breaking into a machine, is something we're going to see again, with
other sorts of voting systems in the future.
Now it's time to ask, what could go wrong? You've seen different ways that someone
could replace the software, replace the ballot station application with their own
malicious version. Now, I'd like you to think about some of
the different kinds of attacks that someone could do if they were able to get
malicious software on the machine. We'll talk about some of the things that
we actually tried in the research project when we come back.
If the attacker can change the software on the machine there's almost no end to what,
what sorts of malicious tampering he can do.
The most obvious desire would be to change the votes stored on the machine.
But there are a few ways you could go about doing that.
I'm going to explain, the, the mech, the mechanisms for cheating that, we actually
demonstrated in the research project. We developed an application that can be
loaded onto the machine by exploiting any of those design flaws I talked about.
And runs on top of windows along side the ballot station interface.
It hides in the background so there's nothing normally on the screen, unless the
attacker invokes a special control screen that gives them an option to set the
election result. Using this interface you can pick who's
going to win, and by how much. The stuffer application will then continue
to hide in the background, and as it runs, it monitors the voting process.
Every time someone casts a vote, the Stuffer program determines whether that
vote should be changed in order to make the real, the final election outcome match
what the attacker has programmed. So the, the AccuVote has actually three
different records that reflect what's going on during voting.
In its internal memory inside the case there is a primary vote record and an
audit log. And then on that removable memory card the
machine stores a backup vote record. All of these are accessible from software
running on the machine including from the Stuffer.
So our Stuffer application changes the records in all three of these places.
At the end of the election, the Stuffer can remove itself and having changed all
of the records, there will then be no electronic evidence left in the machine
that anything was amiss. This is a, a great illustration of the
problems with fully paperless DREs. If all of the records are electronic, and
all of them can be modified from the software.
Then if that software is malicious, it can make things go wrong.