6.1 Sequoia
The red team analyzing the Sequoia system identified several issues. They fall into
several classes:
1. Physical Security. The testers were able to gain access to the internals of the systems
by, for example, unscrewing screws to bypass locks. The screws were not protected
by seals. Similarly, plastic covers that were protected by seals could be pried open
enough to insert tools that could manipulate the protected buttons without damaging
the seals or leaving any evidence that the security of the system had been
compromised.
2. Overwriting Firmware. The testers discovered numerous ways to overwrite the
firmware of the Sequoia Edge system, using (for example) malformed font files and
doctored update cartridges. The general approach was to write a program into
memory and use that to write the corrupt firmware onto disk. At the next reboot, the
boot loader loaded the malicious firmware. At this point, the attackers controlled the
machine, and could manipulate the results of the election. No source code access was
required or used for this attack, and a feature of the proprietary operating system on
the Edge made the attack easier than if a commercial operating system had been used.
3. Overwriting the Boot Loader. Just as the testers could overwrite firmware on the
disk, they could overwrite the boot loader and replace it with a malicious boot loader.
This program could then corrupt anything it loaded, including previously uncorrupted
firmware.
4. Detecting Election Mode. The firmware can determine whether the system is in test
mode (LAT) or not. This means malicious firmware can respond correctly to the
pre-election testing and incorrectly to the voters on Election Day.
5. Election Management System. The testers were able to bypass the Sequoia WinEDS
client controlling access to the election database, and access the database directly.
They were able to execute system commands on the host computer with access only
to the database. Further, the testers were able to exploit the use of the autorun feature
to insert a malicious program onto the system running the Sequoia WinEDS client;
this program would be able to detect the insertion of an election cartridge and
configure it to launch the above attacks when inserted into an Edge.
6. Presence of an Interpreter. A shell-like scripting language interpreted by the Edge
includes commands that set the protective counter, the machine’s serial number,
modify the firmware, and modify the audit trail.
7. Forging materials. Both the update cartridges and voter cards could be forged.
The report presents several scenarios in which these weaknesses could be exploited to
affect the correct recording, reporting, and tallying of votes.
6.2 Diebold
The team investigating the Diebold system identified several issues. They fall into several
classes:
1. Election Management System. The testers were able to penetrate the GEMS server exploiting vulnerabilities in the Windows operating system as delivered
and installed by Diebold. Once this access was obtained, they were able to bypass the
GEMS server to access the data directly. Further, the testers were able to take
security-related actions that the GEMS server did not record in its audit logs. Finally,
with this level of access, the testers were able to manipulate several components
networked to the GEMS server, including loading wireless drivers onto the GEMS
server that could then be used to access a wireless device plugged surreptitiously into
the back of the GEMS server.
2. Physical Security. The testers were able to bypass the physical controls on the
AccuVote Optical Scanner using ordinary objects. The attack caused the AV-OS unit
to close the polls, meaning the machine could not tally ballots at the precinct or
inform voters whether they had “over-voted” their ballot. Similarly, the testers were
able to compromise the AccuVote TSx completely by bypassing the locks and other
aspects of physical security using ordinary objects. They found an attack that will
disable the printer used to produce the VVPAT in such a way that no reminders to
check the printed record will be issued to voters.
3. AccuVote TSx. The testers found numerous ways to overwrite the firmware in the
AccuVote TSx. These attacks could change vote totals, among other results. The
testers were able to escalate privileges from those of a voter to those of a poll worker
or central count administrator. This enabled them to reset an election, issue
unauthorized voter cards, and close polls. No knowledge of the security keys was
needed.
4. Security Keys for Cryptography. The testers discovered that a well-known static
security key was used by default.
The report presents several scenarios in which these weaknesses could be exploited to
affect the correct recording, reporting, and tallying of votes.
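The firmware and boot loader overwrites in points 2 and 3 of 6.1 and point 3 of 6.2 share one root cause: at reboot the loader runs whatever image sits on writable storage. The Go program below is an added example, not code from the TTBR report, from Sequoia or from Diebold. It contrasts that behaviour with a loader that refuses any image whose Ed25519 signature does not verify under a vendor key assumed to be burned into ROM. The Storage and ROM types, their field names, the update-cartridge workflow and the sample images are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Storage models what the testers could reach with physical access: the
// writable disk holding the firmware image (assumed layout).
type Storage struct {
	Firmware    []byte
	FirmwareSig []byte // Ed25519 signature over Firmware (assumed field)
}

// ROM models what a corrected design keeps out of the attacker's reach: the
// vendor's firmware-signing public key, fixed at manufacture (assumed).
type ROM struct {
	VendorKey ed25519.PublicKey
}

var ErrBadSignature = errors.New("firmware image rejected: signature does not verify under ROM key")

// bootUnverified is the behaviour the report describes: whatever image is on
// disk is loaded at the next reboot, so an image written by a doctored
// cartridge or a malformed font file is simply executed.
func bootUnverified(s *Storage) string {
	return fmt.Sprintf("running firmware %x", sha256.Sum256(s.Firmware))
}

// bootVerified is the added check: the loader refuses any image whose
// signature does not verify under the key held in ROM. It only helps if the
// loader itself cannot be overwritten, which is the point 3 finding in 6.1.
func bootVerified(rom *ROM, s *Storage) (string, error) {
	if !ed25519.Verify(rom.VendorKey, s.Firmware, s.FirmwareSig) {
		return "", ErrBadSignature
	}
	return fmt.Sprintf("running firmware %x", sha256.Sum256(s.Firmware)), nil
}

// signFirmware is the vendor-side step that produces a legitimate update
// cartridge (assumed workflow, not described in the report).
func signFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// applyCartridge models writing an update cartridge's contents onto disk.
func applyCartridge(s *Storage, image, sig []byte) {
	s.Firmware = image
	s.FirmwareSig = sig
}

// tamper models altering the on-disk image; it returns a modified copy.
func tamper(image []byte) []byte {
	out := append([]byte(nil), image...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	rom := &ROM{VendorKey: vendorPub}
	disk := &Storage{}

	// Constructed sample image standing in for a genuine vendor release.
	genuine := []byte("edge firmware v1 (constructed sample image)")
	applyCartridge(disk, genuine, signFirmware(vendorPriv, genuine))
	out, err := bootVerified(rom, disk)
	fmt.Println("genuine cartridge:", out, err)

	// Doctored cartridge: modified image, original signature left in place.
	applyCartridge(disk, tamper(genuine), disk.FirmwareSig)
	fmt.Println("doctored cartridge, unverified loader:", bootUnverified(disk))
	_, err = bootVerified(rom, disk)
	fmt.Println("doctored cartridge, verified loader:", err)

	// Attacker signs their own image with their own key: still rejected,
	// because only the vendor key is in ROM.
	evil := []byte("attacker firmware (constructed sample image)")
	applyCartridge(disk, evil, signFirmware(attackerPriv, evil))
	_, err = bootVerified(rom, disk)
	fmt.Println("attacker-signed cartridge, verified loader:", err)
}
```

The check is only as strong as the place the checker lives. If the verifying loader stays on writable disk, an attacker with the access the report describes replaces it with one that behaves like bootUnverified and the signature is never examined; the loader must sit in ROM or be verified by an earlier stage that does. Signature verification also says nothing about what a legitimately signed image does once running, so it does not address the LAT-detection finding in point 4 of 6.1.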
more at:
http://www.sos.ca.gov/elections/voting_systems/ttbr/red_overview.pdf

*edited to add note to mods: This is public information taken straight from the SOS site; I do believe it is exempted from the copyright limitations, however if not, then please modify as needed.