Computer scientists take over electronic voting machine with new programming technique (w/ Video)

Aug 10, 2009
UC San Diego computer science Ph.D. student Stephen Checkoway clutches a print out demonstrating that his vote-stealing exploit that relied on return-oriented programming successfully took control of the reverse engineered voting machine. Credit: UC San Diego / Daniel Kane

(PhysOrg.com) -- Computer scientists demonstrated that criminals could hack an electronic voting machine and steal votes using a malicious programming approach that had not been invented when the voting machine was designed. The team of scientists from University of California, San Diego, the University of Michigan, and Princeton University employed “return-oriented programming” to force a Sequoia AVC Advantage electronic voting machine to turn against itself and steal votes.

“Voting machines must remain secure throughout their entire service lifetime, and this study demonstrates how a relatively new programming technique can be used to take control of a voting machine that was designed to resist takeover, but that did not anticipate this new kind of malicious programming,” said Hovav Shacham, a professor of computer science at UC San Diego’s Jacobs School of Engineering and an author on the new study presented on August 10, 2009 at the 2009 Electronic Voting Technology Workshop / Workshop on Trustworthy Elections (EVT/WOTE 2009), the premier academic forum for voting security research.

In 2007, Shacham first described return-oriented programming, which is a powerful systems security exploit that generates malicious behavior by combining short snippets of benign code already present in the system.

This video is not supported by your browser at this time.
Computer scientists led by Hovav Shacham, a UC San Diego professor, hacked an electronic voting machine and stole votes using a malicious programming approach that had not been invented when the voting machine was designed. The computer scientists employed "return-oriented programming" to force a Sequoia AVC Advantage electronic voting machine to turn against itself and steal votes. Credit: UC San Diego Jacobs School of Engineering

The new study demonstrates that return-oriented programming can be used to execute vote-stealing computations by taking control of a voting machine designed to prevent code injection. Shacham and UC San Diego computer science Ph.D. student Stephen Checkoway collaborated with researchers from Princeton University and the University of Michigan on this project.

“With this work, we hope to encourage further public dialog regarding what voting technologies can best ensure secure elections and what stop gap measures should be adopted if less than optimal systems are still in use,” said J. Alex Halderman, an electrical engineering and computer science professor at the University of Michigan.

The computer scientists had no access to the machine’s source code—or any other proprietary information—when designing the demonstration attack. By using just the information that would be available to anyone who bought or stole a voting machine, the researchers addressed a common criticism made against voting security researchers: that they enjoy unrealistic access to the systems they study.

“Based on our understanding of security and computer technology, it looks like paper-based elections are the way to go. Probably the best approach would involve fast optical scanners reading paper ballots. These kinds of paper-based systems are amenable to statistical audits, which is something the election security research community is shifting to,” said Shacham.

“You can actually run a modern and efficient election on paper that does not look like the Florida 2000 Presidential election,” said Shacham. “If you are using electronic voting machines, you need to have a separate paper record at the very least.”

Last year, Shacham, Halderman and others authored a paper entitled “You Go to Elections with the Voting System You have: Stop-Gap Mitigations for Deployed Voting Systems” that was presented at the 2008 Electronic Voting Technology Workshop.”

“This research shows that voting machines must be secure even against attacks that were not yet invented when the machines were designed and sold. Preventing not-yet-discovered attacks requires an extraordinary level of security engineering, or the use of safeguards such as voter-verified paper ballots,” said Edward Felten, an author on the new study; Director of the Center for Information Technology Policy; and Professor of Computer Science and Public Affairs at Princeton University.

Return-Oriented Programming Demonstrates Voting Machine Vulnerabilities

To take over the voting machine, the computer scientists found a flaw in its software that could be exploited with return-oriented programming. But before they could find a flaw in the software, they had to reverse engineer the machine’s software and its hardware—without the benefit of source code.

Princeton University computer scientists affiliated with the Center for Information Technology Policy began by reverse engineering the hardware of a decommissioned Sequoia AVC Advantage electronic voting machine, purchased legally through a government auction. J. Alex Halderman—an electrical engineering and computer science professor at the University of Michigan (who recently finished his Ph.D. in computer science at Princeton) and Ariel Feldman—a Princeton University computer science Ph.D. student, reverse-engineered the hardware and documented its behavior.

It soon became clear to the researchers that the voting machine had been designed to reject any injected code that might be used to take over the machine. When they learned of Shacham’s return-oriented programming approach, the UC San Diego computer scientists were invited to take over the project. Stephen Checkoway, the Ph.D. student at UC San Diego, did the bulk of the reverse engineering of the voting machine’s software. He deciphered the software by reading the machine’s read-only memory.

Simultaneously, Checkoway extended return-oriented programming to the voting machine’s processor architecture, the Z80. Once Checkoway and Shacham found the flaw in the voting machine’s software—a search which took some time—they were ready to use return-oriented programming to expose the machine’s vulnerabilities and steal votes.

The computer scientists crafted a demonstration attack using return-oriented programming that successfully took control of the reverse engineered software and hardware and changed vote totals. Next, Shacham and Checkoway flew to Princeton and proved that their demonstration attack worked on the actual voting machine, and not just the simulated version that the computer scientists built.

The computer scientists showed that an attacker would need just a few minutes of access to the machine the night before the election in order to take it over and steal votes the following day. The attacker introduces the demonstration attack into the machine through a cartridge with maliciously constructed contents that is inserted into an unused port in the machine. The attacker navigates the machine’s menus to trigger the vulnerability the researchers found. Now, the malicious software controls the machine. The attacker can, at this point, remove the cartridge, turn the machine’s power switch to the “off” position, and leave. Everything appears normal, but the attacker’s software is silently at work.

When poll workers enter in the morning, they normally turn this type of voting machine on. At this point, the exploit would make the machine appear to turn back on, even though it was never actually turned off.

“We overwrote the computer’s memory and state so it does what we want it to do, but if you shut off the machine and reboot from ROM, the exploit is gone and the machine returns to its original behavior,” explained Checkoway.

The computer scientists tested a machine that is very similar to machines that are used today in New Jersey and Louisiana. These New Jersey and Louisiana machines may have corrected the specific vulnerabilities the computer scientists exploited, but they have the same architectural limitations. The researchers highlight the possibility that current voting machines will be vulnerable to return-oriented programming attacks similar to the attack demonstrated in this study.

“This work shows how difficult it is to design voting machines that will remain secure over time. It’s impossible to anticipate what new kinds of attacks will be discovered in the future,” said Halderman.

More information:

Related publications:

J.A. Halderman, E. Rescorla, H. Shacham, and D. Wagner. “You Go to Elections with the Voting System You Have: Stop-Gap Mitigations for Deployed Voting Systems.” In D. Dill and T. Kohno, eds., Proceedings of EVT 2008. USENIX/ACCURATE, July 2008. cseweb.ucsd.edu/~hovav/papers/hrsw08.html

R. Roemer, E. Buchanan, H. Shacham, and S. Savage. “Return-Oriented Programming: Systems, Languages, and Applications.” 2009. In review. cseweb.ucsd.edu/~hovav/papers/rbss09.html

E. Buchanan, R. Roemer, H. Shacham, and S. Savage. “When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC.” In P. Syverson and S. Jha, eds., Proceedings of CCS 2008, pages 27-38. ACM Press, Oct. 2008. cseweb.ucsd.edu/~hovav/papers/brss08.html

Source: University of California - San Diego (news : web)

Explore further: Using 'Big Data' approach to map relationships between human and animal diseases

add to favorites email to friend print save as pdf

Related Stories

Review finds potential flaws in voting systems

Jul 30, 2007

Flaws that leave electronic voting machines vulnerable to security attacks were discovered by University of California researchers as part of an unprecedented "Top-to-Bottom Review" of the systems commissioned by California ...

The Web: Internet voting still a long way off?

Sep 28, 2005

Some of the recommendations to improve electronic voting technology made by the election reform commission headed by former President Jimmy Carter and former Secretary of State James Baker provide only "marginal" improvements ...

Human factors researchers test voting systems for seniors

Dec 27, 2007

Human factors researchers at Florida State University have identified ways to improve electronic voting accuracy among older voters while also shortening waiting time at the polls. The results of their study were published ...

Recommended for you

User comments : 7

Adjust slider to filter visible comments by rank

Display comments: newest first

Mudshark
5 / 5 (1) Aug 10, 2009
I've been a precinct inspector for a county in Arizona for several years. Arizona has about a secure and fair system as you can have. We switched from punch card to optical scanners over 20 years ago and the election committee's have always had equal number of party members of any party getting over 15% of the vote. All positions at the voting locations alternate with different parties for checks and balances. You can have fair voting, if you want to. Peter W.
Caliban
1 / 5 (2) Aug 11, 2009
It has already been demonstrated just how easily all the different brands of these machines can be tampered with at various stages before, during, and after the voting process. Non-partisan or bi-partisan supervision is not the issue. The issue is that it only takes the intvention of a single human being to affect the outcome of the voing of thousands or millions of voters. This is far and away more difficult to accomplish with mechanical vote-counting devices.
PaulLove
not rated yet Aug 11, 2009
As all the parties getting more than 15% of the vote have worked so hard to convince everyone that the other party cheats and is dishonest is it really any surprise that most people tend to believe that any party that has gotten more than 15% of the vote cheats and is dishonest?

This demonstrates that you don't require collusion to affect the vote just a single rabid party member with the correct skills.
AmericanDude61
not rated yet Aug 12, 2009

ALL computer systems can be hacked one way or another. It's just a matter of time for a talented team to crack it.
VOR
5 / 5 (1) Aug 14, 2009
the votes of lawmakers are public information. We have an existing culture of privacy in citizen voting. I for one would not mind having my votes being in a centralized system that I could privately access and confirm my votes went the way I intended. This would of course counter poll fraud/tampering etc. Yes there would be risk of my vote becoming known by hacking the encryption etc, but I would be willing to take that risk. A pure discussion of voting privacy is another topic, as I am acually taking about a private record. But I think the idea of non-private voting should not be so taboo. While I understanding the thinking behind privacy, I dont think its so overwhemingly obvious that its better and makes for a better result. 'Freedom from coersion' in voting is what I've commonly heard as reason for privacy (like from your boss, spouse etc). But there is the other side of that coin called 'taking responsibility for your vote'. By your vote being known there would be less 'unqualified' voting. You might be asked to explain by someone you know why you voted for who you did. That would potentially increase political conversation, knowledge, and involvment, all of which are lacking in the general public. But back to the topic of fraud.. I think unless we have such vote confirmation measures (probably never will), WE SHOULD HAVE ONLY PAPER BALLOTS. COMPUTER VOTING WITH NO PAPER TRAIL IS A RECIPE FOR FRAUD. Take action on this important topic.
KBK
3 / 5 (1) Aug 15, 2009
Voting is too important to allow computers to handle it. no paper trail. Make sure you fight for pure paper voting, with actual traceable and countable records being kept.

Computer voating was pushed forward by a desire to commit fraud: It really is that simple.
Caliban
1 / 5 (2) Aug 15, 2009
VOR- agree with the ALLCAPS. The purpose of private balloting, however, is so that no one will know who you vote for, thereby, hopefully, reducing the chances that someone will(at the polling place) try to coerce you to vote a certain way, or even administer a severe beat-down or even lynch your ass. The idea of a centralized vote database/record, where individual voters could verify that their votes were properly accounted for is one that I like as well, but also susceptible to tampering. If it can be hacked, it will be hacked-given sufficient motivation.