How not to build an electronic voting system

Quentin Kaiser
Hack.lu 2015
October 21, 2015



$ whoami

Quentin Kaiser
Security Engineer | Penetration Tester

www.quentinkaiser.be QKaiser

Disclaimer

This research was prepared and accomplished in my personal capacity. The opinions expressed in this talk are my own and do not reflect the view of past, current, or future employer.

Outline

- Introduction
- Evoting Systems in Belgium
- Building Secure Voting Systems
- CODI
  - Polling stations
  - Network infrastructure
  - Web Applications
- Smartmatic
  - Election Configuration Manager
  - PV-VM
- Conclusions

Introduction

Evoting Systems in Belgium
Historical Background

"I think your crypto is broken" - King Albert II

Evoting Systems in Belgium
Historical Background

- 1991 - first experiment in two townships
- 1994 - expanded to 20% of electorate
- 1999 - expanded to 44% of electorate, introduction of OCR counting
- 2003 - first experiment with ticketing in two townships
- 2007 - BeVoting report
- 2012 - Introduction of Smartmatic systems

Cryptographically Secure Voting Systems

Building secure voting systems is complex.
- Confidentiality
- Non repudiation
- Authenticity
- Integrity
- Non coercion
- Uniqueness
- Audit trail
- Simplicity
- Equity
- Verifiability

Threat Model

And people are out there to get you. [1]

[1] Security Analysis of the Estonian Internet Voting System


CODI

CODI encompasses multiple evoting components:
- Jites
- Digivote
- PGM2
- PGM3
- Election Management System

CODI
Voting booths

Authentication & Authorization
- polling station president initializes software with a password
- password verified with checksum

[Figure: password positions 0 1 2 3 4 5 6 7 8 9, with the labels "fullPasswordValue", "extension" and "Password checksum"]

CODI
Voting booths

Integrity Protection
- floppy disk content integrity is checked

CODI
Voting booths

Vote casting
- bug2505 explored by @doegox [2]

[2] http://www.poureva.be/spip.php?article853

CODI
Ballot boxes

Magnetic card layout

- token (5 bytes) - uniquely identify a polling station
- passage (1 byte) - boolean for vote casting
- MAC [3] (4 bytes) - ensure integrity and authenticity of vote
- test (1 byte) - identify voter type (N, E, S)
- vote (2 + x bytes) - vote value

[3] ISO-9797-1, Algo 2 / Padding 2

CODI
Ballot boxes

Fraud detection
- Byte length - Sanity check
- Token - Ensure vote was cast in same polling station
- MAC - Ensure integrity and authenticity of vote
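The card layout and the three fraud-detection checks above, written out as a record parser and validator. This is an added example, not code from the talk or from the CODI software: the field order on the card, the MAC covering only the vote bytes, the expected-length parameter and all names are assumptions, and truncated HMAC-SHA-256 stands in for the ISO 9797-1 MAC.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Field widths from the "Magnetic card layout" slide. Assumption: the fields
# sit on the card in the order the slide lists them.
TOKEN_LEN, PASSAGE_LEN, MAC_LEN, TEST_LEN, MIN_VOTE_LEN = 5, 1, 4, 1, 2
HEADER_LEN = TOKEN_LEN + PASSAGE_LEN + MAC_LEN + TEST_LEN  # 11 bytes
VOTER_TYPES = (b"N", b"E", b"S")


@dataclass(frozen=True)
class Card:
    token: bytes       # identifies the polling station
    passage: int       # flag for vote casting
    mac: bytes         # 4-byte tag
    voter_type: bytes  # the "test" byte: N, E or S
    vote: bytes        # 2 + x bytes


def parse_card(raw: bytes) -> Card:
    """Split a raw record into its fields; raise ValueError if malformed."""
    if len(raw) < HEADER_LEN + MIN_VOTE_LEN:
        raise ValueError("record shorter than fixed fields plus 2 vote bytes")
    card = Card(token=raw[0:5], passage=raw[5], mac=raw[6:10],
                voter_type=raw[10:11], vote=raw[11:])
    if card.voter_type not in VOTER_TYPES:
        raise ValueError("unknown voter type")
    return card


def stand_in_mac(key: bytes, vote: bytes) -> bytes:
    """Stand-in for the card MAC: HMAC-SHA-256 truncated to 4 bytes.

    Assumption: the tag covers the vote bytes only.
    """
    return hmac.new(key, vote, hashlib.sha256).digest()[:MAC_LEN]


def build_card(token: bytes, passage: int, voter_type: bytes,
               vote: bytes, key: bytes) -> bytes:
    """Serialise a record the way a voting booth would (constructed format)."""
    return token + bytes([passage]) + stand_in_mac(key, vote) + voter_type + vote


def check_card(raw: bytes, station_token: bytes, key: bytes,
               expected_len: int) -> str:
    """Apply the three checks in the order the slide lists them."""
    # 1. Byte length: sanity check against the length this election expects.
    if len(raw) != expected_len:
        return "bad-length"
    try:
        card = parse_card(raw)
    except ValueError:
        return "malformed"
    # 2. Token: the card must come from this polling station.
    if not hmac.compare_digest(card.token, station_token):
        return "wrong-station"
    # 3. MAC: constant-time comparison of the stored and recomputed tag.
    #    This only proves origin if the key cannot be guessed or enumerated;
    #    anyone holding the key can produce records that pass all three checks.
    if not hmac.compare_digest(card.mac, stand_in_mac(key, card.vote)):
        return "bad-mac"
    return "ok"


# Constructed sample values, not real election data.
STATION_TOKEN = b"ST001"
STATION_KEY = bytes(range(16))
SAMPLE_CARD = build_card(STATION_TOKEN, 0, b"N", b"\x00\x03\x07", STATION_KEY)

if __name__ == "__main__":
    print(check_card(SAMPLE_CARD, STATION_TOKEN, STATION_KEY, len(SAMPLE_CARD)))
```

In a design that avoids the weakness discussed in this talk, the MAC key comes from a CSPRNG (for example `secrets.token_bytes(16)`) rather than from a password, and the tag is not truncated to 4 bytes.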

CODI - Ballot boxes
Bypassing fraud detection

Step 1 - Byte length

CODI - Ballot boxes
Bypassing fraud detection

Step 2 - Token recovery


CODI - Ballot boxes
Bypassing fraud detection

Step 3 - MAC key recovery

- read MAC and vote values off a magnetic card
- foreach 10^4 possible password combinations
  1. derive key from password combination
  2. compute MAC with derived key
  3. compare computed MAC with magnetic card’s MAC

Byproduct of MAC key recovery: you also recovered 6 bytes out of 10 of the polling station’s president password.

CODI
Ballot boxes

Fraud detection
- Byte length - Done
- Token - Done
- MAC - Done

Being able to create rogue magnetic cards breaks:
- non-coercion (vote buying activities)
- uniqueness (ballot stuffing)

CODI - Ballot boxes
Secure vote storage

- Votes are stored in temporary file during election process
- temporary file encrypted with AES on polling station closing

CODI - Ballot boxes
Secure vote storage

Temporary file
- "encrypt" each vote with XOR cipher
- randomness of vote position is heavily questioned

CODI - Ballot boxes
Secure vote storage

Temporary file
- XOR filter easily recoverable by brute force or offline attack (see fraud detection bypass)


CODI
PGM

PGM2 & PGM3
- Microsoft Windows executables
- rely on obscure software (GuptaSQL, anyone ?)
- did not manage to execute them properly :(

Expected behavior:
- generate minutes as PDF file
- PDF file signed with polling station president eID
- encode votes into undocumented "Format F" format
- minutes PDF + "Format F" content sent to central server

CODI
Secure Vote Transmission

Zipping deeper


CODI
Election Management System

aka OWASP Top 10

CODI
Election Management System

- Web1 : encoding of lists, candidates, polling stations, ...
- Web2 : used by Belgian embassies to transmit votes
- Web3 : Ministry of home affairs intranet webapp holding election results
- Web4 : logging and monitoring of Websomething
- Web5 : webapp that hosts results, available to the general public
- Loc1 : reception of "format F" files and transmission to Loc2
- Loc2 : results verification, loading in database, transmission to Loc3
- Loc3 : transmission of results to different partners (mostly press, hopefully)

CODI
Election Management System

Information leak


CODI
Election Management System

Keeping your private key private

CODI
Election Management System

Storing passwords in plaintext

CODI
Election Management System

Arbitrary file download
- discovered unauthenticated arbitrary file download on Web1
- downloaded the script itself to look at it
- "StackOverflow copy/pasta"


CODI
Election Management System

Disclosure timeline:
- 07/2014: first mail to notify Civadis about infoleak
- 07/2014: second email to notify Civadis about private keys
- 08/2014: third email to notify Civadis about arbitrary file download
- 01/09/2014: email again, this time I cc the IBZ
- 02/09/2014: answer from Civadis, I replied back explaining impact
- 03/09/2014: "no impact, it’s a backup server" [4]
- 05/09/2014: Civadis deactivates the accounts
- 10/09/2014: Civadis shuts down those servers

[4] but it’s not, I can prove it

Smartmatic

Speaking of coordinated disclosure ...


Smartmatic

Smartmatic provides two systems:
- ECM - Election Configuration Manager
- PM-VM - Voting machines (vote casting + ballot boxes)

Due to limited time, I only managed to look at ECM (for now).

Smartmatic
Election Configuration Manager

Highlights
- 3 Ubuntu hosts running Linux 2.6.38-8-generic
- each host provided as an .iso file online

- ECM DB (PostgreSQL)
- ECM server (JBoss)
- ECM client (Java client)

Smartmatic
Election Configuration Manager

Getting access to those f***ing boxes
- no credentials in documentation
- no SSH
- no shell for saes (default user)

I ended up doing this:
- mount iso
- copy to get read/write access
- modify smartmatic seed file to set my own root password
- repackage iso
- install in VM, login, usual post exploitation commands

Election Configuration Manager

Well thought hardening:
- no remote access (rsh, telnet, ssh, whatever)
- file permissions are well set
- iptables config is not great, but good enough
- sudoers file limits capabilities of saes user
- security/access.conf to disable access
- no password for builtin users (e.g. postgres)
- loading of arbitrary remote classes disabled in RMI server
- access to PostgreSQL limited to whitelisted IP

Election Configuration Manager

However...
- PostgreSQL traffic is unencrypted
- No password on PostgreSQL users (ecm, postgres)

Messing with the elections in 4 steps:
1. gain physical access to network
2. ARP spoofing JBoss host and PostgreSQL host
3. connect to PostgreSQL server assuming JBoss host IP
4. dump database, gain RCE as postgres with UDF
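A check a defender can run on a PostgreSQL host for the two weaknesses listed above, as an added example that is not from the talk or from Smartmatic's code: it parses pg_hba.conf and flags rules that accept connections without TLS or that rely on the client address alone. The sample file, its addresses and the finding names are constructed; that the ECM expressed its IP whitelist as `trust` rules is an assumption.

```python
import ipaddress

# Constructed pg_hba.conf modelled on the findings above (access limited to
# whitelisted IPs, no passwords, no TLS). It is not the real ECM file and the
# addresses are documentation-range placeholders.
SAMPLE_PG_HBA = """\
# TYPE   DATABASE  USER      ADDRESS                      METHOD
local    all       postgres                               trust
host     ecm       ecm       192.0.2.10/32                trust
host     all       postgres  192.0.2.10  255.255.255.255  trust
hostssl  ecm       ecm       192.0.2.10/32                scram-sha-256
"""

PLAINTEXT_TYPES = {"host", "hostnossl"}   # rule matches connections without TLS
NETWORK_TYPES = PLAINTEXT_TYPES | {"hostssl"}


def is_ip(text):
    """True if text is a bare IPv4/IPv6 address (no prefix length)."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_rule(line):
    """Return a dict for one pg_hba.conf record, or None for blank/comment lines.

    Simplified parser: quoted fields and include directives are not handled.
    """
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    conn_type = fields[0]
    if conn_type == "local":
        if len(fields) < 4:
            raise ValueError("incomplete local record: %r" % line)
        address, rest = None, fields[3:]
    else:
        if len(fields) < 5:
            raise ValueError("incomplete network record: %r" % line)
        address, rest = fields[3], fields[4:]
        # Old-style records give the netmask in a separate column.
        if len(rest) >= 2 and is_ip(address) and is_ip(rest[0]):
            address, rest = address + "/" + rest[0], rest[1:]
    return {"type": conn_type, "database": fields[1], "user": fields[2],
            "address": address, "method": rest[0]}


def audit(conf_text):
    """Return (line_number, finding) pairs for network rules that need fixing."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule is None or rule["type"] not in NETWORK_TYPES:
            continue
        if rule["type"] in PLAINTEXT_TYPES:
            # Queries and results can cross the network unencrypted.
            findings.append((lineno, "PLAINTEXT_ALLOWED"))
        if rule["method"] == "trust":
            # The address column is the only gate, and a source IP on a
            # shared network segment is not a credential.
            findings.append((lineno, "ADDRESS_ONLY_AUTH"))
        elif rule["method"] == "password" and rule["type"] in PLAINTEXT_TYPES:
            findings.append((lineno, "CLEARTEXT_PASSWORD"))
    return findings


if __name__ == "__main__":
    for lineno, finding in audit(SAMPLE_PG_HBA):
        print("line %d: %s" % (lineno, finding))
```

A rule that passes this check uses `hostssl` together with a password-based or certificate method, as in the last line of the sample.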

Smartmatic
PM-VM

Maybe for next year !

Conclusions

Don’t believe the hype.
- CODI system was broken from day 1
- Smartmatic system also has its flaws

We need a serious audit of the Election Management System.

Q&A

Thank you for your attention. Any questions ?

References I

- Affront, Affront analysis of 2003/2004 versions of digivote, Affront (2004).
- D. Wagner, C. Karlof, N. Sastry, Cryptographic voting protocols: A systems perspective, 14th USENIX Security Symposium.
- Internet Policy Institute, Voting systems design criteria. Report of the national workshop on internet voting: Issues and research agenda.
- Jason Kitcat, Margaret MacAlpine, Travis Finkenauer, Drew Springall, J. Alex Halderman, Harri Hursti, Security analysis of the Estonian internet voting system.
- LaLibre.be, Le parlement wallon se prononce en faveur de la fin du vote électronique en belgique, 6 2015.

References II

- Medor Mag, Le jour où la belgique a bugué, 5 2015.
- Oladiran Tayo Arulogun, Olayemi Mikail Olaniyi, Adeoye Oludotun and Elijah Olusayo Omidior, Design of secure electronic voting system using multifactor authentication and cryptographic hash functions, International Journal of Computer and Information Technology (2013).
- PourEVA, Comment frauder lors d’une élection communale sans trop de connaissances informatiques ?, 11 2006.
- PourEVA, Victoire de la transparence au conseil d’etat, 5 2011.
- PourEVA, Généalogie du code source des systèmes digivote et jites, 6 2014.
- PourEVA, On vous dit tout ce que l’on sait du bug2505, 6 2014.