Researchers at the University of California San Diego, Princeton University and the University of Michigan have demonstrated a method to compromise and alter the tallies of Sequoia AVC Advantage voting machines. They presented their results at the Usenix 2009 Electronic Voting Workshop, held in Montreal this week. They used a method called return-oriented programming to modify voting tallies on the machines. They did this without access to the source code or the hardware designs.
Quoting from an article in The Register:
Sequoia and manufacturers of other brands of e-voting machines frequently discount vulnerability research into their products by pointing out that the underlying source code is closely guarded. Researchers in many studies, they argue, have unrealistic access to the devices’ inner workings.
“What we have shown or what I hope we have shown in this paper is that that criticism is untrue,” Hovav Shacham, a professor at UC San Diego, told The Register. “It might take a little more work if we don’t have the source, but nevertheless we’re able to find vulnerabilities and exploit them in useful ways in machines where the only access we have is the physical artifacts themselves.”
The same method has been demonstrated to defeat security measures in Linux, OpenBSD and Solaris. In return-oriented programming, snippets of benign code already present in the system are combined to produce malicious behaviour. Using this method, the researchers were even able to demonstrate that they could alter the outcome of elections.
The development, certification and procurement cycle for voting machines is slow. The design of the Sequoia AVC Advantage dates back to the early 1980s, and many are still used in New Jersey, Louisiana, and elsewhere. The machines used to develop and test the exploit were bought on a Buncombe County, North Carolina government surplus auction web site.
Using bright lights, magnifying glasses, a low voltage continuity tester and data sheets for the components, team members were able to develop a circuit diagram of the hardware of the voting machine. From that they were able to deduce how the unit worked. Then they used a disassembler to fill in the remaining details.
Joshua Herbach used the hardware functional specifications to develop a simulator, which other team members then improved upon. The exploit was developed entirely on the simulator, returning to the actual hardware only to verify it. The exploit worked the first time they tried it.
The researchers have demonstrated that newly developed methods for exploiting systems put otherwise secure systems at risk.
