CSW2017 Harri hursti csw17 final

© 2016 Nordic Innovation Labs. All Rights Reserved.
November 22, 2016
Touch-and-Go Elections
How convenience has taken over security, again.
Harri Hursti

Presentation Title Goes Here
Why I am talking about this?
u  Started hacking election machines in the summer of 2005 by invitation of Election
Supervisor Ion Sancho of Tallahassee, Florida
u  Have participated 3 government sanctioned election machine security studies
u  In my opinion, the EVEREST Report commissioned by the Secretary of State Ohio
is the most important – the redacted report was 316 pages
u  Written in 2007 so it is old and claimed to be outdated
u  Studied around the world about systems used in other countries
u  In the recent US Presidential election participated as an expert witness in 3 state
lawsuits and additional Federal suits
u  … and those proceedings are not yet closed
… it is a long story

What this talk is and is not about?
u  Not an announcement of a new hack
u  Not making claims that the elections were hacked
u  This is to provide information and insights what has been going on
… just to make it clear

How it all started ...
u  2005 hack of Diebold machines
u  2007 California top-to-bottom review
u  2007 EVEREST of Ohio
u  … and that was the last wide scale independent
security review in the USA
u  After, new systems have been deployed
… and never independently reviewed
•  52 models of voting machines were
used in 2016 election
…

What kind of system they use ...

This is a simple
ballot ...

39,695 ballots

Who is responsible in the government ...
u  NIST drafts The Voluntary Voting System Guidelines (VVSG)
u  The Election Assistance Commission (EAC)
u  Independent agency of the United States government created in 2002 (HAVA)
u  Adopting voluntary voting system guidelines
u  Accrediting voting system test laboratories
u  Certifying voting equipment
u  … and a lot more with staff of 30 employees
u  2010 the EAC lost its quorum of Commissioners
u  preventing many normal operational duties
u  December 2014 the U.S. Senate confirmed 3 out of 4 Commissioners
u  Back in business … right ?
u  For a while ...
… on the Federal level

Not so much...
… this is not over yet
… but may be heading towards the end

Developments elsewhere ...
u  DMCA 6th triennial review & rulemaking 2015
u  The mechanism to get exemptions
u  Final ruling grants exemption ”for purposes of
good-faith security research” of voting machines,
effective immediately
… DMCA

How to get a real election machine?
l  It used to be
l  Still 10 years ago it was very difficult
to get any access to a voting machine
l  All these 3 models are still in use in
general elections in USA
l  … and some internationally
… That must be next to impossible?

… wait, there’s more!
l  There are companies you’d never imagine!
How about something intersting?

l  And they sell everything you need to secure
elections … like secure seals ...

l  Official seals? I am sure they wouldn’t sell those
with no questions asked to anyone by just typing
in a credit card. Right?

Oh no!
Facepalm!

Before the last year US elections Congressional hearings
… explained why elections cannot be hacked
u  ”Citizens cast their votes at a voting machine that is not connected
to the internet”
u  ”Because voting machines are not connected to the internet, a bad actor
would need to physically access hundreds of voting machines that
collect the votes.”
u  So the machines are not connected? Right?
u  Many Local Election Officials certainly believe that there is no
”Network access” even without the Internet

Sauk, WI
… reporting their election night results
u  It is a common practice and often required by the law for local
jurisdictions to report their results on the official website
u  This is the 1st page of the results published, and the only document
available for a long time
u  Weird?

Sauk, WI
u  There are more votes reported in the individual
races than the total ballots cast

Sauk, WI
u  Down the ballot the gap gets smaller

Sauk, WI
u  And after the 3rd it becomes normal ...

… fast forward 3 weeks or so
… what did the recount say?
u  Minutes of the Board of Canvassers, December 1 :
u  Clarification on election night totals was given as:
On election night after several unsuccessful attempts made by the City of Baraboo to modem-in the results from
one voting machine, the results from that machine were manually entered by staff in the Sauk County Clerk’s
office. When it appeared that the results still were not submitted, staff in the clerk’s office manually entered the
results again, resulting in the results being entered twice. The error was count at the county canvass and race
results were adjusted accordingly.
u  One machine in a city of 5777 ballots caused 2485 votes extra?
u  More importantly : Modem in results?

Meanwhile in Florida
… Actually a 1.5 years earlier ...
u  The equipment had been tested. The test had failed.
u  The addendum was published to address an issue of failing the test.

u  “Testing conducted for this request was limited in scope to only regression testing of the Verizon C2 modem
configuration.”
u  On May 11, 2015 :
u  “When the modem process started, a 'Modem Error – Connection Refused by Host' occurred.”
u  “BVSC determined that the IP address was incorrect”
u  “Both attempts resulted in an 'SFTP Error Login Fail' error message”
u  “... the vendor determined that the problem was due to the fact that configuration script in the firewall …
needed to be upgraded ...”

u  On May 14, 2015 :
u  ”BVSC received the new firewall”
u  ”.. also verifying the connection to BVSC's SFTP server from the vendor's home office ...”
u  ”This resulted the vendor discovering that a typo existed in the configuration scripts that were provided with
the new firewall.”

u  On May 18, 2015 :
u  “BVSC received the updated firewall firewall from ES&S”
u  “The modem transmission went through successfully with no errors.”
u  “As a final step, staff verified that the modemed election results yielded the expected counts.”
u  Success! In a week they sorted it out and modem was modeming without errors
u  … and there certainly was no word “Internet” anywhere, so we are good.
u  or maybe as Penn & Teller remind us, “Elvis didn't do no drugs”

… Actually a 1,5 years earlier ...
u  Voting machine marketing material says”:
“Results are sent over a secure and hardened
network. Static Internet Protocol (IP) addresses
are assigned to the modem inside each DS200.
These IPs are added to the server’s “white list”
while all other incoming IP addresses are blocked
for a secure transfer.”
u  So, what was this “The Modem” thingie anyways?
u  Footnote says : “Multitech MTSMC-C2-N3-R. 1”

u  Specifications are clear about TCP/IP functions...

… so what does this all mean?
u  Modem means something goes over TCP/IP and SFTP involving a firewall along the way
u  We all know that TCP/IP does not mean Internet, neither does SFTP
u  Neither does firewall mean Internet, on docs identified as Cisco ASA 5505
u  And certainly connecting into Verizon or Sprint LTE data service does not mean Internet
u  Netgear Zing and Jetpack 4G LTE MiFi/WiFi dongles are mentioned as alternatives to the 'Modem' regional
results
u  … and a bad actor cannot go evil without physical access ...
u  There are no specific IP addresses mentioned in those public documents
u  FTP software is mentioned for secure FTP :
u  Server : Cerebus 6.0.7.1
u  Client : IPSwitch WS_FTP 12.4.1
u  (Client side system requires RMCOBOL 12.06 runtime =)

… so what does it all mean?
u  The actual certificate document lists also 3 wireless USB LTE devices:
u  USB551L
u  Netgear 341U
u  Netgear 340U
u  USB memory sticks, CF cards, etc
u  Anti-virus software is mentioned as optional
u  (as the computers are not connected to a network, right?)

… so what does it all mean?
u  Everyone in this room can agree that someone should take a serious look into these newer systems?

At least it's decentralized
… and single place can only cause very limited damage
u  ”The Center for Election Systems is a unique project impacting
all facets of Georgia's elections. It tests every voting machine
used in the state, creates all federal, state and local ballots and
houses the voter rolls for every district in Georgia.”
u  Georgia is a single vendor environment
u  Central Election Management System servers are supported
by staff from the University.
u  … and it is not a unique approach to have a 3rd party
handle a lot of the activities the public assumes are the
responsibilities of the officials ...

At least it's decentralized
… and single place can only cause very limited damage
u  Across the USA in many cases, the actual programming of
the voting machines is done by 10-20 employee shops
u  Literally in a strip mall, and without any basic security
u  … while the Georgia outsource partner is a major university which
is well funded and well prepared compared to its peers ...

What are the hot topics going forward?
… where is the gold rush now?
u  Internet voting concepts keep on coming back.
u  The newest snake oil is blockchain voting
u  Electronic pollbooks are attracting a lot of attention
u  Those systems have to be real-time synchronized, and therefore networked
u  Some systems vendors are pushing are virtual screen sharing systems from a central location

Housekeeping item, about those recounts
… what happened?
u  Wisconsin – Recounted statewide, through not all by hand
u  51 counties counted by hand, 9 by re-scanning (!), 12 by a combination
u  11,883 votes were corrected (over half of the margin of victory was erased!)
u  Michigan – Halted after 3 days under opposition from state and the winning candidate
u  10 counties finished, 12 started but not finished (out of 83)
u  Pennsylvania – Defeated in federal court under opposition from state and the winning candidate
u  One county (out of 67) recounted by hand only 143 of its 228 precincts
u  No published results. No information available.

Housekeeping item, about those recounts
… what happened?
u  There was no evidence detected for an attack.
u  Only in Wisconsin the probability to have detected an attack was meaningful
u  part of the votes were recounted by rescanning them and therefore in case of a hack...
u  Important information learned about vulnerabilities!
u  Fun numbers. The USA has:
u  200 million registered voters
u  13,000 voting jurisdictions
u  187,000 election precincts
u  52 models of voting machines were used in 2016 election

Acknowledgements
… to the partners in preventing crimes
u  Alex Halderman
u  Matt Bernhard
u  Margaret MacAlpine
u  Justin Moore
u  … and many others

Thank you! Q&A

CSW2017 Harri hursti csw17 final

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à CSW2017 Harri hursti csw17 final

Similaire à CSW2017 Harri hursti csw17 final (20)

Plus de CanSecWest

Plus de CanSecWest (9)

Dernier

Dernier (20)

CSW2017 Harri hursti csw17 final