Project Omaha

Possible Attack Vectors

PEB Based Attacks

This section covers malicious actions via PEB.

Changing Votes

In the EVEREST Report, the researchers managed to craft a modified PEB that, when used to submit a vote, could swap an arbitrary number of candidates if the candidates chosen by the voter were not the ones preferred by the attacker. One of these attacks simply swaps the voter's selection, in the hope that the voter reads neither the "Summary" page shown by the iVotronic nor the receipt of their vote until after they leave the voting booth. The researchers also managed to create a second version of this PEB that did not swap the votes until moments after the voter's submission. Once a voter submitted their vote, the bad PEB could swap the voter's candidates. This change would be reflected in the Real Time Audit Log (RTAL), a Voter-Verifiable Paper Trail, but could easily be missed due to the speed at which the RTAL prints.

Fleeing Voters

"Fleeing Voters" are voters who leave the poll before their ballot is completely filled out and submitted. When a voter flees, the iVotronic sounds a chirping alarm after a period of inactivity. This signals to the poll workers that the voter has fled and that they should take the action their state requires. For example, Ohio discards the ballots of fleeing voters, while California submits the incomplete ballot.

In the case of a state such as Ohio, a PEB can be crafted in such a way that if a fleeing voter voted for the attacker's candidate, the PEB could override the chirping alarm process, and simply cast the vote. The researchers also managed to create a PEB that would fake a confirmation page if the voter had submitted a vote for a certain candidate. After a short period of time, the real confirmation page would pop up, presumably after the voter had already left the booth. Since the vote is never actually confirmed, the chirping alarm is activated, and the ballot is discarded.

iVotronic Flash Card Attacks

This section covers possible attacks through flashing bad firmware on the iVotronic Machine.

Denial of Service

A flash card can be constructed so that when the iVotronic tries to read the election image file, it continuously crashes and cannot participate in the election process.

Voter Confusion

Similarly, a flash card can be constructed to trigger a buffer overflow of the stack containing "Hotspot" elements, such as buttons. In practice, the researchers only used it to return garbage error messages, confusing the voter, but arbitrary code could be executed through this overflow vulnerability, including the PEB-based attacks described above.

M100 Optical Scanner Attacks

This section covers a few vulnerabilities with the M100 Optical Scanner, which is used to read physical ballots.

Stealing Votes

The M100 can have its firmware updated from a special PCMCIA card, which is usually provided by ES&S representatives. By using a malicious PCMCIA card to update the firmware, an attacker can make the M100 give all votes to the first candidate listed.

Denial of Service

A different malicious PCMCIA card can be crafted, causing the M100 to write to an invalid address. This write causes the machine to experience a segmentation fault and hang, making it unusable until a reboot. Once the machine is restarted, it attempts to write to the invalid address again, rendering the machine useless.

Virus Propagation

Due to the nature of the ES&S voting process, the entire election cycle could become compromised. The Unity election management system is used to create PEBs and Compact Flash Cards for the iVotronics, as well as PCMCIA Cards for the M100 Optical Scanner. Once polling is over, the results PEB generated by the iVotronic machine is collected and taken to where the Unity system is located, so that the votes can be tabulated. Due to a number of possible exploits detailed in the EVEREST Report, it is possible to create an infected iVotronic machine that "infects" the PEBs that are put into it. These infected PEBs can be used to infect other iVotronic machines, until the entire voting location is compromised. Once polling is closed, an infected results PEB could be created. This bad PEB is read by the Unity Election Management System, infecting it in turn. From then on, all media (PEBs, Flash Cards, and PCMCIA cards) created by Unity will contain bad payloads, thus compromising the entire election!
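
The media flows in the paragraph above can be treated as a directed graph and checked for exposure, as a threat-modeling exercise. This is an added example, not code from the EVEREST Report or from this project: the node names are labels taken from the paragraph, and `blocked` models a hypothetical control that stops a given flow from carrying a payload.

```python
from collections import deque

# Data flows named in the paragraph above, as (source, destination) pairs.
MEDIA_FLOWS = [
    ("Unity", "PEB"),
    ("Unity", "Compact Flash card"),
    ("Unity", "PCMCIA card"),
    ("PEB", "iVotronic"),
    ("Compact Flash card", "iVotronic"),
    ("PCMCIA card", "M100"),
    ("iVotronic", "PEB"),
    ("iVotronic", "results PEB"),
    ("results PEB", "Unity"),
]


def exposed_components(start, flows=MEDIA_FLOWS, blocked=frozenset()):
    """Return every component reachable from `start` along unblocked flows."""
    graph = {}
    for src, dst in flows:
        if (src, dst) not in blocked:  # a blocked flow carries nothing onward
            graph.setdefault(src, []).append(dst)
    seen = {start}
    queue = deque([start])
    while queue:  # breadth-first walk of the media-flow graph
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def chokepoints(start, asset, flows=MEDIA_FLOWS):
    """Flows whose removal alone keeps `asset` out of the exposed set."""
    return [f for f in flows
            if asset not in exposed_components(start, flows, {f})]


if __name__ == "__main__":
    # One compromised iVotronic exposes every component in the cycle.
    print(sorted(exposed_components("iVotronic")))
    # The only flows that separate a polling-place machine from Unity.
    print(chokepoints("iVotronic", "Unity"))
```

The only single flows that isolate Unity from a compromised iVotronic are the two on the results PEB path, which is why that return path is the natural place for a control.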

