Voting Machine References And Links For Village

  • Voting Machine References And Links For Village

    Let's use this topic area to add links to research material, articles, software and other information that will help anyone who wants to participate in the village.

  • #2
    From my twitter feed:

    @SFOpenVoting - Involved in the San Francisco Open Source Voting System - Collects detailed information on voting system information - A lot of information on vendors and distribution of EMVs by product and type - One of the original sites to draw attention to the EMV risks

    Some reading:
    - Security analysis of India's Electronic Voting Machines from 2010

    We clearly need more white papers and legit past research on vulnerabilities in the common designs.


    • #3
      Some more reading links...will post more as I have time over the coming days. Lots of links to details about vulnerabilities of particular EMVs used in the United States. Tech specs are provided when possible, as well as lists of which states (& how many counties) used particular EMV models in 2016.

      ICIT Analysis: Hacking Elections is Easy! (Part 1: Tactics, Techniques, and Procedures) + (Part 2: Psst! Wanna Buy a National Voter Database? Hacking E-Voting Systems Was Just the Beginning): Apparently this is now being sold on Amazon as a book, but I still have the original PDFs for both parts 1&2 released in September 2016. Not sure if I’ll get in trouble for uploading them somewhere else, so just PM me or tweet at me (@hexwaxwing) if you want me to send you my copies. Part 1 is 24 pages & part 2 is 55 pages. (Rally Security did a podcast discussing these papers in October 2016; accessible here).

      Voting: What is, what it could be (2001): CalTech + MIT’s collaborative project (“Voting Technology Project”) studying voting technologies.

      Fraction Magic: Would be cool if we could verify this.

      Security Analysis of the Diebold Accuvote-TS Voting Machine (Princeton University, Center for Information Technology Policy [Ariel Feldman, J. Alex Halderman, Edward Felten] — 2006/09/13)
      Abstract: This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities — a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine’s hardware and software and the adoption of more rigorous election procedures. (Here’s the PDF of the study, + video of them hacking that EMV)

      America’s Voting Machines At Risk (Brennan Center for Justice at NYUSL [Lawrence Norden and Christopher Famighetti] — 2015)

      How to Hack An Election in 7 Minutes (Politico — 2016/08/05)
      Excellent overview of contemporary issues in EMV security. Features Princeton’s Andrew Appel + Ed Felten + J. Alex Halderman. Long article, but worth it.

      Hacking the Machines: Coverage, Finally! (Lulu Friesdat @LuluFriesdat — 2016/08/12)
      Overview of spate of voting fraud coverage from the mainstream media in August 2016 from filmmaker Lulu Friesdat, who did a documentary ("Hollerback: (Not) Voting in an American Town" 1hr 19mins) that covered Halderman & Feldman (then grad students) hacking AccuVote-TS EMVs in Lehigh County, Pennsylvania using prior to the 2004 presidential election. Goes on to describe discrepancies in the 2016 primaries & general election (for more on that, see here, here, and here).

      Hacking An Election: Why It's Not As Far-Fetched As You Might Think (NPR — 2016/08/01)

      Vulnerable Voting Machine Raises Questions About Election Security (NPR — 2015/04/16)

      AVS WinVote: The Worst Voting Machine in America (Slate — 2015/04/16)

      The Dismal State of America’s Decade-Old Voting Machines (Wired — 2015/09/15)

      America’s Voting Machines are Scarily Easy Targets (Wired — 2016/08/02)

      How to Rig An Election (Harpers Magazine — Nov 2012)

      How to Hack an Election (Bloomberg Businessweek — 2016/03/31) — Latin America, but still quite interesting.

      How Secure are U.S. Voting Systems? (NPR, Science Friday — 2016/08/05) — Interview with Bruce Schneier & Aviel Rubin, ~18 mins long.

      The Internet Is No Place for Elections (Technology Review [Mike Orcutt] — 2016/09/26)

      EDIT: Should’ve included this one too...Beth Clarkson’s stuff is interesting.

      How voting machines can be faulty (The Tab — 2016/08/12)
      Last edited by waxwing; May 27, 2017, 05:20. Reason: re-englishing


      • #4
        A GitHub repo for exploring the software quality of electronic voting machines, assembled by Emily Gorcenski last fall -- plus some more commentary (in the form of a Twitter thread comparing the regulatory process it takes to write software for a medical device compared to a voting machine), and another (discussing source code review guidelines for certified voting machines).

        Explore which states use which voting machines in which county (web interface OR data is downloadable in JSON, Excel, CSV formats) here.

        Election integrity research conducted by Roger Johnston/the Vulnerability Assessment Team at Argonne National Laboratory. Includes documents (2006 & 2012) covering tamper-evident seals used in elections, a few slidedecks on election integrity (2011 & 2012), some suggestions for better election security, plus two videos: one demoing Diebold EVM tampering; the other, Sequoia EVM tampering.

        Some misc resources put together by Argonne National Laboratory on the subject of election security (gathered from here): The Vulnerability Assessment Team (VAT) at Argonne National Laboratory hosts and edits the Journal of Physical Security as a free, public service. Part of what we get out of it (other than getting to read some really interesting papers about physical security) is a chance to shamelessly plug our own work and views from time to time. Here are some recent news stories about the VAT. (The first two are also very good general reviews on the subject of election security.)

        Some more stuff from Princeton University's Andrew Appel:

        Miscellaneous additions:


        • #5
          Wisconsin's 2016 Presidential election showed anomalous returns from the Dominion Sequoia AVC Edge and Accuvote. Looks like votes may have been switched from Clinton to Trump. Take a look at this Sequoia source code review (essentially a manual on the many ways to hack it) to see how easily it could've been done. It would be a great service to democracy to demonstrate vote-switching at the Village!


          • #6
            New article that's been making the rounds: The Chaos Computer Club, a multigenerational army of activists, has made the country’s democracy a lot tougher to undermine.

            Also, according to Ed Felten of Princeton, Patent 8033463 is now in the public domain as of 6/27/2017. Just in case that's useful.
            Last edited by waxwing; June 27, 2017, 17:24. Reason: added link


            • #7

              See 3rd tab labeled "Confidential." Sequoia voting machine SSL attacks: The SSL certificate is self-signed and can therefore be cloned to allow for a man-in-the-middle attack: The information required to mount a man-in-the-middle attack on the transmission is all available on the cartridge. a) Replacement of the IP address would cause the HAAT devices to dial or connect to a man-in-the-middle who could read or alter the transmission and re-encrypt it to the real HAAT Listener using that server's real public key (which is available upon request in SSL). This security relies on the voting jurisdictions to be aware of the physical security needs of the cartridges and HAAT devices after they have been prepared. The security also relies on effective physical security of the cartridges loaded into the Edge II and Edge2Plus devices, both of which can be read by commonly available COTS tools. The Insight cartridge, which utilizes a proprietary communications protocol, would be more difficult to read, but nonetheless requires physical security.


              • #8
                Was Wisconsin hacked using MIM, vote-flipping code, or ROP? This paper explains the concepts behind ROP, one method by which Wisconsin's Sequoia AVC Edge DRE voting machines might've been attacked in 2016, and which is undetectable in an election audit:


                • #9

                  Discovered some red team reports and source code reviews conducted for the CA Sec of State.

                  Top Level:

                  Latest vuln assessment, conducted against ESS Unity system - published Nov 2017:


                  • #10
                    Got a bunch of AccuVote TSX machines.

                    First trick I noticed with them is that if you don't have a slip of paper in the printer over the sensor near the printhead it will think it's out of paper and not boot up fully.

                    Second cool thing I found is that with a PCMCIA memory card in, it opens up cool possibilities to download an election.
                    I really, really wish I knew the format the election was supposed to look like (a bunch of files including election.ini) so I could cook up a fake election.

                    I've tried a few different ways to use the USB header but it is a no-go so far.

                    I've put files on an sd card and put it in the sd card reader inside but the normal boot up procedure ignores the sd card.

                    There was a hack on the old TS model that putting explorers.glb on a PCMCIA memory card would let you boot up into Windows Explorer but they seemed to have fixed / changed it. Or I'm missing something.

                    I *have* had some luck dumping the firmware through the JTAG interface. I was able to talk to the bare motherboard unpowered with the Olimex reader but not until I put the motherboard back into the housing and turned on debug mode did it connect and dump firmware properly (I hope?). For me the trick was to 'reset', 'halt' then call dump_image.


                    • #11
                      Originally posted by SporkySpork
                      I've put files on an sd card and put it in the sd card reader inside but the normal boot up procedure ignores the sd card.
                      For SD Card, have you tried various sizes of SD Card and different formats?

                      First suggestion is to try the most compatible: a 1 GB SD Card formatted with one of the older MS DOS formats: FAT-16 (Try using an old copy of Windows, or MS DOS, or an old SanDisk format utility that allows you to specify format type. You might be able to move up to 2 GB in size for this older FAT-16, but beyond that, you decrease compatibility and increase risk for problems.)

                      Next, try the next more recent FAT, FAT-32 and again try to stay under the 2GB size limit for SD. Limit names of files to only use the 8-dot-3 convention, nothing longer, and see if that is recognized.

                      Outside of that, then you can try less compatible formats like exFAT, or others.

                      Please let "us" know about your progress, what works and what does not. If you learn enough about your voting machines, consider building a presentation and submit it as a talk for next year either as a main-track talk, or a talk just for the DEF CON Voting Machine Hacking Village.



                      • #12
                        Originally posted by TheCotMan

                        For SD Card, have you tried various sizes of SD Card and different formats?

                        Just now tried a fat16 1gb card and no dice. When the system came up it did not recognize the card. I've tried in and out of debugging mode (jumper on board) with this and fat32 sd cards.

                        I will say that this is a lot of fun messing around with these machines.


                        • #13
                          Originally posted by SporkySpork

                          Just now tried a fat16 1gb card and no dice. When the system came up it did not recognize the card. I've tried in and out of debugging mode (jumper on board) with this and fat32 sd cards.

                          I will say that this is a lot of fun messing around with these machines.
                          Thanks for the feedback! Other ideas? Maybe it requires "read-only" before it is read.

                          Looking online, I see what appear to be "wireless enabled SD cards" to copy video and images from cameras to a laptop, tablet or phone using WiFi.

                          If any of these support remote network filesystem for *reading* files from a remote store (like Samba, or WebDAV, or NFS) then maybe you can configure one of these to use a network filesystem and then if/when the Voting Machine OS tries to open a file on the SD, the request is passed to the OS with the network share, and then you can see what file name(s) if any, the voting machine is trying to open. With the names of files it is looking for, you would then have more keywords for more searches with Google or Bing.


                          • #14
                            Originally posted by TheCotMan
                            Looking online, I see what appear to be "wireless enabled SD cards" to copy video and images from cameras to a laptop, tablet or phone using WiFi.
                            Or I could just dump the firmware like I did earlier this week. :)

                            I pulled a 64Mb image off one. Persistence and asking for help after I exhausted obvious methods. Seems like the difference between me and an earlier attempt was that I jumped the "debug" pin on the mobo before dumping through the JTAG debugger. I haven't tried to pull an image without the debug pin jumped though to see if there is a difference in image size.

                            Now I'm pulling a second image off another machine so I can compare the two.

                            I am a total n00b at reversing binaries though so it's going to be some slow going for me. :/

                            EDIT: I do have one of those eyefi cards but there's an easier way to do it with a PCMCIA memory card. Once you put any PCMCIA card in the unit that it recognizes (formatted properly natch) it opens up a new menu on the machine.

                            That menu is download elections and gives you the option to call out using the 56k modem, use the serial port (normal and easily accessible on the back), or use a serial port modem.

                            I'm probably being silly but I haven't really messed with the serial port much yet.
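
For the two-dump comparison and the "did it dump properly?" question raised in posts #10 and #14, here is an added example (not code from any poster in this thread). It checks whether an image is mostly blank fill, which suggests a failed read, and lists the block ranges where two images differ. The block size, function names and sample images are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 4096  # comparison granularity in bytes (arbitrary choice for this example)

def blank_ratio(image: bytes) -> float:
    """Fraction of blocks that are entirely 0x00 or 0xFF (erased flash or a failed read)."""
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    blank = sum(1 for b in blocks if b[0] in (0x00, 0xFF) and b.count(b[0]) == len(b))
    return blank / len(blocks) if blocks else 1.0

def diff_ranges(a: bytes, b: bytes) -> list:
    """Merged (start, end) byte ranges of blocks that differ; a size mismatch counts as a difference."""
    ranges, limit = [], max(len(a), len(b))
    for off in range(0, limit, BLOCK):
        if a[off:off + BLOCK] != b[off:off + BLOCK]:
            end = min(off + BLOCK, limit)
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)  # extend the previous adjacent range
            else:
                ranges.append((off, end))
    return ranges

def compare(a: bytes, b: bytes) -> dict:
    """Summary of two dumps: sizes, hashes, blank-fill ratios and differing ranges."""
    return {
        "sizes": (len(a), len(b)),
        "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest()),
        "same": a == b,
        "blank_ratio": (blank_ratio(a), blank_ratio(b)),
        "diff_ranges": diff_ranges(a, b),
    }

def make_samples():
    """Constructed stand-ins for two dumps: 4 'code' blocks followed by 4 erased blocks."""
    code = bytes((i * 7 + 3) % 251 for i in range(4 * BLOCK))
    a = code + b"\xff" * (4 * BLOCK)
    b = bytearray(a)
    b[2 * BLOCK + 10:2 * BLOCK + 14] = b"UNIT"  # constructed per-unit difference
    b[3 * BLOCK] ^= 0xFF                        # second difference in the adjacent block
    return a, bytes(b)

if __name__ == "__main__":
    first, second = make_samples()
    report = compare(first, second)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Dumping the same unit twice and getting identical hashes is the quickest check that a read was stable; differences between two units that cluster in a few ranges usually point at per-unit data rather than code.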