Diebold AccuVote-TSx hacking and raising hell

    I have been hacking the Diebold AccuVote TSx over the last few weeks using surplus from the DC voting village, expanding on previous public research and known issues to further improve the ability to modify / hack the device. I found some additional weaknesses in the flash chip security, demonstrated a basic bootkit and, most importantly, how to inject your own executable into the Windows CE .NET 4.1 OS that runs on these machines. The devices run with a very minimal build of Windows CE, so I have also built some separate binaries to help you on your adventures and given step-by-step details on how to add them to a device. Injecting tools like "mstsc.exe" and "pword.exe" gives you the ability to use terminal services as well as document editing, etc. You can essentially follow our described steps using the configuration and tools from our blog to run anything you want on a Diebold system under the hardened Premier Elections OS. You could even flash the device to run some entirely new and exotic OS like Linux; although a lack of an FPU might make this a more difficult task, it is certainly possible. You can find a detailed walkthrough of all our findings on the blog here:


    You can find tools and utilities, including our configuration for JTAG interaction with CPU & Flash memory here:


    The hardest part of doing modifications now is finding working software for PPC2003 (PocketPC 2003 or WinCE), as many sites and archives are defunct with broken links. You can inject games like Space Invaders and Solitaire easily. I was also able to get it to run DooM, albeit through an mstsc.exe terminal session, as the compiled binaries for DooM from this era do not work correctly on the device. If you compile them from source, you may get better results; various source ports of games for this platform are available online. Our blog post explains how to run arbitrary EXEs, and I had some success using video players, networking clients and various other utilities that are not shipped by default on the device, which you can find on our GitHub. Here is a screenshot of the device playing DooM.

    [Image: doom.jpg]

    Happy Hacking!

    Great work!

    PGP key: dtangent@defcon.org valid 2020 Jan 15, to 2024 Jan 01
    Fingerprint: BC5B CD9A C609 1B6B CD81 9636 D7C6 E96C FE66 156A