How do you dump the firmware from a "secure" voting machine? With a $15 open source hardware board


#1

Originally published at: https://boingboing.net/2017/10/13/how-do-you-dump-the-firmware-f.html


#2

Limor about to get some no-knock visits from Homeland Security now.


#3

I guess the NSA is too busy compiling enormous lists of dissenters and pre-criminals to spend any time securing democracy in the 'states.


#4

I initially read dump in the headline to imply replace, rather than simply download. As in, alternative firmware that would make these machines fit for purpose. Still cool, but not as cool as where my mind initially went.


#5

The report was a fairly interesting read, if a bit on the ‘executive summary’ side. One has to wonder how difficult it would be to build a transparent yet secure system for electronically recording votes.


#6

I suspect ‘not very’. After all, we all manage to bank without constantly losing money, in spite of the ever present predators constantly hunting for exploitable flaws in that system.

edit: Aside from the banks themselves, of course.


#7

I have unsupervised access to absurd numbers of voting machines before every election. Like, rooms full of them, in rows, for hours.

I probably have the technical ability to rig the vote, but I am not willing to risk implicating the schools and churches that trust me, so I won’t.

Not that it would matter, honestly. We are a very small state with winner-take-all electoral representation, completely politically dominated by a Democratic party machine.


#8

Out of morbid curiosity, how many other people are there who might have similar access to other voting machines? It really would not take very many to rig an election, I’m guessing.


#9

This is the first step to compromising voting machines:

- dump firmware
- reverse engineer it
- modify it
- replace firmware

Electronic voting is inherently compromised because it is inherently and unavoidably hackable. That is just the nature of electronics. Anyone who has studied software/hardware will tell you this. Some will mention blockchain technology, but that will compromise anonymity.

Voting has to be anonymous (to prevent buying/selling of votes), private/solitary (to prevent coercion), verifiable (recounting) and as public as possible (to enable people to check/oversee the process). Compromising any one of those compromises the whole.

Any form of remote voting compromises privacy (how can you tell there is no coercion?) and verifiability (there is no paper trail), and anonymity or publicity of the process is out, too.

With remote voting you can either verify that a person voted by using video to check … which is still no deterrent to coercion from an off-screen threat, and which directly contradicts anonymity; or have someone vote anonymously, but then you cannot tell whether that person was alone or coerced. Using electronic/software means also inherently includes (untraceable/unseen) fraud through hacking: there is no protection against, or proof of the absence of, MITM attacks or hacks on the client or server. The process is a black box, which is thus not public proof of the process being free of fraud.

For mass voting the only thing which satisfies privacy/anonymity, verifiability and a public process is a paper vote where the vote is cast in a safe and private space, the paper used leaves a paper trail, and the results are counted publicly, with tallies made publicly and sent over the phone.

This and only this ensures a voter can vote whatever they want (so coercion and vote selling/buying is not possible, due to not being able to check what the person voted), it leaves a paper trail for verification/recounting, anyone can witness the counting and ensure it is true, and the tallies, due to being made public, can be checked at all steps (voting office, county, region, national) to ensure the tallies don’t change and the addition is correct.

The one ‘problem’ with paper voting is that it takes more time. You might not have results until the next day.

So what?

The only advantage to electronic voting is that it can tally faster … but is in every way more opaque, more open to fraud/interference/hacking and more expensive.

The only people who would advocate electronic voting over paper voting are people who make electronic voting machines or those who want voting to be open to fraud.


#10

NSA’s defensive mission is solely over DoD networks and systems. The split offense / defense mission is problematic enough in my opinion without adding in defense of civilian systems, such as voting machines.


#11

California has – all of my life – used paper ballots tallied via scan-trons. While there’s an occasional recount in a close election, I’ve never heard of any shenanigans, as it’s completely auditable.


#12

Reading comprehension must be failing me: it sounds like you’re saying that making other people look bad is why you don’t tamper with the machines.

Surely you’ve got more respect for the democratic process than that?


#13

I think Canberra (Australian capital) has an open source electronic voting system, but they’re thinking of moving on from it.


#14

Banks, though, try damn hard to make sure everyone involved, and the transactions themselves, are known and clearly identified. This really doesn’t work with secret ballots…


#15

I (very, very, very) strongly doubt that the security of these devices is even close to adequate; but the fact that ‘dumping the firmware was trivial!’ doesn’t seem like a problem (indeed, it’s arguably a virtue).

You don’t want reflashing the device to be trivial, and you don’t want modifying any voting/state data temporarily stored on the device to be trivial; but if the integrity of the election depends on the secrecy of the firmware, the security model is so doomed that you should consult Ripley’s First Law of Security and start from scratch.

Preventing firmware dumping is a popular DRM/copy protection move, because those contexts make secrecy valuable and don’t treat user knowledge of exactly what the system is doing as a virtue (quite the contrary). It is sometimes treated as ‘more secure’ in general because of the assumption that there are definitely flaws, probably serious, in the firmware, but hopefully making it harder to dump will delay discovery by forcing the attacker to black-box it (subject to the input limits, rate limiting/lockout, etc. of the device) rather than being able to analyze the firmware at their leisure on their choice of system. But if your ‘security’ involves the fatalistic acceptance of the fact that your software is broken, it isn’t good enough for this job.

If anything, in a situation where the device must not have been tampered with, the question is not “How can we keep someone from dumping the firmware?” but “How can we be sure that even maliciously reprogrammed devices cannot falsely return the ‘correct’ firmware if asked to dump the firmware they are currently running?” Even if the software is not open in a licensing sense, ‘security’ that depends on it being vaguely inconvenient to get a look at the flaws is pitifully inadequate (worst case, having someone tear the chip down, gate by gate under a microscope, isn’t that expensive, even if more polite dumping mechanisms have been disabled); and if you can’t verify that the hardware is actually running the software it should be, it doesn’t matter how solid the software you think you are using is, because you might be using different software and not know it.

Unfortunately, robust verification that a device is, hardware and software, exactly what it should be, rather than modified/backdoored/built with partially compatible counterfeits/etc., is considered Hard (DARPA has a strong interest in the problem, since the DoD depends heavily on being able to get parts, often for hardware no longer in wide civilian use, which makes them vulnerable to counterfeits, and has plenty of opponents who would love to slip them some backdoors; this has ensured more research but not changed the problem’s status as ‘Hard’), especially if you want a reasonably cheap and nondestructive test, which you do in this case.
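
Following on from the dump / reverse engineer / modify / replace sequence in #9 and the point in #15 that the only image worth inspecting is one read straight off the flash chip (as the $15 board does), not one the device reports about itself, here is an added example of the first thing a practitioner does with such a dump. It is not code from this thread or from the article it links to. The two images it works on, their layout (header, code, a key blob, erased flash) and the tampering applied to the second one are constructed inline and are assumptions so the script runs offline; the script compares a dump against a known-good image, reports the changed byte ranges, and labels blocks by Shannon entropy to separate encrypted or key material and padding from ordinary code before reverse engineering starts.

```python
"""Triage a firmware image read out of a device's flash chip.

Added example, not code from the thread or the linked article.  Assumes two
flat binary images of the same size: a known-good ("golden") image and a
dump read directly off the flash chip with an external programmer.  The
sample images below are constructed inline so the script runs offline.
"""
import hashlib
import math
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(golden: bytes, dump: bytes, merge_gap: int = 16):
    """Byte ranges [start, end) where dump differs from golden.

    Differences closer together than merge_gap bytes are merged, so one
    patched function shows up as one region, not a scatter of single bytes.
    """
    if len(golden) != len(dump):
        raise ValueError("images differ in size; compare like with like")
    regions, start, last = [], None, -1
    for i, (a, b) in enumerate(zip(golden, dump)):
        if a != b:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            regions.append((start, last + 1))
            start = None
    if start is not None:
        regions.append((start, last + 1))
    return regions


def classify_blocks(data: bytes, block_size: int = 512, high: float = 7.0):
    """Label each block by Shannon entropy in bits per byte.

    0 is erased flash or padding, >= `high` looks encrypted, compressed or
    key material, anything in between is ordinary code and data.
    """
    out = []
    for off in range(0, len(data), block_size):
        block = data[off:off + block_size]
        n = len(block)
        # 0.0 - ... keeps a uniform block at +0.0 instead of -0.0
        h = 0.0 - sum(c / n * math.log2(c / n) for c in Counter(block).values())
        label = "padding" if h == 0 else "high-entropy" if h >= high else "code/data"
        out.append((off, round(h, 2), label))
    return out


def triage(golden: bytes, dump: bytes, expected_sha256: str) -> dict:
    return {
        "hash_ok": sha256_hex(dump) == expected_sha256,
        "regions": diff_regions(golden, dump),
        "blocks": classify_blocks(dump),
    }


# --- constructed sample images (assumed layout, not real firmware) --------
def _stream(tag: bytes, n: int) -> bytes:
    """Deterministic pseudo-random bytes: SHA-256 in counter mode."""
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(tag + i.to_bytes(4, "little")).digest()
    return out[:n]


_ALPHABET = bytes(range(48))                   # 48 symbols: code-like entropy
_CODE = bytes(_ALPHABET[b % 48] for b in _stream(b"code", 0xA00 - 11))
GOLDEN = (b"VM-FW 1.02\x00" + _CODE            # 0x000-0x9FF header + code
          + _stream(b"keys", 0x200)            # 0xA00-0xBFF high-entropy blob
          + b"\xff" * 0x400)                   # 0xC00-0xFFF erased flash
assert len(GOLDEN) == 0x1000
GOLDEN_SHA256 = sha256_hex(GOLDEN)

# A tampered dump: two nearby patches (reported as one merged region) plus
# one stray byte written into the erased region.
DUMP = bytearray(GOLDEN)
for off in (*range(0x300, 0x310), *range(0x314, 0x318)):
    DUMP[off] ^= 0xA5                          # XOR guarantees every byte differs
DUMP[0xF00] = 0x00
DUMP = bytes(DUMP)

if __name__ == "__main__":
    result = triage(GOLDEN, DUMP, GOLDEN_SHA256)
    print("hash matches golden:", result["hash_ok"])
    for s, e in result["regions"]:
        print(f"modified 0x{s:04x}-0x{e:04x} ({e - s} bytes)")
    for off, h, label in result["blocks"]:
        print(f"0x{off:04x}  H={h:4.2f}  {label}")
```

The hash check only means something for an image read out-of-band with a programmer; a device asked to dump its own firmware can, as #15 says, hand back whatever it likes, so hashing a self-reported image verifies nothing. The region list is what you feed to the disassembler first, and the entropy labels tell you which blocks are worth disassembling at all and which hold keys or encrypted data.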


#16

Oh, I have no idea. But generally the machines have to be distributed out from a central depot, and it’s physically impossible to deliver them all at the instant they are needed to the polling places, so for a couple of days beforehand trucks deliver them to secure holding areas. Like schools and churches, mostly, although not all churches are deemed sufficiently trustworthy if you catch my drift. :smiling_imp:

But no matter where they’re stored before the election, it’ll be in a place with a conditioned environment, so somebody will have access for maintenance of HVAC, wiring and plumbing emergencies. To me, this is just one of many arguments against using electronic voting machines. Other countries use simpler, more robust methods that don’t have this vulnerability.

If I were a truly morally upstanding citizen with unsullied respect for the democratic process I’d probably be ethically required to take a sledgehammer to those machines, wouldn’t I? :smiling_imp:

More seriously: I’m not sure I can explain this adequately. Other humans looking bad isn’t in the calculus. I’ve been trusted. Basically, I don’t do volunteer work for organizations or causes I don’t respect, and these have placed trust in me. I can’t justify betraying that trust. So maybe if I could wave a magic wand and flip the election to the Green Party or the Working Families Party, I would, or maybe not, but I simply don’t have to make that decision.


#17

Call me paranoid, but I’d love to know whether any hacking of high tech voting machines put Donald over and into office – ditto for the GOP success with the congressional elections. Then, after we make the machines secure (and, for the scan machines at least, maintain the paper sheets), we maybe can worry about who exactly did the hacking.
That a number of American voters believe the BS in the social media is far more disturbing than the Russians abusing those networks.
But that’s me. Clearly, the DNC and corporate media disagree.

