Thursday, 08/03/2006 10:57:51 PM
Now, let's imagine you want to create the near perfect vote tampering system ...

Here are some of the most desirable characteristics of a 'fraud enabled' voting system, and the "best" part is the AccuVote TS pictures posted on the http://openvotingfoundation.org website are sufficient proof that this machine can achieve all of those goals:

- The fraud should leave no traces as soon as the machine is reset / powered off
- The fraud should not require moving, or removing any part of the machine
- The fraud program or operation should not be revealed even after serious forensic examination
- The fraud should not require any specific resident software in the machine to operate
- The fraud should not be detected by a careful source code examination or certification process
- The fraud should use only the hardware present in the regular AccuVote TS machine without any change
- The fraud should resist a careful instrumented realtime debugging / attempt to discover its inner workings
- The fraud should not disrupt the voting machine's expected behavior for the user to prevent tipping about what is going on
- The fraud should not be detectable even by a skilled observer or the manufacturer's own technicians at the voting booth
- The fraud should not require the fraudulent operator to type anything on the keyboard
- The fraud should not require the fraudulent operator to even touch the machine
- The fraud should be possible even when the fraudulent operator can be observed by third parties
- The fraud should be self-contained and should not require any previous or subsequent intervention on the voting machine
- The fraud should be usable upon request, only in selected voting booths that are not known before the election starts
- The fraud should be possible at any moment before, during or after the voting period
- The fraud should not require the fraudulent operator to carry a bulky device such as a laptop or a handheld computer, an organizer, etc ...
- Once the fraud is done, or if caught (either while performing the fraud or after), the operator should be able to safely erase all proofs in less than 2 seconds and be certain to avoid any conviction.
- It should be possible to apply the fraud (or different frauds, or to 'undo' the fraud) as many times as required before, during or after the election.
- It should be possible to use a voter as the fraudulent operator
- The fraud should not require guesswork (no dependence on external information)
- The fraud should not require tampering with the election result communication since it leaves auditable traces
- The fraud should be performed entirely at the voting booth, requiring no implication at the higher levels.
- The fraud should be easy to plan and execute to minimize traces and reduce liabilities to either a single individual or a very small group.
- The fraudulent operator should not have any specific skills and the instructions given to him must be very easy to understand and follow (being a "Diebold Candidate" voter has its limitations!)

Tough or impossible requirements?

The recently discovered multi-boot capability can be tempting, but it leaves traces, and there is a need to open the voting machine to set the switches. There is also a risk that the incriminating software can be found if the flash based fraudulent boot loader does not erase/alter itself before audit/forensic examination. Also, the only practical way to alter it 'on demand' during the vote is to type some predefined key sequence, something not easily performed in a voting booth.

There is a 'better' way.

First, look at this picture:
http://www.openvotingfoundation.org/ts/slides/16-lwr.html

On the left, there is a component labeled "U30", this is an IrDA transceiver. The two holes in the casing prove it is intended to work at all times and not only as a debugging / testing device.
This transceiver looks like a 4 Mbps (fast IrDA) Agilent HSDL-3602 (very few have this 10-pin package).
Data sheet: http://www.avagotech.com/assets/downloadDocument.do?id=1564

On the hardware level, this is both an infrared transmitter and an infrared receiver. The signals it can transmit or receive are very similar to the signals sent over a regular serial port. In fact, most modern UARTs can be programmed to operate either as a wired RS232 interface or as a wireless, infrared interface.
IrDA itself refers to the (awfully complex) software protocol normally associated with the infrared wireless interface.
It's important to keep in mind that, just like a wired RS232 port, it can be used with a much simpler protocol and can be used in unidirectional mode (receive only, without transmitting anything).
It is logically placed near the 'keypad' connector that is also an RS232 serial port.
Data sheet: http://www.sipex.com/Files/DataSheets/SP3243.pdf

The IrDA controller can be seen here http://www.openvotingfoundation.org/ts/slides/10-bleft.html
It's the Hitachi HD64465BP whose press release is here http://www.hitachi.com/New/cnews/E/1998/981019B.html and clearly mentions that it contains an IrDA interface.

At the base of the software driver, just like for RS232 handling, there is a hardware triggered interrupt routine that responds to the arrival of new characters and stores them in a buffer until a condition occurs that transfers the buffer content to higher level software.
Any programming error that lets the buffer overflow anywhere during the processing of the data can corrupt the return stack and lead to the buffer's content being executed as code. This is one of the most common vulnerabilities and even when great care is taken, nearly all computer systems that accept data generated from the outside are vulnerable, whether they are Windows- or Linux-based or embedded systems.
Read the classic "Smashing the stack for fun and profit" http://reactor-core.org/stack-smashing.html for in depth information.
Maybe it could be renamed "Smashing the stack for fun, vote fraud and huge profits".

Once code execution is transferred to the loaded code, it has full, unlimited access to the system and can alter the machine's behavior or the data it stores (such as vote results) in any way the malicious author intended it to. In an embedded processor without sophisticated protections, this is even easier than on a Pentium class processor machine using a modern OS (Windows XP / Linux).

If the IrDA software contains such a flaw (or even more than one, call that redundant insecurity), it's nearly impossible to prove it was intentionally planted / left in the code.

The injected fraudulent code is only present in RAM, and can even remove itself and allow normal processing to resume once it has finished its task, so it leaves no traces for further forensic analysis.

A modified infrared keyless car entry transmitter can be used to send the 'malformed' / too long data packets and, at 4Mbps, transmission time for a 40 Ko executable would be around 0.1 second.

The fraudulent operator would need to be placed on the side of the machine or in front of it if he uses reflection on the (usually white) side panel of the voting booth: http://www.qacelections.com/new_pa1.jpg

The transmitter can be used up to 3 to 4 feet away (or more if a high efficiency infrared LED is used) and can go through light clothing, allowing activation by clicking on the transmitter from inside a pant or shirt pocket.

Once all the voting machines have been 'beamed', a simple code, such as a long click could be used to erase the incriminating code and data in the IR transmitter processor (either in Flash or in RAM). Since normal operating frequencies for keyless transmitters are well below 4 Mbps, the fast transmission pattern could be easily hidden, modulating the normal pulses and thus preserving the normal, benign keyless entry function in case someone sees the key activation and becomes suspicious.

"Beaming" can be done late in the voting process, and only in a few selected booths where exit poll interviews of voters show that the "Diebold candidate" needs a little help from his friends ...

I have no proof it really happened, all I can say is that I can't see a single legitimate use for this IrDA port on a voting machine and, if I had to design the best electronic vote tampering system I can think of, that's exactly how I would do it.

http://www.bbvforums.org/forums/messages/9707/36345.html
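The post's weak point is the interrupt-driven receive routine that stores incoming bytes without a bound. The C below is an added example, not code from the post or from the AccuVote firmware: a hypothetical framed receive path (one length byte, then that many payload bytes; RX_BUF_SIZE and the frame layout are assumptions) where the header is validated and every store is bounded, with a constructed byte stream containing one oversized frame followed by a legitimate one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RX_BUF_SIZE 64u   /* assumed receive buffer size */

typedef struct {
    uint8_t  buf[RX_BUF_SIZE];
    size_t   expected;   /* payload length announced by the frame header */
    size_t   count;      /* payload bytes stored so far */
    size_t   skip;       /* bytes of a rejected frame still to discard */
    bool     in_frame;   /* header seen, collecting payload */
    bool     complete;   /* a full frame is waiting for the upper layer */
    unsigned dropped;    /* frames rejected because they cannot fit */
} rx_state_t;

/* Per-byte receive handler (the interrupt routine of the post). The defect the
 * post relies on is storing buf[count++] with no comparison against
 * RX_BUF_SIZE; here the header is validated and every write is bounded. */
void rx_isr_byte(rx_state_t *s, uint8_t b)
{
    if (s->complete) return;              /* last frame not consumed yet: drop */
    if (s->skip) { s->skip--; return; }   /* still discarding a rejected frame */
    if (!s->in_frame) {
        if (b > RX_BUF_SIZE)              /* announced length cannot fit: reject */
            { s->dropped++; s->skip = b; return; }   /* resync on next header */
        s->expected = b; s->count = 0; s->in_frame = true;
    } else if (s->count < RX_BUF_SIZE) {  /* physical bound, independent of header */
        s->buf[s->count++] = b;
    }
    if (s->count == s->expected) { s->in_frame = false; s->complete = true; }
}

/* Upper layer: copy out a complete frame; returns its length, 0 if none. */
size_t rx_take_frame(rx_state_t *s, uint8_t *out, size_t cap)
{
    if (!s->complete) return 0;
    size_t n = s->count < cap ? s->count : cap;
    memcpy(out, s->buf, n);
    s->complete = false; s->count = 0; s->expected = 0;
    return n;
}

/* Constructed sample stream: a header announcing 200 bytes (well past
 * RX_BUF_SIZE) followed by a legitimate 3-byte frame "abc". */
size_t demo_stream(uint8_t *out, size_t cap, unsigned *dropped)
{
    rx_state_t s; memset(&s, 0, sizeof s);
    rx_isr_byte(&s, 200);
    for (int i = 0; i < 200; i++) rx_isr_byte(&s, 0x41);  /* would overrun an unchecked buffer */
    const uint8_t good[] = { 3, 'a', 'b', 'c' };
    for (size_t i = 0; i < sizeof good; i++) rx_isr_byte(&s, good[i]);
    *dropped = s.dropped;
    return rx_take_frame(&s, out, cap);
}
```

The oversized frame is counted and swallowed rather than written, and the receiver resynchronises on the next header, so the legitimate frame still reaches the upper layer.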