In this course, you'll learn what every citizen should know about the security risks--and future potential — of electronic voting and Internet voting. We'll take a look at the past, present, and future of election technologies and explore the various spaces intersected by voting, including computer security, human factors, public policy, and more.
Guarding Against Tampering
Loading...
En provenance du cours de University of Michigan
Securing Digital Democracy
96 notes
À partir de la leçon
Security Procedures and Voting Around the World
Methods for ensuring the security of democracy
Rencontrer les enseignants
J. Alex HaldermanAssociate Professor
Electrical Engineering and Computer Science
The next set of procedures I wanna talk about are procedures that election
organizations put in place to guard the voting system and the voting machines
against tampering. Now if you think back to paper balloting,
when in the election cycle, was it necessary to guard the ballot box against
tampering? Well, you needed to make sure at the
beginning that it was empty and that it didn't have a false bottom or false side
and you needed to make sure that no one added or removed or changed any of the
ballot papers between the start of polling and the time that counting finished.
So between polling and counting was the biggest period of vulnerability for the
ballot box and the time it had to be guarded.
But with the introduction of electronic voting machines, that situation changes
dramatically. So, a DRE voting machine that has only its
electronic record of the count, it might be tampered with before the election,
maybe years before the election, maybe even while it was being, the software was
being written. And that tampering could alter the
software in a way that would change votes on election day.
So with DREs, it's not only necessary to safeguard them during polling and
counting, we need to safeguard the machine at all times, up until as we saw in an
earlier lecture, even after the machine is no longer used for elections, it could
still have data on it that's going to reveal voters' secret ballots.
So it's really a lifetime of security. This is one of the things that just adds
to the cost of DRE voting in a way that most people don't realize.
So, how would you safeguard machines like this?
You have to remember that we have to keep track of them in storage.
We have to keep track of them on election day, and we have to keep track of the
removable memory cards, and so forth. One aspect of that is making sure that the
location where they're stored is going to be secure.
You need a secure facility, probably one with cameras, maybe one with a watchman.
All of these are costly add ons to the voting process.
Another aspect is making sure that they're being secured while they're being
transported to polling places and when the memory cards are being removed and brought
back to counting. So for those procedures something that we
can import from older forms of elections, like the paper ballot box you see on the
left is something called a two person rule.
That is, you have to have at least two people watching at all times when it's
being transported or in use. That's sort of a minimal security
requirement to impose. So there's, that's on the thinking that,
if you have two people who are watching each other, the temptation for fraud or
the ability to coerce both of them would be reduced.
So maintaining the physical security by observing, by watching is one kind of
procedural safeguard that can be put in place to protect these voting machines and
technologies. In practice however these procedures the
real procedures that are followed are much more lax than we might like.
When you think about the, the logistics of conducting a real election you have to
make sure that the machines are going to be there on the polling day in time for
the polling places to open. And this can present a big challenge,
especially for bulky machines like big DRE's or lever machines.
Those machines are going to need to be delivered some time in advance.
Just, there are not enough people, not enough trucks to drop all of them off at
say seven in the morning when polls open. So what many elections authorities do in
practice is they'll drop these machines off the day before the election.
These are some pictures from elections in New Jersey where this kind of procedure is
common. These are polling places that are in local
schools, and there are the machines unguarded the evening before the election.
These particular machines, ABC Advantage Machines, are one of the machines that I
showed you how, they could be tampered with back, in the second week of the
course. So.
Procedures like this, leaving the voting machines overnight, are usually called
sleepovers. They might be left in the polling place.
They might even be left for smaller equipment with some of the poll
workers. All of this just creates a tremendous
opportunity for fraud though because the machines are relatively easy to tamper
with. And any tampering would not necessarily be
observable on election day. So this kind of sleepover procedure is one
of the Achilles heels of the entire chain of custody procedure, that is the
procedures that are in place to make sure that the machines will be guarded and
remain untampered at all times. Another mechanism that's put in place to
try to safeguard the, the physical integrity of the machines against
tampering is what's known as tamper- evident seals.
These are physical devices like the that come in many different styles, but the
intent is always to have some kind of way to tell whether an enclosure has been
opened between the time the seal was put in place and the time it's been inspected.
So, we can look at this example here. This is a tamper-evident seal of the
style used on the New Jersey machines. And it consists of the sticker that's
placed over part of the case. If the sticker is pealed back or removed
it is designed so that it will look different.
It will show this VOID writing in the background on the right.
Now there are a number of procedures that have to be followed in order to use tamper-
evident seals correctly for them to have any value at all.
And one of the most basic is you have to make sure that the seal that's there when
you're checking is the same as the seal that was there when the case was closed.
That is you have to check that the serial number on the seal is right.
If it's changed, like you can see these are slightly different, then that could
just be that someone's removed the original seal and replaced it with another
one of the same kind but with a different serial number.
So that's the most basic procedural check. There are a lot more procedural checks
that are important. So, we'll see those in a minute.
Tamper-evident seals come in many different forms.
Some of them are in the style of a padlock, some of them are a little wire
rope, some of them are, like the ones we just saw, a sticker.
The question is whether these seals are actually that tamper resistant.
I'd like to pause for a minute and let you think about this question.
How might you try to tamper with some of these different kinds of seals?
The attacker might try a few different ways to defeat these so-called tamper-
evident seals. One would be to remove the seal and
replace it with a new one that looks just like the original.
Another possibility would be to find a way to take the seal off and put the original
one back on without leaving any evidence that it had ever been removed.
So, these turn out to be empirical questions.
How easy is it for the kinds of seals that are actually in use or on the market to
either replace them with fresh ones without being detected, or to take them
off and put them back on without leaving enough evidence?
This man, Roger Johnston, who is the head of the vulnerability assessment team at
Argonne National Lab has done very extensive studies of tamper-evident seals.
And asking just these questions, how easy would it be to defeat them in the ways
I've talked about? So in one result after trying to defeat
244 different kinds of seals, he found that the average time it would take to
defeat them for just a single person working alone was only 1.4 minutes, and
the average cost to break a seal was only 62 cents.
To devise a successful attack starting from scratch with a new kind of seal took
an average of less than two, less than 2.5 hours.
And the median times are even and costs are even worse than these.
So most of the seals on the market perform extremely poorly, being defeated in less
than a minute at a cost of less than $0.10.
And, this is not just low security seals he's looking at, or ones that are
advertised for low security purposes. Nineteen percent of those he considered in
this study were either being evaluated for or currently in use for nuclear
safeguards. So, the state of seals on the market, of
typical seals, is just much, much poorer than you might think, if you didn't take
time to think about how they might be defeated.
Johnston also found that there was very little correlation between the cost of the
seal and how quickly it could be defeated. Expensive seals might be as easy as cheap
seals so cost is not a factor that you, you can use very reliably in evaluating
how, how much security a seal might give you.
Now when we go from just seals in general for lots of applications to the way seals
are used in voting machines we, we can look at some actual evidence from the way
they're used in the field. This man Andrew Appel, who's a computer
scientist at Princeton, has spent a lot of time looking at the seals and seal
procedures that are used in New Jersey on those machines I just showed you the ABC
Advantages. And the seals, they are really important
because as we saw, the machines are left unguarded overnight before the election.
And as Appel's and my own research has shown it's easy to tamper with the
machines by changing the software, if you can get them open.
So, how strong a deterrent or a defense do those seals provide?
Appel has looked at the seal procedures in place in New Jersey and, right now, they
actually use a number of different seals on the same machine, different styles of
seals. There are seals over the screw caps, you
need to open it up. There are wire seals on certain parts of
the machine. There are also sticker-style seals on
other places. So, they're trying to make it really tough
by putting a lot of different kinds of seals on the same kind of device.
But Appel has shown in his research that he was able to easily defeat every one of
these seals using commonly available tools and a little bit of ingenuity.
One of those kinds of seals is this cup seal that is placed over the screw caps.
Apell was able to defeat the cup seal using a pair of pliers and a chisel.
What he did was he figured out a way that he could lift it enough to chisel around
the bottom, take it off, and then remove the screw.
And then he was able to put it back on and replace that damaged part with a new one,
but have the original cap, which is the place with the serial number, show little
or no evidence that it had ever been removed.
Another kind of seal he looked at was this padlock style seal that goes on another
part of the machine. What Appel found was that he could make a
jig that would allow him to drill two very, very small, almost invisible, holes
into this padlock steel, and then he could open it up, put it back together, and it
would be extremely unlikely that this attack would be detected just by a cursory
visual inspection. There there's the, the tape and sticker
seals, that are on other parts of the voting machine.
What Apell found was that he could just take a heat gun, and warm them up a little
bit, and then pry them off, and reattach them after opening the machine without
exposing them and making them show that they had been tampered with.
So, just, again, another example of a little bit of a clever application of
commonly available tools allows each of these kinds of seals to be defeated.
That's how you get up to these amazingly low costs for breaking them.
So real attackers would almost certainly be able to defeat these seals if they had
a minimal amount of time to apply to each of the machines.
Using tamper-evident seals in practice requires a pretty complicated set of
procedures. And if we're going to look at the set of
procedures, we might call this a procedural protocol, there are a lot of
questions we need to ask to make sure that the procedures provide a minimal amount of
protection. So first, is the seal even going to be
there when the attacker has access to the machine?
If the machine's not sealed when it's in the warehouse and attackers potentially
are going to access the machine there, it's not providing any protection.
Second, does the seal actually need to be removed to get in?
One thing they found on the machines in New Jersey was that there were alternate
ways to get in and at those memory chips without actually removing the seals.
So you might go in through another door or compartment.
Another question is, can the attacker just temporarily remove the seal?
This one has to do with the security of the seal, as Appel and Johnston
researched. Or, can he just replace it with a new
seal? The other attack we considered.
In order to prevent replacing it with new seals, one of the minimum things that you
need to do is record the serial number written on the seal.
So the seal protocol has to incorporate some mechanism for that.
You also don't need to check that it's the same later and if the procedures don't
include a provision for reliably doing this, you're in trouble.
Finally, even if the serial number matches, do officials actually inspect for
any evidence of tampering like those tiny screw holes that Appel made in the padlock
style seal. And if anomalies are detected, are they
recorded and reported? Both of these are important because you
have to be able to figure out that it's not just one broken seal or one place
where maybe for human errors someone wrote down the wrong serial number.
If it's a pattern of fraud, you're only going to be able to find it if the people
who are doing the inspection communicate with other people doing the inspection.
And the a, a wide scale series of anomalies can be noted.
Now, the last question is, is appropriate action taken when problems are found with
the seals? This is really the hardest one, because
what's the appropriate thing to do if there are a lot of seals broken?
Well, clearly, you have to investigate and figure out what's happened, and whether
any tampering was done. But if they're DRE voting machines and
someone tampered with them and installed fraudulent software.
Often, that fraudulent software could just wipe itself out, and remove all traces of
the fraud at the end of the election. So, what, what constitutes appropriate
action is hard. Another possibility though, another kind
of attack that we haven't talked about so far is, what if someone just goes in and
breaks a lot of the seals but doesn't, doesn't actually do any other tampering?
He just say, breaks those, those stickers or tapes in order to try to disrupt the
election. So this kind of attack could create a
denial of service if you that, that would be very low in cost and probably easy to
get away with if you if you create evidence of fraud without committing it
you might you might prevent the votes from being counted in a timely manner, you
might cause a very long and protracted investigation, you might certainly
undermine voter confidence. So seals are just not very good at
distinguishing between that kind of denial of service attack and someone actually
getting in and tampering with the internals of the election.
The last thing I wanna talk about, having to do with seals, is a new approach to
making them. A, a way we might end up with much better
tamper evident seals. This is an idea that comes out of Roger
Johnston and his colleague's work at Oregon.
So the way that seals work mostly today, the, the, the current approach is, is what
we might call an evidence method. When the seal is tampered with it's
supposed to create and display some kind of visual indicator that, that cause,
creates evidence that it has been opened, like the void lettering in the background
of this tape seal you see here. Johnston's new approach is, something that
he and his colleagues call, anti-evidence, and this is a really, really neat concept.
So, the way it works is you can imagine your seal is some kind of electronic
device. And inside, it has some amount of secret
information, and it doesn't display this information.
But it has some way of proving to someone who challenges it that it knows this
information. For technical people, you might imagine
some protocol based on hashes or MACs. But what happens when the seal is broken
is that it erases that secret information. It can no longer do that kind of proof so
after it's broken there's no way to open it up and get the information, there's no
way to put that information back in. It's gone forever.
This is the nature of the anti-evidence approach and perhaps some day seals based
on an approach like this will be able to provide a stronger defense.
Explorer notre catalogue
Rejoignez-nous gratuitement et obtenez des recommendations, des mises à jour et des offres personnalisées.
Coursera propose un accès universel à la meilleure formation au monde,
en partenariat avec des universités et des organisations du plus haut niveau, pour proposer des cours en ligne.
© 2018 Coursera Inc. Tous droits réservés.
