The vote hacking village at DefCon25 was an eye-opening experience in the world of what-ifs, worst-case scenarios, and the results of utter carelessness.
How We Worked
As the village opened on Friday, I sat down at a Diebold ExpressPoll 5000, along with another teammate. For the next five hours we worked together to figure out how to compromise the device, but the first step was making the thing work.
The ExpressPoll 5000 is a voter registry lookup device that is supposed to allow election workers to verify voters in a precinct, and print voting cards at the polling station. Optional peripheral devices for the Express Poll include a printer, and a barcode scanner. The Express Poll has two slots in the top - one for a PCMCIA card, and one for a Compact Flash card, as well as 2 USB ports and a cat5 networking port in the back.
The physical security of the Diebold ExpressPoll 5000 is weak, to say the least. The PCMCIA and Compact Flash cards are covered by a small plastic case, with a very small loop that one could attach tamper evident tape, or a very thin zip tie to. Tamper evident tape and zip ties, however, are very easily breached, as demonstrated in the DEF CON Tamper Evident village next door. The USB ports, and networking cable, on the other hand, are completely open to the world, and very easy to access.
We removed the PCMCIA card from the ExpressPoll, and put it into a reader, to see just what was on there. To our delight, there was a file called PollData.db3 - a great place to start. The PollData.db3 file was empty, but not encrypted, so writing to it was simple matter.
The main login screen for the Express Poll 5000 has fields for a Poll Number, User Name and Password. A quick trip to Google for some documentation for the device showed a hard-coded admin user name of 1, and a password of 1111. Surely this couldn’t be the case, we thought. We were wrong, and 1 and 1111 got us into the device.
Upon typing in the password, we were greeted by a SQLite error, stating that a required data table was missing. Well, how convenient! We could create the table and fields ourselves, in the PollData.db3 file, and see where that would lead us. We popped the PCMCIA card out, and into a reader, and within seconds had that SQLite error resolved, and were on to another one.
Note: for those who know a little about databases, the use of SQLite as a production (never mind election) database is a questionable one. SQLite does not allow for multiple levels of privileged access, meaning that anybody with access to the database and read and write to the database. After a couple hours of shuttling the card between the device and the reader, and solving SQLite errors that popped up, and we were finished. We had a working Diebold ExpressPoll 5000, that let us cycle through screens, and open polls for voting.
The next step was to load some fake data, including a precinct, a polling place, and a voter, Votey McVoteface. This was an easy enough matter, and already we have exposed vulnerability in the machine - the ability to simply write to the database using a card reader, without having to deal with encryption, or write protection. Using this method, one could add voters, delete voters. We could also change the defined boundaries of a voting precinct, in order to add or drop voters from their polling place, and leave them without somewhere to vote, or allow them to vote in multiple locations, all without physical access to the Diebold polling machine. All it would take is one naive or malicious poll worker, at any level, to compromise an election in this fashion.
A keyboard plugged in to the USB port of the ExpressPoll allowed interface with the UI on the screen, but did not provide any additional access to functions, or vulnerabilities.
A compact flash card was found, containing a SQLite database of some 600,000 voter records in Tennessee, formatted for the ExpressPoll. Someone sold a Diebold ExpressPoll 5000, containing this card, on eBay.
The very presence of this card at DEF CON, a well-known hacker conference, or indeed anywhere outside of an incinerator, is a huge vulnerability, as it indicates that personal and voter records are clearly not treated with respect, or any sort of security. The entries within this database could be altered, deleted, or appended to, demonstrating that even voter records used in an actual election could be altered by anybody with access to basic hardware.
From a firmware perspective, the Diebold ExpressPoll 5000 searches the Compact Flash card for, and runs, binaries upon boot. These binaries can be unsigned - that is, they are not from a trusted party, and can contain malicious code. It would be again, a trivial matter to inject code to carry out malicious functions into this machine, simply by turning it off, and turning it back on again.
We did not have the opportunity during DefCon to take a look at the peripheral devices, such as the barcode scanner, or the printer, so it is hard to make assumptions based on what we have not seen. However, due to the complete lack of attention to obvious security flaws, one could easily predict that the scanner may be vulnerable to attack as well, through maliciously designed barcodes, while the printer may be susceptible to the many known printer vulnerabilities.
In short, the Diebold ExpressPoll 5000 is a piece of election hardware that is compromised to the core, and creates a hacker-friendly platform for large-scale election manipulation, on multiple fronts. The manufacturer took no security precautions when designing and implementing the database and firmware into this system, leaving those who use it vulnerable to a cornucopia of election fraud.