A group of security researchers has published a fascinating study that demonstrates how to hack a Sequoia AVC Advantage voting machine. We have already seen several electronic voting machines hacked by experts in controlled environments, but this study goes a step further and shows that it can be done in the wild without privileged access to source code or other specialized materials.

The study was conducted by a group of voting machine security experts led by Ed Felten, the director of Princeton's Center for Information Technology Policy. They used a technique called return-oriented programming to circumvent the built-in security mechanisms in an AVC Advantage voting machine and cause it to divert votes from one candidate to another in a simulated election.

In addition to providing a chilling example of the potential for real-world election hacking, the study also explores some important questions about the longevity of voting machine security. A well-designed machine that provides highly robust security today might become vulnerable over time as new hacking techniques emerge. The researchers point out that electronic voting machines will generally have long service cycles due to the lengthy procurement and certification process.

The AVC Advantage has several characteristics that make it more secure than many other voting machines. It has hardware mechanisms that prevent it from running code from RAM. This effectively protects against attacks that involve arbitrary code injection. To circumvent this security measure, the researchers used a technique called return-oriented programming that involves co-opting bits of code that are already in the system.

By chaining together small snippets of regular code from the system ROM, it becomes possible to perform more sophisticated and specialized operations—such as redirecting votes—without having to inject malicious code. This is a relatively novel technique that emerged in 2007, and some of the earliest research on return-oriented programming was published by Hovav Shacham of UC San Diego, one of the security experts who contributed to the AVC Advantage study.

"Since the AVC Advantage is a Harvard architecture computer, traditional code injection attacks cannot succeed because any attempt to read an instruction from data memory causes an NMI which will halt the machine," the paper explains. "In practice, given a large enough corpus of code, this is not a barrier to executing arbitrary code using return-oriented programming—an extension of return-to-libc attacks where the attacker supplies a malicious stack containing pointers to short instruction sequences ending with a ret."

The hack

The team wrote a small program that searched the BIOS for groups of instructions ending in "ret." They found sequences that could be used together to manipulate the machine's behavior and control its hardware peripherals, including LCDs and memory cartridges. They then devised a pseudo-assembly based on these code snippets.
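To make the argument in the paper's quote concrete, here is a toy Harvard-architecture machine, written for this article and not taken from the study: instructions can only be fetched from ROM, a fetch from RAM triggers the equivalent of the NMI, and yet a stack holding nothing but addresses of RET-terminated ROM snippets still composes behaviour the ROM's author never wrote. The ROM contents, address split, instruction set and gadget addresses are all constructed for illustration.

```python
RAM_BASE = 0x100   # constructed address split: ROM lives below 0x100, RAM above
NMI = "NMI: instruction fetch from data memory halts the machine"
# Constructed ROM image: a normal tally routine at 0x00, plus three subroutines
# ending in RET. Their RET-terminated tails are the reusable "gadgets".
ROM = {
    0x00: ("LOAD", 1), 0x01: ("OUT", "tally"), 0x02: ("HALT", None),
    0x10: ("LOAD", 7), 0x11: ("RET", None),     # gadget: set accumulator
    0x20: ("ADD", 3), 0x21: ("RET", None),      # gadget: add to accumulator
    0x30: ("OUT", "lcd"), 0x31: ("RET", None),  # gadget: drive a peripheral
}

class HarvardMachine:
    def __init__(self):
        self.ram = {}                # data memory; the stack lives here too
        self.sp = RAM_BASE + 0x40    # stack grows downward
        self.acc = 0
        self.outputs = []            # what reached the peripherals
    def push(self, value):
        self.sp -= 1
        self.ram[self.sp] = value
    def pop(self):
        value = self.ram[self.sp]
        self.sp += 1
        return value
    def run(self, pc, max_steps=100):
        for _ in range(max_steps):
            if pc >= RAM_BASE:       # the hardware rule: never execute data memory
                return NMI
            op, arg = ROM.get(pc, ("HALT", None))
            if op == "LOAD": self.acc = arg
            elif op == "ADD": self.acc += arg
            elif op == "OUT": self.outputs.append((arg, self.acc))
            elif op == "RET": pc = self.pop(); continue
            elif op == "HALT": return "halt"
            pc += 1
        return "timeout"

def code_injection_attempt():
    # Instructions written into RAM and jumped to: stopped by the NMI rule.
    m = HarvardMachine()
    m.ram[RAM_BASE + 0x10] = ("LOAD", 99)
    return m.run(RAM_BASE + 0x10)

def return_oriented_chain():
    # A stack holding only ROM addresses: every fetched instruction is genuine ROM,
    # yet LOAD 7 / ADD 3 / OUT lcd is a program the ROM's author never wrote.
    m = HarvardMachine()
    for addr in reversed([0x10, 0x20, 0x30, 0x02]):   # gadgets, then a clean HALT
        m.push(addr)
    return m.run(0x11), m.outputs   # begin at a RET, as a corrupted return would
```

The defensive lesson is the one the paper draws: an execute-only-from-ROM rule stops injected code, but it says nothing about which order the ROM's own instructions run in, so stack integrity (bounds checks on cartridge data, canaries, or a separate return stack) matters just as much as the fetch restriction.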

The researchers reverse-engineered an AVC Advantage machine that was purchased through a government surplus auction site. A researcher was able to buy five units for only $82. Through their reverse engineering efforts, the team documented the voting machine's internal operations and made an emulator for developing and testing hacks.

The hack is deployed in a modified results cartridge. It exploits a buffer overflow vulnerability in the machine's cartridge handling code to gain control of the stack and direct the machine to execute the selected code sequences that fulfill the malicious objective. The exploit, which was developed entirely on the group's home-rolled emulator, worked with the real hardware on the first try.

The researchers were able to devise and implement this hack in roughly 16 man-months of labor without having any access to the actual source code or non-public documentation. It worked flawlessly on actual devices during tests and could be used by a sufficiently motivated individual to manipulate the outcome of a real election. The team estimates that a comparable hack could be funded in the private market for as little as $100,000.

Democracy has never seemed so cheap.
