Wednesday, August 12, 2009

Sequoia e-voting machine commandeered by clever attack

Using a method known as return-oriented programming, computer scientists have figured out how to trick a widely used electronic voting machine into altering tallies by bypassing measures that are supposed to prevent unauthorized code from running on it.

The Sequoia AVC Advantage machine is programmed to execute code only when it's stored on read-only memory chips that are difficult to install and remove. Expressly forbidding code from running in random access memory was intended to make it impossible for attackers to inject malicious programs that might compromise the integrity of an election.

However, a computer science research team from Princeton, UC San Diego and the University of Michigan succeeded with an attack by first reverse engineering the hardware of a legally purchased Sequoia AVC Advantage and then reverse engineering the software it ran by analyzing the ROM. The research was presented this week at the 2009 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections.

"It's excellent research," said David Wagner, a computer scientist from the University of California at Berkeley who attended the conference. "The research is significant because it illustrates that attacks get better over time and it shows just how difficult it is to protect paperless voting systems."

See article in The Register.