# Last edited on 2012-03-24 18:19:57 by stolfilocal

Researcher cracks Brazilian voting machine

The security of Brazilian electronic voting machines was broken last week by professor Diego F. Aranha (24) and a team of students from the University of Brasília. By processing the public reports that are printed by the machine at the end of the election, they managed to determine precisely the time at which each vote for each candidate was cast. Therefore, one could tell how a person voted from the time when he cast his ballot, or by taking note of the order in which people voted on the same machine.

Diego's feat is exceptional in that it did not require any "hacking" or tampering with the voting machine; he merely exploited a weakness of the official voting software and of the public reports. Anyone who knows the weakness can apply the exploit any time after the election, without any interaction with the voting machine, the election tallying system, or any other special privilege.

The Brazilian voting system

Understanding Diego's exploit requires some background. Brazil is one of the few countries in the world that still use fully digital ("Direct Recording Electronic", or DRE) voting machines, without any voter-verifiable material record. Each machine is a standard PC with an integral LCD screen and a numeric keyboard for the voter. A separate terminal, connected by a serial cable, allows the election officer to unlock the machine by entering the voter's ID number. Instead of a hard disk, an internal flash-memory card stores the operating system (Windows in older units, Unix in newer ones) and the voting software. A second, externally removable flash card is used to load local data (such as voter and candidate lists) just before the election, and to write the vote totals and other reports at the end of the day.

Brazilian elections, which happen every two years, use over 400,000 machines to collect about 100 million votes in a single day.
Their software was written and is maintained by the Election Justice (JE), a branch of the Judiciary which is also in charge of voter and candidate registration, campaign monitoring and regulation, voting machine deployment and operation, and vote tallying.

Those machines were deployed in 1996, ostensibly to prevent widespread voting frauds like ballot stuffing, miscounting, and voter coercion. However, they introduced even bigger fraud risks of their own. In particular, they created the risk (well known to voting specialists) of country-wide vote stealing by malicious changes to the voting machine software. A programmer with inside access could easily do that in such a way as to foil any safety checks, and then erase every trace of the fraud after printing the tampered vote totals. Without a software-independent means to recount votes, it is impossible to detect that type of fraud, during or after the election.

"Virtually materialized" ballots

Brazilian election authorities, who take great pride in their original invention, have always denied those risks, claiming (against all logic) that the software could certify itself and thus was 100% safe against any fraud. Nevertheless, in 2001 Congress ordered them to modify each machine so as to provide a printed record of each ballot, which would be verified by the voter and automatically deposited in a sealed ballot box. Vote secrecy would be ensured by the physical scrambling of the printed votes in the ballot box. By recounting these voter-verified material records (VVMRs) one could then detect tampering of the digital totals, and vice versa.

The JE authorities were strongly opposed to this improvement, and in 2003 convinced Congress that the printed votes could be replaced by the so-called Digital Voting Record (RDV): a listing of all the individual ballots, to be produced by the voting machine as a single file at the end of the election.
To preserve vote secrecy, these virtual ballots would not identify the voter, and their order would be scrambled by software before printing. The JE authorities claimed that recounting the ballots listed in the RDV would provide the same protection against fraud as VVMRs. As any programmer knows, this claim is obviously nonsense, since any malicious software that tampered with the vote totals could easily modify the RDV to match them. Still, JE-friendly congressmen managed to get the proposal approved in "extreme urgency" mode, without any public hearings and bypassing the Congressional technical committees which could have spotted the flaw.

The JE authorities have collected these RDV files in every election since 2004. By law the RDVs should have been made available to the public, together with the vote totals; however, for reasons that are best told elsewhere, they were released only in 2008 and 2010.

The JE hacker challenges

The Brazilian voting machine software is officially a state secret protected by stiff criminal penalties. It is also illegal to buy a voting machine, or even to build a replica. In response to criticism, JE has commissioned a couple of security evaluations by carefully selected panels of computer scientists (whose reports have done more harm than good to its reputation), and has allowed political parties to inspect the code before each election. These code inspection events have evolved into pre-election "hacking challenges" where critics are invited to break the voting machine, either by tampering with the vote totals or by violating vote secrecy.

Like the previous code inspections, these challenges are basically public relations shows, carefully designed to minimize the risk of any flaws being uncovered. Would-be "hackers" must register beforehand, and must sign nondisclosure agreements that forbid them from revealing details of the code to anyone else.
This year there were 24 people (half of whom ended up being non-specialist programmers from various government agencies) in nine teams. The challenge was carried out in JE offices, with JE officials monitoring all internet usage. The would-be hackers are given only three days to inspect the voting machine software (which is presently over a million lines of source code!) and to perform their attacks (which must first be described to the JE officials and authorized by them). They cannot use any software analysis tools, not even "grep". Most importantly, these "hackers" are not allowed to modify the software: they are supposed to hack a machine that has been initialized with legitimate JE software.

Diego Aranha's discovery

Diego and his students (Marcelo M. Karam, André de Miranda and Felipe B. Scarel) were one of the teams who took part in this year's challenge. While inspecting the RDV scrambling code, Diego observed that it was rather crude, so much so that the scrambling could be undone using only the information provided in the RDV itself and in other public files printed by the machine. The UnB team then set out to use this knowledge on a voting machine that had undergone a simulated election. The team initially described their goal to JE as the correct ordering of 20 votes, but the officials raised the criterion for success to the identification of at least 80% of the votes. In the end the team correctly identified the original order of 484 of the 485 ballots that were cast. (One ballot was misplaced due to a typo made by the team.)

Moreover, the JE voting machine also prints a "log" file that lists all significant events that occurred during the day, with their times to the second. This list includes the exact time at which each voter cast his ballot. Thus, by pairing the machine's log with the RDV list as unscrambled by Diego, it is possible to pair up the choices of each voter with the time when he voted.
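To show why a software shuffle can be undone from public printouts, here is an added Python illustration; it is not the JE code nor the UnB team's method. Since the page does not describe the actual scrambling mechanism, the example assumes a shuffle driven by a seeded PRNG whose seed (the hypothetical PUBLIC_SEED) appears in a public report, and the ballots and log times are constructed sample data.

```python
import random
import secrets

# Constructed sample data (not from the page): ballots in the order they were
# cast on one machine, and the per-vote times a machine log would print
# (to the second, no voter ID).
BALLOTS_IN_CAST_ORDER = ["13", "45", "13", "22", "45", "13"]
LOG_TIMES = ["08:02:11", "08:05:40", "08:06:03",
             "08:09:57", "08:12:30", "08:15:02"]
# Assumption for illustration: the shuffle is seeded from a value that also
# appears in a public printout (here a hypothetical timestamp-like integer).
PUBLIC_SEED = 20120324


def weak_scramble(ballots, seed):
    """Produce the published list by shuffling with a PRNG seeded publicly."""
    order = list(range(len(ballots)))
    random.Random(seed).shuffle(order)   # fully determined by the seed
    return [ballots[i] for i in order]   # rdv[j] holds ballot cast at order[j]


def unscramble(rdv, seed):
    """Recover cast order: replay the same permutation and invert it."""
    order = list(range(len(rdv)))
    random.Random(seed).shuffle(order)   # same seed, same permutation
    recovered = [None] * len(rdv)
    for rdv_pos, cast_pos in enumerate(order):
        recovered[cast_pos] = rdv[rdv_pos]
    return recovered


def time_choice_list(rdv, seed, log_times):
    """Pair each recovered ballot with the vote time from the public log."""
    return list(zip(log_times, unscramble(rdv, seed)))


def secure_scramble(ballots):
    """Fix on the scrambling side: draw the permutation from the OS CSPRNG.

    There is no seed to print, so nobody can replay the shuffle from the
    reports; the tally (the multiset of ballots) is unchanged.
    """
    order = list(range(len(ballots)))
    secrets.SystemRandom().shuffle(order)
    return [ballots[i] for i in order]
```

The other half of the fix is on the log side: a log that records each vote to the second turns any recoverable order into a time-choice list, so per-vote timestamps should not be printed at all.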

Implications

The immediate implication is that JE will have to replace the fragile RDV scrambling procedure with a more secure one. However, the discovery raises serious questions about past elections. Because of rumors (and, in some cases, formal complaints) of election fraud, after the 2008 and 2010 elections the RDV and log files for thousands of voting machines were fetched from JE's site and widely circulated. Many of those files are probably still stored on disks and DVDs out there. There is no reason to assume that a different scrambling procedure was used in those elections. If that is the case, anyone with access to those files could use Diego's unscrambling method to obtain a time-choice list.

Fortunately, the log file does not show the voter ID number; otherwise the last bit of secrecy would evaporate and everybody's votes would be in the clear. Still, partial knowledge of the order and time of each vote, as may be remembered by other people, may be enough to reveal the choices of some voters. For example, if you remember that you voted for an unpopular candidate between 10:00 and 11:00, and also who was next to you in line, you may be able to identify your own entry in the list, and then the next entry will reveal that person's vote.