Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

CWE the Vote

It's a nice, sunny day in Cleveland, myfriends. Tonight, after the votes are counted, including myquadrennial write-in vote for "Lynard Skynard", the signs willstart coming down, the bumper stickers will start to fade in the sun,and the home phone will quit ringing. You see, I live in a magicalplace called Ohio, which for some reason, is responsible fordetermining the fate of the free world.

You know, Ohio, where people make carsout of barstools, and government officials invest in coincollections, and then lose them.

It's no joke living in a "battlegroundstate". This time around some people are even trying their hand atmessing around with the voting system itself. Those of us who haveparticipated in CTFs know what they're thinking – let's justforget this "points" nonsense and start targeting the scoringserver. Except that when we do it, dirty hackers that we are, it's somekind of nefarious thing. Sure Mr. Politician, unless it helps youwin, then it's just "politics":


The frustrating bit is that votingcould be a pretty darn secure system if we wanted it to be. Well how about this, since Skynard isn'tshowing up in the exit polls, and I'm already starting to get WolfBlitzer'd out (and it's not even noon), let's enumerate someweaknesses in the system, just for kicks. WithMITRE CWEs and everything.

#1. Rejected ballots

From the article:

"Earlier this week, Norman Robbins, the research director at the Northeast Ohio Voter Advocates, a nonpartisan voter-education group, notified Husted's office that thousands of requests for absentee ballots may have been rejected improperly statewide because of incomplete data checks by local election officials. The checks mistakenly showed that the applicants weren't registered to vote. Nearly 900 wrongly rejected ballot requests were found in Cuyahoga County alone, Robbins said.

I've read that a few times, and I'm still scratching my head. The term "rejected improperly" sounds like they were legitimate, but then someone decided they weren't for some reason. The checks showed they weren't registered to vote, but they actually were? And you got through how many of these before you figured that out?

Verdict: CWE-354: Improper Validation of Integrity Check Value

The software does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

It's kind of weird, because the application takes the data, and it's well-formed but now the app actually thinks it's invalid at some stage. Actually we'd probably just call this a bug, but it's a security issue here because votes are getting trashed. Think for a minute about this, if those were orders for a product with credit card numbers attached, is there any chance they'd get screwed up by something like this?

VP: "So it turns out we lost $1m last quarter because we threw out valid orders"

CEO: "You can fill three boxes with your personal items."

#2. Voter misinformation

From the article:

"Extra preparations will help, but they haven't stopped reports of phony election workers showing up at people's homes to collect their absentee ballots or anonymous callers falsely claiming that voters can stay home on Election Day and cast their ballots by phone."

Look at how cute – they're attacking the clients too, like what we did when WPA got all nasty on us: deauth the clients and watch for the handshake. But then you have to do some more work, possibly a lot more work depending on how its configured (WPS ftw). Ever think maybe we're in the wrong business?

The main issue here is that the "client application" thinks that it's sending the data to the right place, but in fact it's getting trashed. Hey wait a minute, that sounds like clickjacking...


I think there are two things going on here. First off, WHO BELIEVES THIS STUFF? I know that's an old, bad argument and "will someone please think of the old people?" etc etc. But jeez, send me those names and I'm going to get in the timeshare business. For you special phone-voters out there, I dub thee:

CWE-494: Download of Code Without Integrity Check

The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.

Don't you remember in school when Sergeant McGruff told us to make those creepy pseudo-cops show us their badge? The ones with the "police van" filled with candy? COME ON

BUT here's the other problem, there's no McGruff of the voting world. Seriously, there should be. I'm going to make one up called Punchy O'Balletbox, and he's going to do PSA's about how there is no such thing as voting by phone ("Look, you canna fit a ballot in it! That's how ya know!") but also there would be some kind of actual process that you could use to determine a valid polling place or worker.

The lack of this control (or at least the general public knowledge of it), gets you a nice big

CWE-693: Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Kind of a generalization, but it speaks to the fact that we know there are attacks against the system, in this case impersonation, and there just isn't much talk about it outside of these kinds of articles. And then we say "What a shame, I wish there was something we could do".

Punchy O'Balletbox, coming in 2016.

#3. Voter Suppression / Intimidation

The article again:

"They plan to challenge voters they suspect of casting ballots illegally."

I like the name "poll watcher". It sounds pretty innocent, like "bird watcher". I think of someone who wears a shirt that says GO DEMOCRACY and hangs around cheering on people as they fill in the circles, or whatever they do in there.

But it turns out that some of these people do more than watch. Just like those jerk birdwatchers that try to chase away the birds and question whether they actually live in a nest in this country. The last time that happened, I had to move to a different spot because the migratory birds started getting nervous. So annoying. In vulnerability terms, this one is like some kind of selective denial-of-service, where both the server and the voter are attacked – transactions are prevented based on some kind of criteria. I bet it's shoe size, because people get jealous about things like that.

Well it's a bit of a stretch, but let's think about:

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

It kind of fits. If there are a certain number of poll workers, each that can chase away one of those poll chaser/watcher/ticklers, I don't know, every half an hour, then yeah I guess you're eating up resources by being a jerk. And isn't that what DoS is all about? For the lulz.

Overall, though, the bigger picture: isn't this all the symptom of a bigger problem? It's like we're making this up as we go along or something. Kind of like making your own crypto, there are a lot of mistakes to make until you get an algorithm that can stand up to The Schneier. Seems like there should be a standard somewhere for this stuff, maybe?

CWE-358: Improperly Implemented Security Check for Standard

The software does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.

And if there isn't a standard, shouldn't there be? Like TLS and the whole CA system, which gets scrutinized constantly because it's so important for taking card numbers and converting them into money.

Hey maybe that's all that is missing, some capitalism:

Each candidate must sell a dozen ship containers of Blackberry Playbooks, and whoever runs out first wins.

Now there's a guy that can get stuff done.