A small supplemental report was issued today pointing out additional concerns and high-priority areas for further study.
The supplemental study can be found here:
http://www.blackboxvoting.org/BBVtsxstudy-supp.pdf (many photographs, allow time for download)
Excerpts:
1. Flash memory erasure:
There seems to be a memory-card-triggered feature to erase the contents of flash memory. This destructive function was started in the TS6 with the file , and there are indications that the feature is carried over to the TSx with trigger file , if it is found on the memory card. This feature was not tested in Emery County and should be examined further.
2. Further study needed on macros:
TS6 and TSx machines include new macro capabilities as built-in features. These capabilities make use of a simplistic Windows Window Manager Message (WM_ message) recording and playback function. Presumably the feature was designed to automate volume testing. If so, it is important to understand that this approach bypasses part of the system and is therefore by no means equal to end-to-end testing. There are a number of concerns around this functionality warranting further study.
- The macro files are stored on the removable memory card as unprotected plain-text files. There are no protection mechanisms against modification of these files.
- Are the WM_message filters adequate?
- Is the processing function secure against buffer-overflow / boundary-overflow attacks and/or format-string attacks?
- Are the message parameters passed back to Windows boundary-checked, and is there proper exception handling in place?
Creation of and access to macros is available with poll-worker-level access, under some circumstances even without any smart-card authentication.
In preliminary testing the following issues were identified:
- The macro is not contained within the user-interface logic. Because of this, a macro can access settings, change the telephone number / IP address and initiate calls.
- Two machines with completely identical software release numbers behaved differently with the same macro. Machine A simply crashed and became unstable, while machine B produced an error message in the system log and contained the error, though still with a loss of software functionality. There were also other examples of different, but reproducible, software behaviors between machines with both modified and unmodified macros.
- File-handle processing seems to be flawed: it is interrupted by exceptions during macro processing, leaving file handles open.
- There seem to be user-interface race conditions which cannot be triggered by human interaction with the machine but are revealed by zero-delay playback of the recorded human actions, i.e. unmodified macros.
(See photos in report)
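The filter and boundary-check questions above, worked through as an added defender-side example (not code from the report, the study authors or any vendor): it parses a constructed, hypothetical plain-text macro line format and rejects anything outside an allowlist of window messages or outside the assumed screen bounds.

```c
/* Added example, not code from the report or from any vendor. It assumes a
 * hypothetical plain-text macro line "<WM name> <wParam> <x> <y>", e.g.
 * "WM_LBUTTONDOWN 1 120 300", and shows the controls the report asks about:
 * a message allowlist (filter), bounded parsing that cannot overflow, and
 * range checks on every parameter. Macro text never reaches a printf-style
 * formatter, so a format-string payload in the file is inert. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* Real Win32 message ids (winuser.h values); only these may be replayed. */
#define WM_KEYDOWN      0x0100
#define WM_KEYUP        0x0101
#define WM_LBUTTONDOWN  0x0201
#define WM_LBUTTONUP    0x0202
#define SCREEN_W 1024          /* assumed touch-screen bounds */
#define SCREEN_H 768
#define MAX_LINE 64            /* longer lines are rejected, not truncated */
typedef struct { unsigned msg, wparam; int x, y; } macro_step;
static const struct { const char *name; unsigned id; } allow[] = {
    {"WM_KEYDOWN", WM_KEYDOWN}, {"WM_KEYUP", WM_KEYUP},
    {"WM_LBUTTONDOWN", WM_LBUTTONDOWN}, {"WM_LBUTTONUP", WM_LBUTTONUP},
};

/* Parse one decimal token; reject trailing junk and out-of-range values. */
static int parse_num(const char *s, long lo, long hi, long *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno || end == s || *end != '\0' || v < lo || v > hi) return 0;
    *out = v;
    return 1;
}

/* Returns 1 and fills *step for an allowed, well-formed line; 0 otherwise. */
int parse_macro_line(const char *line, macro_step *step) {
    char buf[MAX_LINE];
    if (strlen(line) >= sizeof buf) return 0;   /* length checked before copy */
    strcpy(buf, line);
    char *name = strtok(buf, " "), *w = strtok(NULL, " ");
    char *xs = strtok(NULL, " "), *ys = strtok(NULL, " ");
    if (!name || !w || !xs || !ys || strtok(NULL, " ")) return 0; /* exactly 4 */
    size_t i, n = sizeof allow / sizeof allow[0];
    for (i = 0; i < n && strcmp(allow[i].name, name) != 0; i++) {}
    if (i == n) return 0;                        /* message not in the filter */
    long wp, x, y;
    if (!parse_num(w, 0, 0xFFFF, &wp) || !parse_num(xs, 0, SCREEN_W - 1, &x) ||
        !parse_num(ys, 0, SCREEN_H - 1, &y)) return 0;
    step->msg = allow[i].id; step->wparam = (unsigned)wp; step->x = (int)x; step->y = (int)y;
    return 1;
}
```

A replay loop that only dispatches steps this parser accepts would also want an integrity check (for example, a keyed MAC) on the macro file itself, since the report notes the files are unprotected on the card.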
3. Back door
The TS6 is likely to have an additional back door for accessing Windows, though this could not be tested in Emery County; it is also unknown whether any of this, in any form, has been carried over to the TSx. Further source-code analysis of the well-known "CVS.TAR" file, which contains source code for the TS6 and has been widely used in touch-screen system security studies, has revealed this feature.
The fact that this back door has not been published before underlines that the source-code reviews performed thus far have not been conclusive.
The start-up program for the ballot station looks for the existence of on the memory card. The file itself can be empty, because the found file, based on its name alone, triggers the execution of a general-purpose file-management utility program instead of the ballot station, thereby enabling access to the operating system. This back door has also been documented in :
4. Automatic deletion of files, including election file-extension files:
If the memory card is full, the system will, without any interaction with the user, start to delete files from the card to free up space. This deletion will also remove files with election file extensions from the election subdirectory. There is no way to verify which logic the system follows when choosing the files to be deleted.
More concerns:
- Outdated OpenSSL version
The OpenSSL used in the TSx BallotStation 4.6.4 software is an outdated version, 0.9.7e, dated 25/10 1994, which is known to contain security vulnerabilities. At the time of writing the most current versions are 0.9.7j and 0.9.8b.
- Certificate will expire
The cryptographic certificates of the TSx machines examined in Emery County have an expiration date of 1/31/2009. The installation/replacement process for a renewed certificate was not studied.
- Piggyback connectors under modem
The modem is implemented on the motherboard as a piggyback module. However, there are two sets of connectors underneath this modem, built for two different kinds of piggybacks. It is unknown what the other kind of piggyback module would enable.
Additional concerns and many photographs are contained in the report.
PERMISSION TO REPRINT GRANTED WITH LINK TO http://www.blackboxvoting.org