
[Full-disclosure] Digivote replay attack




There is no integrity control for the communication between a URN external
magnetic card reader (DVDEK) and a URN PC (DVURN). As the data cable with D25
and D9 connectors connecting DVDEK and DVURN is a standard data cable, it is
possible to replace it with a similar data cable with a hidden microcontroller
embedded in the connector. This hidden microcontroller plays the role of
man-in-the-middle. It intercepts all communication between the URN external
magnetic card reader and the URN PC. Each time it wants to discard a vote, the
microcontroller replaces the data read from the voting magnetic card with the
data from a previous voting magnetic card. Otherwise it relays the original
data. Modifying the data is impossible, as this will invalidate the 8-byte MAC
signature at the end of the voting magnetic card data and thus fraud will be
detected by the URN software. But replacing the data of one vote by another
previous valid vote is possible without triggering the fraud detection systems.

One scenario for discarding votes for political party A.
To discard votes for political party A, replace the data cable by a data cable
with an embedded microcontroller programmed to act like this:

    1. Act transparently (relay all data without substitution) until a voting
       magnetic card is inserted that has not been inserted in a MAV PC (this
       is an initialized voting magnetic card with blank vote, the Usage Flag
       in the data indicates that this card has not been inserted in a MAV
       PC). Store the data of this blank voting magnetic card in the memory
       of the microcontroller, and relay it to the URN PC. From now on, the
       microcontroller acts as man-in-the-middle.
    2. In man-in-the-middle mode, intercept all data. If it is the data of a
       voting magnetic card for political party A, discard the data and relay
       the stored blank voting magnetic card data to the URN PC. Relay all
       other data unmodified to the URN PC.

Mitigation: certify and seal the data cables.

http://en.wikipedia.org/wiki/Electronic_voting_in_Belgium
3E054CF44706D1DF82D4BECF86C86EFB
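
An added illustration, not part of the original post and not Digivote code: it shows why a MAC over the card data catches modification but not a repeated valid record, and how a receiver-side duplicate check would flag the repeat. The record layout, the unique card serial, the key and the HMAC-SHA256 stand-in for the 8-byte MAC are all assumptions made for this sketch.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; the real key and MAC algorithm are not on the page
MAC_LEN = 8                    # the post states an 8-byte MAC at the end of the card data


def mac(payload: bytes) -> bytes:
    # Stand-in MAC (assumption): HMAC-SHA256 truncated to 8 bytes.
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:MAC_LEN]


def make_record(serial: int, usage_flag: int, vote: bytes) -> bytes:
    # Hypothetical layout: 4-byte card serial | 1-byte usage flag | vote | 8-byte MAC
    payload = serial.to_bytes(4, "big") + bytes([usage_flag]) + vote
    return payload + mac(payload)


def mac_ok(record: bytes) -> bool:
    # Integrity check only: says nothing about whether the record is fresh.
    if len(record) <= MAC_LEN:
        return False
    return hmac.compare_digest(mac(record[:-MAC_LEN]), record[-MAC_LEN:])


class Urn:
    """Hypothetical receiver: MAC verification plus a set of records already seen."""

    def __init__(self):
        self.seen = set()

    def accept(self, record: bytes) -> str:
        if not mac_ok(record):
            return "rejected: bad MAC"
        if record in self.seen:  # relies on the assumed per-card serial being unique
            return "rejected: duplicate record"
        self.seen.add(record)
        return "accepted"


def demo():
    urn = Urn()
    blank = make_record(1, 0, b"BLANK")   # constructed sample records
    vote = make_record(2, 1, b"LIST-A")
    tampered = vote[:5] + b"LIST-B" + vote[-MAC_LEN:]  # vote changed, old MAC kept
    return [urn.accept(r) for r in (blank, tampered, blank, vote)]


if __name__ == "__main__":
    print(demo())
```

The duplicate check only works if every card record is unique; two cards carrying byte-identical data would be indistinguishable from a repeat.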

                                          
