[<prev] [next>] [day] [month] [year] [list]
Message-ID: <SNT111-W11AACC4D6562EC9C8B5CA9B60D0@phx.gbl>
Date: Sun, 18 Apr 2010 01:01:31 +0300
From: D V <digivoter@...mail.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Digivote replay attack
There is no integrity control for the communication between a URN external magnetic card reader
(DVDEK) and a URN PC (DVURN). As the data cable with D25 and D9 connectors connecting
DVDEK and DVURN is a standard data cable, it is possible to replace it with a similar data cable
with a hidden micro controller embedded in the connector. This hidden micro controller plays the
role of man-in-the-middle. It intercepts all communication between the URN external magnetic card
reader and the URN PC. Each time it wants to discard a vote, the micro controller replaces the data
read from the voting magnetic card with the data from a previous voting magnetic card. Otherwise
it relays the original data. Modifying the data is impossible, as this will invalidate the 8 byte MAC
signature at the end of the voting magnetic card data and thus fraud will be detected by the URN
software. But replacing the data of one vote by another previous valid vote is possible without
triggering the fraud detection systems.
One scenario for discarding votes for political party A.
To discard votes for political party A, replace the data cable by a data cable with a embedded micro
controller programmed to act like this:
1. Act transparently (relay all data without substitution) until a voting magnetic card is inserted
that has not been inserted in a MAV PC (this is a initialized voting magnetic card with blanc
vote, the Usage Flag in the data indicates that this card has not been inserted in a MAV PC).
Store the data of this blanc voting magnetic card in the memory of the micro controller, and
relay it to the URN PC. From now on, the micro controller acts as man-in-the-middle.
2. In man-in-the-middle mode, intercept all data. If it is the data of a voting magnetic card for
political party A, discard the data and relay the stored blanc voting magnetic card data to the
URN PC. Relay all other data unmodified to the URN PC.
Mitigation: certify and seal the data cables.
http://en.wikipedia.org/wiki/Electronic_voting_in_Belgium
3E054CF44706D1DF82D4BECF86C86EFB
_________________________________________________________________
Hotmail: Free, trusted and rich email service.
https://signup.live.com/signup.aspx?id=60969
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists