Internet voting could open the door for election fraud

Nov 14, 2014 01:37 GMT

An attack on home routers could alter a vote cast over the Internet in an untraceable manner, by modifying the raw data traveling from the voter’s computer to the systems of the election authority, researchers have found.

Internet voting systems have started to gain popularity recently, as multiple governments have either begun testing programs of this sort or have already implemented them.

Original firmware replaced with malicious one

One of the proposed methods for voting over the Internet is through PDF files that are downloaded by the voter, filled with their choice, and then sent via email to the election authority.

In a paper titled “Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering,” researchers at Galois, a firm specializing in research and development of new computer technologies, present an attack method that can lead to changing the information in a ballot.

The approach used was to alter the firmware of an off-the-shelf router running a Linux-based operating system in a way that would make it inconspicuous unless a detailed analysis is performed.

Traces of tampering are very difficult to spot

Researchers say that the changes they made to the firmware code amounted to fewer than 50 lines and replace the kernel code responsible for handling packet transmission on network devices. Once compiled, the result would be indistinguishable from the original firmware.

Assessing traffic handling and careful inspection of the code would reveal the tampering. Some signs of modification do exist: one is slower TCP connections to ports 25 and 587, which are the standard ports for email communication. The second giveaway is that some byte sequences are replaced with different ones.

“To ensure that our attack had minimal impact on router performance, we ran several benchmarks to gauge its effect. On TCP connections to ports 25 and 587, we observed a slowdown of approximately 25%. This would definitely be a noticeable performance hit, but all commonly-used email clients send mail asynchronously in the background and end users typically do not monitor the speed of their outgoing email,” researchers say in the paper.

Multiple methods exist to compromise the router

Getting the malicious firmware onto the user’s router is a task that can be carried out by leveraging different vulnerabilities, one of the most common being UPnP (Universal Plug and Play), which is enabled by default.

Another way is to abuse the built-in update mechanism available in a large number of routers. DNS-based spoofing of the upgrade server could trick the router into installing the malicious update and fool the checksum verification mechanism, since both the hash of the file and the firmware appear to originate from the same source.

Moreover, in some cases, the update process lacks any sort of protection and the file is downloaded from an online location without any verification, except for its version number.
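The two weak update checks described above, next to a check that uses a trust anchor the download server cannot supply, as an added example that is not code from the paper or from any router vendor. The server contents, file names, version numbers and the pinned-digest table are constructed for illustration; on a real device a vendor signature verified against a public key stored in the firmware would play the role of the pinned digest.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample images; real firmware would be a binary blob.
GENUINE_FW = b"FW release 2, genuine image (constructed sample)"
TAMPERED_FW = b"FW release 2, tampered image (constructed sample)"

# Each "server" is modelled as the set of files it returns for one release.
VENDOR_SERVER = {
    "version": 2,
    "firmware.bin": GENUINE_FW,
    "firmware.sha256": sha256_hex(GENUINE_FW),
}
# Whoever answers for the upgrade host name controls every file it serves,
# so the checksum always matches the image that comes with it.
SPOOFED_SERVER = {
    "version": 3,
    "firmware.bin": TAMPERED_FW,
    "firmware.sha256": sha256_hex(TAMPERED_FW),
}

# Trust anchor held by the device or operator, not fetched with the update
# (assumption: digest obtained through a separate, authenticated channel).
PINNED_DIGESTS = {2: sha256_hex(GENUINE_FW)}

def version_only_check(server: dict, installed_version: int) -> bool:
    """Weak: accept any image advertising a newer version number."""
    return server["version"] > installed_version

def same_source_checksum_check(server: dict) -> bool:
    """Weak: compare the image with a hash served from the same place."""
    actual = sha256_hex(server["firmware.bin"])
    return hmac.compare_digest(actual, server["firmware.sha256"])

def pinned_digest_check(server: dict, release: int) -> bool:
    """Stronger: compare the image with a digest the server cannot change."""
    expected = PINNED_DIGESTS.get(release)
    if expected is None:
        return False  # unknown release: fail closed rather than install
    return hmac.compare_digest(sha256_hex(server["firmware.bin"]), expected)

if __name__ == "__main__":
    for name, srv in (("vendor", VENDOR_SERVER), ("spoofed", SPOOFED_SERVER)):
        print(name,
              "version-only:", version_only_check(srv, 1),
              "same-source hash:", same_source_checksum_check(srv),
              "pinned digest:", pinned_digest_check(srv, 2))
```

Both weak checks accept the image from the spoofed server; only the pinned-digest check rejects it, and it also refuses a release for which no trusted digest is known.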

Man-in-the-middle attacks are also possible for some devices, while one of the simplest methods is to take advantage of the weak credentials protecting access to the router’s configuration.

Safety measures do not guarantee 100% protection

The researchers propose multiple mitigation tactics, encrypting the ballot and/or the SMTP connection being two of them. However, these measures would not withstand a man-in-the-middle attack.

A more secure firmware upgrade mechanism is also on the list, but this would mean that only one attack vector would be eliminated.

“The overall conclusion is inescapable: unencrypted PDF ballots sent via electronic mail can be altered transparently, potentially with no sign of alteration, and certainly with no way to determine where on the network any alterations took place or the extent to which the votes have been corrupted. This method of vote submission is inherently unsafe, and should not be used in any meaningful election,” the researchers say.
