Voting Village - Analysis of Security Data Collected during the Mobile Voting Pilots
Formal metadata
Title: Voting Village - Analysis of Security Data Collected during the Mobile Voting Pilots
Series title: DEF CON Safe Mode
Number of parts: 374
License: CC Attribution 3.0 Unported: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in original or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers: 10.5446/50762 (DOI)
Transcript: English (automatically generated)
00:01
Good afternoon, everybody. My name is Nimit. I'm one of the co-founders at Voatz, and I'm here to talk about some of the security data we've collected during the course of our mobile voting pilots over the last couple of years. So before we dive into the data, just a quick overview about Voatz.
00:22
So many of you may know Voatz is the youngest elections company in the U.S. We got started almost by accident, after winning a hackathon at South by Southwest in Austin, Texas, back in 2014. The theme of the hackathon was Hacked to the Future:
00:43
it's the one thing you would do in the future and how you would do it. And so my brother and I entered that, and we ended up prototyping this new election system which used smartphones, biometrics, real-time identity verification, and then also locked the ballots on a blockchain-based infrastructure.
01:06
To our surprise, we ended up winning the first prize, and that led to a whole series of events, and eventually the company started in 2015. So since then we've done 67 elections so far, and
01:25
government election pilots; we've also done non-governmental elections, primarily with the state political parties in various states. And so some of the data we're going to share today covers a wide array of our
01:42
elections from a security perspective, and then we'll also dive into a couple of really interesting elections we did recently where, for the first time, we were able to collect a lot of interesting data. So I'll begin with a quick introduction about our system. It's a
02:03
smartphone app-based mobile voting platform, and the key components here are essentially the voter's smartphone devices, so an iPhone or a compatible Android. Then you have the cloud infrastructure where the back-end servers are running, and also distributed
02:23
blockchain infrastructure, and then you have the election administration-specific interfaces to the election jurisdiction, and then from there their traditional infrastructure: ballot printers and tabulation equipment. And the way the entire process works is
02:44
essentially, right now the system is being piloted only for absentee voters, and within absentee voters a very small subset of people: essentially military voters who are deployed, their families, and any US citizen who's living overseas.
03:02
They're commonly referred to as UOCAVA voters. And so if you're in that eligible group and your jurisdiction is participating in a pilot, then you sign up normally as an absentee voter and then submit a form to your election clerk,
03:20
typically your county clerk, and then they do a little bit of vetting, and then if you are eligible they will pre-provision you on the Voatz system, and then you get an invitation to download the application on your smartphone, iPhone or compatible Android device. So you begin with an email ID and a mobile number, and then once you've done the initial
03:44
onboarding, you are asked to do an identity check. So you'll have to take a picture of a government-issued photo ID. Right now you can use a driver's license, state ID, or passport; you can use some other forms of ID as well
04:01
if you don't have those three, but those are the most commonly used ones. And then once you've done the scan in the application, front and back, then you're asked to take a live video selfie. Then once you've completed that, it does a matching to make sure the picture you took of yourself matches the picture on the ID.
04:23
A liveness check is done as well, to weed out the fakes or any other kind of fraudulent activity, and once everything matches, the data on your ID is compared to the voter registration file, which is provided to us by the jurisdiction for the pilot.
04:42
Once all that matches, your identity is digitized and stored in the secure space on the handset, and all the documents you've provided are deleted at that point, because we don't need them. We don't want to increase the threat surface after that as well.
05:00
So at this point you're ready to receive your ballot. So you can see from the flow diagram, essentially a 10-step process. And once you've received the ballot, it's essentially your mobile representation of your actual paper ballot, which you would receive if you went to vote in person at your precinct or if you opted into vote by mail.
05:22
Essentially the same ballot you get here. And so you mark the ballot on the phone, and then you may be asked to sign an affidavit, signed with the finger on the screen, and then once you're ready to submit, you confirm your choices, do your biometric verification on the device again, and at that point your ballot gets
05:42
submitted to the network, anonymized, and you get a receipt so you can verify your selections and then also participate in the audit process as well. And in the background the jurisdiction gets an anonymized copy of your receipt, and then close to election day the paper ballot is printed.
06:05
There's a pre-tabulation audit. On election day, printed paper ballots are tabulated just like other paper ballots, and there's no hand reproduction required. And then once the elections are already in the canvass phase, there's a full audit where receipts are prepared, so end-to-end.
06:23
That's how the process works. Now that we've looked at kind of how the system functions, let's look at the threat model. So as you can see, it's a pretty interesting threat model here, obviously because it's an internet-connected device. It is different from
06:46
traditional methods of voting. So let's kind of run through the flow, and at each step we can look at some of the threats. This is the first phase: as you saw, you opted in, the county clerk approves you, and then you
07:02
start to download the app. So obviously, if you're not careful, you could download an incorrect app by mistake, or the app may already be compromised ahead of time by a bad actor, or there may be malware on your device which, you know, prevents normal functioning of the application. So that's kind of the first stage.
07:24
Next, look at, now you're at the voting stage. So the threats here are maybe the biometric capability on your phone isn't working as it's supposed to, and obviously at this stage, with this malware, apps can be reverse engineered and attempts can be made to change how you're voting.
07:44
So that's a threat vector, and we'll see how there are ways to mitigate that a little bit later. Then obviously in the transmission phase, if the transmission channel is not secured, that data may never reach the destination or may get corrupted on the way.
08:01
So we look at ways as to how that can potentially be mitigated as well. And then the voter gets a receipt. So for the receipt, there's a chance somebody else may get hold of your receipt if you're not careful. Obviously, that's an active area of research, on how to create self-destructing
08:21
receipts, but it's a potential threat vector. And so, finally, once the ballots reach the jurisdiction, as they are printing the paper ballot for tabulation, they do a pre-tabulation audit. So there is a potential threat vector, which would likely get caught by the pre-tabulation audit.
08:44
Nevertheless, important to keep in mind. We thank the LA Times for making this nice picture available to us; very nicely done, makes it simple to understand. And so now that we've looked at kind of the high-level threat model, let's look at what kind of threats we've seen in the wild over the last couple of years.
09:05
So we like to group them into a few different categories. So there's obviously threats at the device level, there's threats at the network level, and so those are kind of user-centric scenarios, and then
09:20
overall is the cloud infrastructure, our corporate network. So obviously those are areas of interest as well. So in terms of what we've seen: passive scanning, obviously, which happens to pretty much everybody these days who has a public-facing web asset.
09:40
We've also seen active analysis of our assets, so people actually trying to reverse engineer all that stuff; phishing of our staff, clients; email spoofing attempts as well; social engineering, and we're all really well aware of what happened recently.
10:04
We've had attempts, phone calls, people pretending to be who they're not. We've seen DNS tampering attempts as well, SIM swap, SIM takeover attempts, and then reverse engineering of the mobile applications, sometimes partial, and then through the analysis,
10:24
mobile API-level attacks: people actually trying to figure out how the API is working and trying to attack it. We've also seen, on the Android side, attempts to compromise the TEE where some of the keys are stored.
10:40
And then malware: we do come across malware on several devices, and you'll see later on, in one of the case studies, an interesting case that came to light. So before we dive into some of the data, it'd be useful to look at the MITRE ATT&CK framework.
11:02
So recently MITRE updated the mapping for not just the enterprise side, which covers the cloud aspects in our case, but also the mobile side. So we mapped that data to what we've seen. As you can see, on iOS some interesting things to note at the device level, and then similarly network-based
11:25
vectors. So we already spoke about the SIM swap, and then you'll see some of the other ones in the data ahead, such as rogue Wi-Fi and things like that. Similarly on the Android side,
11:40
similar to iOS, a couple of kind of different things, but we find the mapping useful just as we plan out. I'm sure a lot of you are looking at this as well. Similarly on the network side for Android. Let's look at a few case studies here.
12:03
2018 was when we had the first opportunity to do public elections in the US, and so since then we've had some interesting opportunities to collect data. So we start with something from
12:20
2018. One of the really interesting things we saw early on back then was the attempts to use multiple devices at the same time, in the same vicinity, using different mobile numbers and emails, and trying to do the same thing. And so in that scenario, the mitigation deployed by the system was to treat this as malicious activity and
12:47
block this access. We did see people use phone numbers in some telco blacklists, as well as people using well-known tools like Burp Suite to probe the platform, probe the API endpoints.
13:04
And in one of these cases we were able to record the traffic through a honeypot. So some of that is available as part of the open data package, and I'll also share some public links at the end of the presentation, so you can get it from there as well.
13:21
The other interesting thing from a case study perspective was people trying to reverse engineer the application. The system has the initial handshake process, and we saw some attempts, manual attempts, to engineer that handshake process. And so in that scenario as well,
13:43
one of the mitigations was to block the IP address ranges or block the device IDs, depending on the nature of the attack. But that's an area where we have some feedback on better approaches to mitigate those kinds of attempts.
14:02
Email spoofing: so we did see, we continue to see a lot of email spoofing attempts, and obviously with DMARC that helps to mitigate that, but nevertheless we do keep track of it. Another interesting case study involved
14:21
essentially network-based attempts to scan passively and then use that information to actively look at our infrastructure, particularly the API endpoints. Oh, that's where we see a lot of interest. And then more recently, we've had an opportunity to do somewhat larger elections in terms of
14:45
participation. Some of the early pilots had a very small number of voters, so the opportunity to collect meaningful data was a little limited from a security, on-device security, network security perspective. But with one of the elections this year, or a few of the elections this year,
15:03
we've been able to collect some very interesting data to analyze, and so happy to share that. One focuses around what we call mobile threat detection. We partner with third parties for that capability, as well as some, you know, stuff we have, and
15:23
the way that's structured is, we call it a multi-channel component architecture. The device is communicating with, obviously, our back end, also communicating with the third-party system; similarly our back end is communicating with the third-party system. A
15:42
good example was somebody tries to reverse engineer the app and, you know, hooks the specific locations where some of that code is getting triggered to try and bypass it. You could potentially disrupt two of these channels, but you'd also have to disrupt the third channel, so that in this case
16:03
acts as the saving grace and also as an extra detection mechanism. And so some of this capability is actively deployed. Next, probably the most interesting part of the presentation: so this is data from one of our recent elections
16:22
where a few thousand people participated, and this was kind of the device split: predominantly more iOS than Android. And then in terms of the threats we detected on the network side, it's pretty even, 50-50, but on the device side we saw sort of a lopsided
16:44
share of threats being detected on Android, and that could be a function of the devices that were being used, or maybe the unique factors to this selection as well. But something interesting to keep in mind. Sort of diving one level deeper,
17:01
so on the iOS side, let's kind of look at some of the network security threats. This data, by the way, is available in the open data set; I believe it's the part one, so you can dive in at your convenience as well. But at the iOS level we saw
17:21
18 devices who were connected, so this is amongst a few thousand, in the 64% who were using iOS. There were 18 devices detected where the Wi-Fi was deemed to be unsafe, and so obviously that creates a potential for a man-in-the-middle type of attack.
17:42
So the user experience was they were not able to complete the process on the device, or asked to contact the support team. In that case they were requested by the team to switch to the cellular network or switch to a different Wi-Fi network.
18:01
Once they did that, they were able to proceed. Similarly on Android, a similar number, about 17 on Android. We also saw an interesting case of potential ARP poisoning. ARP is the Address Resolution Protocol,
18:21
as many of you know. In this case it was a little hard for the support team to detect, because we didn't have visibility into what the voter's home network looked like, and so it required a little bit of troubleshooting, but eventually it turned out to be a media device which was causing this
18:40
poisoning. And so the team requested the voter to turn off the media device, and then the threat went away and they were able to proceed. So an area we'd love to do a little more research on, but it was interesting that we came across this one case. Next, let's look at some device-level threats.
19:03
On the iOS side we did detect a few devices where the PIN was not set. In that case the mitigation and resolution was to force the users to set a PIN or activate the biometrics on the device; otherwise they couldn't really proceed. And we saw a few cases of side-loaded apps, and
19:23
in each of those cases, when a little bit of due diligence was done, they were deemed to be legitimate apps, and so the voters were able to proceed. But it was good to see them being detected in case, you know, they could pose a threat. Definitely something we'd like to research more on.
19:42
On the Android side, a much larger number of devices without PINs, which we weren't sure why, but it was interesting: 89 devices didn't have a PIN set. So all those voters were forced to set a PIN or activate the biometric capability on the devices. Similarly on the side-loaded
20:01
side of things, a lot more side-loaded apps, which kind of made sense given the ecosystem on Android, so it did take quite a bit of time to go through these and make sure everything was okay. Actually, the election went for three days, so our support team had enough time to troubleshoot.
20:23
In this investigation we did find two instances where the device did have malware, and it was a fairly well-known malware. I'm sure many of you have probably heard about it, but it was interesting that we were able to detect this. The voters were able to delete the offending apps, reset the devices, and then
20:45
proceed, and then once the new checks were confirmed, they were actually able to vote successfully and complete the audit as well. A couple of other interesting Android-specific things: we did detect some instances of USB debugging being enabled.
21:02
Nothing malicious on that front, but during the act of voting the phone was not connected to a computer, so that was fine. And then we did have another 21 devices where developer options were enabled. So, as far as I know, no direct impact, but something we'd like to keep track of.
21:24
And so, as I mentioned earlier, this data is available as part of the package we've released. We'd love more feedback and suggestions on how to collect, how to analyze this, you know, in a better way,
21:41
especially, you know, areas around malware, and really interesting things we were able to learn from here. And you'll notice that the data is for the most part anonymized. That's true of the collection process as well; the voter is the one who's asked to initiate,
22:04
not knowing what exactly has happened. So the data does not contain any personally identifying information, to the best of our knowledge. And lastly, love any suggestions and feedback from the community.
22:21
We're a young company, or the youngest company in this space, trying to do something which is unusual, to say the least, and so we'd love suggestions and feedback to improve, and what things we could do better. And we appreciate the participation of the community. Thank you to the DEF CON Voting Village team for giving us this
22:45
opportunity to share this data, and we'll be sharing more of this data as we do more election pilots, and I'd love to continue to get feedback from everybody.
23:02
More information is available on our website, especially under white papers and under the security section. So please feel free to explore and give us feedback, and look at the data as it's posted in the future as well. Once again, thank you, and I hope you all have a great DEF CON experience this year,
23:23
especially at the Voting Village. Thank you. Take care.