Full Disclosure mailing list archives
Digivote replay attack
From: D V <digivoter () hotmail com>
Date: Sun, 18 Apr 2010 01:01:31 +0300
There is no integrity control for the communication between a URN external magnetic card reader (DVDEK) and a URN PC (DVURN). As the data cable with D25 and D9 connectors connecting DVDEK and DVURN is a standard data cable, it is possible to replace it with a similar data cable with a hidden micro controller embedded in the connector. This hidden micro controller plays the role of man-in-the-middle. It intercepts all communication between the URN external magnetic card reader and the URN PC. Each time it wants to discard a vote, the micro controller replaces the data read from the voting magnetic card with the data from a previous voting magnetic card. Otherwise it relays the original data.

Modifying the data is impossible, as this will invalidate the 8 byte MAC signature at the end of the voting magnetic card data and thus fraud will be detected by the URN software. But replacing the data of one vote by another previous valid vote is possible without triggering the fraud detection systems.

One scenario for discarding votes for political party A.

To discard votes for political party A, replace the data cable by a data cable with an embedded micro controller programmed to act like this:

1. Act transparently (relay all data without substitution) until a voting magnetic card is inserted that has not been inserted in a MAV PC (this is an initialized voting magnetic card with blank vote, the Usage Flag in the data indicates that this card has not been inserted in a MAV PC). Store the data of this blank voting magnetic card in the memory of the micro controller, and relay it to the URN PC. From now on, the micro controller acts as man-in-the-middle.

2. In man-in-the-middle mode, intercept all data. If it is the data of a voting magnetic card for political party A, discard the data and relay the stored blank voting magnetic card data to the URN PC. Relay all other data unmodified to the URN PC.

Mitigation: certify and seal the data cables.
http://en.wikipedia.org/wiki/Electronic_voting_in_Belgium

3E054CF44706D1DF82D4BECF86C86EFB
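The gap described in the post, a MAC that proves integrity but not freshness, shown from the receiving side as an added example that is not part of the original post and is not Digivote code. The record layout, the HMAC-SHA256 stand-in for the unspecified MAC, the key, the sample records and the assumption that every card carries a unique serial are all constructed for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8  # the post states an 8-byte MAC at the end of the card data

def make_record(key: bytes, serial: int, usage_flag: int, vote: bytes) -> bytes:
    """Build a constructed card record: serial | usage flag | vote | MAC (hypothetical layout)."""
    payload = struct.pack(">IB", serial, usage_flag) + vote
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]

def verify_mac(key: bytes, record: bytes) -> bool:
    """Integrity only: a byte-for-byte replay of a valid record still passes."""
    if len(record) <= MAC_LEN:
        return False
    payload, tag = record[:-MAC_LEN], record[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(tag, expected)

class Urn:
    """Receiving side that adds a freshness check on top of the MAC check."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()  # digests of records already accepted

    def accept(self, record: bytes) -> str:
        if not verify_mac(self.key, record):
            return "rejected:bad_mac"
        digest = hashlib.sha256(record).digest()
        if digest in self.seen:  # same card data presented a second time
            return "rejected:replay"
        self.seen.add(digest)
        return "accepted"

def demo() -> list:
    key = b"constructed-demo-key"                # constructed key
    urn = Urn(key)
    blank = make_record(key, 1001, 0, b"BLANK")  # constructed blank card
    vote = make_record(key, 1002, 1, b"LIST-07") # constructed voted card
    tampered = bytes([vote[0] ^ 1]) + vote[1:]   # one payload bit flipped
    return [urn.accept(blank), urn.accept(vote),
            urn.accept(blank), urn.accept(tampered)]

if __name__ == "__main__":
    print(demo())
```

The duplicate check only works if no two legitimate cards ever produce identical bytes, which is why the per-card serial is an explicit assumption here.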