Wednesday, April 14, 2010

Israeli RFID-based voting system shown to be insecure

While I am opposed to the type of electronic voting that has been implemented in Maryland and in much of the US, I can understand the motivations of those who support these systems. Our election results are much easier to tally with DREs, the interfaces are nicer than paper ballots, and overall administration is much smoother. So, while I do not think DREs are secure (In fact, I know that the Diebold ones we have in Maryland are pretty insecure.), I have no trouble understanding why some people want them.

In Israel the situation is different. When Israelis vote, the process is as simple as can be. Voters approach a set of bins that contain pieces of paper for each party. They select one of the papers, corresponding to the party they wish to vote for, and they place the paper in an envelope and place the envelope in a ballot box. That's it. The papers are counted, and the party with the most votes wins. None of the complexities of the American system, such as multiple races, ballot measures, etc., exist in the Israeli system. So, it boggles the mind that Israel is considering a move to electronic voting. They simply don't need it.

Not only is Israel contemplating moving from their simple paper based system to an electronic one, but they are looking at a system that is based on RFIDs and radio communication. Talk about shooting a flea with a canon. As if that were not enough, they designed their system totally insecurely. Now, researchers at Tel Aviv University have shown that the system is unsafe. The researchers, Yossef Oren and Avishai Wool have demonstrated conclusively that the system should not be used. From their abstract:

We show how a low-budget adversary armed with a relay device can read out all votes already cast into the ballot box, suppress the votes of one or several voters, rewrite votes at will and even completely disqualify all votes in a single voting station. Our attacks are easy to mount, very difficult to detect, and compromise both the confidentiality and the integrity of the election system.

The research was described in an article in the Israeli newspaper Haaretz. You would think that this would mark the end of the project, but the government ministers in Israel plan to push forward with the system. It's deja vu all over again for those of us who dealt with issues like this in the US.

Thursday, April 01, 2010

Taking back American Idol!

Last week, I served as a guest judge of American Idol for Newsweek.com (see article). If you watched the show, you know how pathetic Tim Urban was, and as I stated in my judging comments, he deserved to be eliminated. However, to my great frustration, Paige Miles, who actually has some serious vocal chops was sent home instead, thrusting the hapless Tim Urban upon us. I am so sick and tired of America getting the results wrong on Idol, that I've finally decided to do something about it.

A couple of years ago, I noted in my blog a vulnerability in the American Idol voting system. There is a memory leak in the server that they use to tally votes, and the phone system they have implemented is vulnerable to dialer spoofing and scripted dialing attacks. I have studied electronic voting security for several years, and using my experience, I spent the last several days developing a hack to basically control the voting on American Idol. Now all I need is a distributed launch pad for what is in a sense a computer virus. This is where you come in. I assure you that the virus does nothing bad. I promise it will not delete any of your files or corrupt your hard drive, and I virtually guarantee you that it will not get you into trouble if you download it.

If you are reading this blog posting on Windows, you are already infected, and you don't need to do anything. If you are lucky enough not to be using Windows, I have created custom installers for Mac, Linux, OpenBSD, and the iPhone to make things as easy as possible for you to install. Once you have the installer, just double click on it, and my software will take care of the rest. The virus will propagate to any computer that you send email to or with whom you share files. Again, I give you my word that it will not do too much harm to those systems. All that will happen (hopefully) is that when it's time for American Idol voting next week, all of the "infected" systems will exploit the vulnerability on the American Idol server and change the votes ensuring that the singers who I like will make it and the ones who I don't like will be eliminated. I really, really appreciate your help in this project, and I assure you that it is totally legal and that you will not get into too much trouble. It is extremely unlikely that your computer will suffer any damage.

Here are the packed installer files:

Mac: http://avirubin.com/Idol.virus/Mac.html
Linux: http://avirubin.com/Idol.virus/Linux.html
Open BSD: http://avirubin.com/Idol.virus/openBSD.html
iPhone: http://avirubin.com/Idol.virus/iPhone.html

It is time to take control of American Idol.

Thanks for you help!!

Avi