Richard DeMillo @rad_atl
32 tweets, 5 min read
1/Thirty Ways to Exploit GA's election system vulnerabilities not requiring an internet connection. @BrianKempGA and election officials endlessly repeat that the system is not connected to the Internet and is therefore secure.
politics.myajc.com/news/state--re…
It doesn't matter. Here's 30 reasons why.
2/Before we begin be aware that SOS is remarkably ambiguous about what "no Internet" means. No DIRECT connection, no connection during ELECTIONS, never even DURING TESTS, NEVER EVER NOT EVEN A CHANCE, voting machines ONLY, ALL system parts...These are distractions. Don't matter.
3/First of all, none are true. Simplest counter example: We know that KSU servers holding critical programming were not only connected to Internet, they were misconfigured to allow open access, had been indexed by Google and therefore seen/accessed by millions. But let's go on...
4/Internet aside, voting system components are connected together on local area networks (LAN) yielding cyber vulnerabilities that don't need an Internet connection. A Trojan horse hiding on one injects code by placing autoruns in root directories. Worms propagate this way.
5/How would malware get into a LAN? Many vulnerabilities below answer this but the easiest way is to attach an unauthorized wireless access point to the LAN. Impossible? This was observed at KSU & other election centers & at least 1 vendor lied about remote access software.
6/Election results sent over analog phone lines assuming that analog is not digital and therefore secure. Can be seen at English Street facility. Analog lines use Common Channel Signaling SS7 to set up calls. SS7 is digital and hacked since 1995. Useful for man-in-middle attacks.
7/What can you do once you're rattling around a LAN? If there are administrative shares, an attacker can get access to every file system on the network.
8/Proxies and reverse proxies can be started that fool trusted apps into thinking they are talking to local programs.
9/At the time the systems boot up, drivers are loaded for shared resources. Rootkits replace those drivers with listeners and loggers.
10/Removable media (memory cards for example) are loaded from machines on the LAN and are used to create a communication channel to target machines. Software can be transferred in this way.
11/Shellcode can be executed by any target machine. It just has to be transferred but that can be done at any time over low bandwidth channels.
12/Every operating system has cron-like daemons that can be used to sync events without consulting a central Internet connected server for command-and-control.
13/Speaking of daemons, we know nothing about the toolsets developers used to mount virtual resources. Developers ARE connected to Internet. If their tools are compromised so is every machine on which they're installed. Daemon tool sets are a vector for supply chain compromise.
14/Compromised supply chains are significant because EVERY computer, including the voting computers, is born on the Internet.
15/Diebold software in 2003 was discovered on an open FTP server.
16/Mass market vendors of equipment install standard software packages at the point of sale. The PC towers used in Georgia are purchased from those vendors.
17/Aging equipment like the machines used in GA are repaired from repurposed parts purchased on the open Internet. Even if you trusted the existing supply chain, repaired machines enjoy no such trust. Contaminated memories were discovered at DEFCON 26.
18/System and application software and system firmware are updated on industry schedules and delivered by the Internet (or on removable media that are programmed by Internet connected computers).
19/Configuration management of system components does not manage the mismatching of old and new components, middleware, drivers, and firmware. Certification documents do not reflect current system status. This is relevant because dependencies between components are unexamined.
20/Data poisoning. In the run-up to the GA 06 election in 2017, 5 epollbooks were stolen but never recovered. Memory cards were stolen too. Access to the epollbooks would have allowed arbitrary data manipulation. If reintroduced, they would poison the databases.
21/Facilities management. In addition to WAPs, KSU post-event documents show unlocked data closet with unmarked connection to public network. The name of the network was redacted. Unauthorized personnel could have moved a cable from one jack to another.
22/The KSU facility was located in a repurposed house. Publicity video documents lack of physical access controls. No reception or guard at front door. Once inside, no separation of areas with restricted access.
23/The KSU Center for Election Systems used an open Twitter feed to signal events to county election officials, thereby bypassing the need for an Internet based command center. No idea how SOS handles this now that KSU staff has been absorbed by SOS.
24/Prior to election critical technology events, global DDOS attacks crippled a sizeable number of hosts worldwide. Ensuing confusion is often used as cover for localized attacks, but there are no published logs of election system staff activities during these events.
25/Physical access to voting machines unrestricted at some sites. Election workers left for the day leaving unauthorized personnel with equipment. Machines secured only with loose cables and tamper-evident seals that are easily defeated by people with minimal training.
26/Insider threats bypass network safeguards altogether. Not all insider attacks are the result of malicious behavior of insiders. For example a compromised account is an insider threat.
27/Data loss. In the event of count disruptions, workers restart machines without regard to data loss and invoke manual processes to continue the count.
28/Shifting sands: ES&S GEMS server software depends on JET database engine. JET security vulnerabilities are well documented: cvedetails.com/vulnerability-…
29/Shifting sands pt. 2: Hard coded encryption keys and unencrypted files containing passwords.
30/No checks: Have checks been carried out to see if code bases are contaminated? Proprietary programs using now insecure hashes mentioned in powerpoint but undocumented.