Exploiting Vulnerabilities: Installing Malware Locally on ICX BMDs
Introduction:
Ensuring the security of voting systems is essential to maintaining the integrity of elections. A recent security analysis, however, found several vulnerabilities in the ICX ballot marking devices (BMDs) used in Georgia's election system.
Introduction to ICX BMD Vulnerabilities:
The ICX BMDs used in Georgia's election system have security flaws that let an attacker install malicious software on them. Each flaw is exploitable with only physical access to a machine, the kind of access a regular voter has in a polling place. The following techniques were tested and demonstrated successfully:
1.1 Attaching USB Devices to the ICX:
The ICX does not restrict which kinds of USB devices may be connected to its USB ports, and that includes the port serving the exposed cable that runs to the printer. An attacker can attach a USB drive, a keyboard or another device to that printer cable, and the system enumerates it exactly as it would a legitimate peripheral. This gives the attacker a way to copy files onto the BMD and to send it input, which is the foothold used to introduce malicious software.
1.2 "Escaping" the ICX App:
A software update applied to the ICX devices inadvertently introduced a way to escape the ICX App. The update failed to clear system apps from the Android Overview (recent apps) screen, so they stay reachable there even after a reboot. With a USB keyboard attached, an attacker can switch to those apps, reach the Android operating system settings, and from there install malware.
1.3 Accessing a Root Shell via the Built-In Terminal App:
The ICX BMDs ship with a built-in Terminal Emulator app that opens a Linux shell. Once an attacker reaches this shell with root privileges, the Android operating system's permission model no longer constrains them: they can read and modify any of the device's data and software without authorization.
Manual and Automated Malware Installation:
An attacker can exploit the vulnerabilities above by hand to install malware on an ICX BMD. The manual procedure has several steps: attaching a USB keyboard, copying files onto the device, installing a modified ICX App, and cleaning up afterwards to hide the traces. Done by hand it is too slow and conspicuous to be practical in a polling place, but it illustrates the mechanics of the attack.
The attack can be automated with a device called a "Bash Bunny", a small USB tool that presents itself to the ICX simultaneously as a storage device and as a keyboard. Programmed with the required keystrokes, it carries out the whole installation on its own, so an attacker, including a voter, can install malware in a couple of minutes.
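The control that section 1.1 says the ICX lacks, and the keyboard-plus-storage composite device that a Bash Bunny presents, can be made concrete with a small USB allowlist check. This is an added example written for this page, not code from the analysis or from the ICX itself. It runs over constructed Linux-kernel-style USB log lines (Android uses the same kernel USB stack), and the printer's vendor/product id is a placeholder assumption: only the expected printer may appear on the printer cable, and any port that binds a keyboard (HID) or mass-storage driver is flagged.

```python
"""Allowlist audit of USB attach events (added example; VID/PID values are assumptions)."""
import re
from dataclasses import dataclass, field

# Assumption for this example: the one peripheral that belongs on the ICX
# printer cable, identified by a hypothetical vendor/product id pair.
ALLOWED_DEVICES = {("04b8", "0e15")}

# Linux kernel USB log formats; only the fields used here are captured.
NEW_DEVICE_RE = re.compile(
    r"usb (?P<path>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRINTER_RE = re.compile(r"usblp (?P<path>[\d.-]+):[\d.]+: usblp\d+: USB .*printer")
STORAGE_RE = re.compile(r"usb-storage (?P<path>[\d.-]+):[\d.]+: USB Mass Storage")
HID_RE = re.compile(r"input: (?P<name>.+?) as /devices/.*?/usb\d+/(?P<path>[\d.-]+)/")

# Constructed sample log: an expected printer on port 1-1, then a composite
# keyboard+storage device (Bash Bunny style) attached on port 1-2.
SAMPLE_DMESG = [
    "usb 1-1: new full-speed USB device number 2 using xhci_hcd",
    "usb 1-1: New USB device found, idVendor=04b8, idProduct=0e15, bcdDevice= 1.00",
    "usblp 1-1:1.0: usblp0: USB Bidirectional printer dev 2 vid 0x04B8 pid 0x0E15",
    "usb 1-2: new high-speed USB device number 3 using xhci_hcd",
    "usb 1-2: New USB device found, idVendor=f000, idProduct=ff02, bcdDevice= 2.00",
    "usb-storage 1-2:1.0: USB Mass Storage device detected",
    "input: HID Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:F000:FF02.0001/input/input7",
]


@dataclass
class UsbDevice:
    path: str            # bus-port path as the kernel names it, e.g. "1-2"
    vid: str
    pid: str
    classes: set = field(default_factory=set)   # driver classes bound to it


def _tag(devices, path, cls):
    """Record a driver binding; ignore messages for ports never seen attaching."""
    dev = devices.get(path)
    if dev is not None:
        dev.classes.add(cls)


def parse_usb_events(lines):
    """Correlate attach and driver-bind messages into one record per USB port."""
    devices = {}
    for line in lines:
        if m := NEW_DEVICE_RE.search(line):
            devices[m["path"]] = UsbDevice(m["path"], m["vid"], m["pid"])
        elif m := PRINTER_RE.search(line):
            _tag(devices, m["path"], "printer")
        elif m := STORAGE_RE.search(line):
            _tag(devices, m["path"], "mass-storage")
        elif m := HID_RE.search(line):
            _tag(devices, m["path"], "hid")
    return devices


def audit_devices(devices, allowed=ALLOWED_DEVICES):
    """Return (path, vid, pid, unexpected classes, reason) for every device that should not be there.

    An allowlisted id is still flagged if it exposes keyboard or storage interfaces,
    because attack devices can present an arbitrary vendor/product id.
    """
    alerts = []
    for dev in sorted(devices.values(), key=lambda d: d.path):
        known = (dev.vid, dev.pid) in allowed
        extra = dev.classes - {"printer"}
        if known and not extra:
            continue
        if not known:
            reason = "device id not on allowlist"
        else:
            reason = "allowlisted id exposing non-printer interfaces (spoofed id?)"
        if {"hid", "mass-storage"} <= extra:
            reason += "; keyboard+storage composite, consistent with a keystroke-injection device"
        alerts.append((dev.path, dev.vid, dev.pid, sorted(extra), reason))
    return alerts


def audit_sample():
    """Run the audit over the constructed sample log."""
    return audit_devices(parse_usb_events(SAMPLE_DMESG))


if __name__ == "__main__":
    for path, vid, pid, classes, reason in audit_sample():
        print(f"port {path}: {vid}:{pid} {classes} -> {reason}")
```

On the sample log the printer passes and port 1-2 is reported as an unlisted keyboard-plus-storage composite. Two caveats a deployment would need: the vendor/product id is the weakest part of the check, since programmable attack devices can present any id they like, so the interface-class signal is the one to trust; and a log parser only detects after the fact. The control the ICX actually needs is enforcement in the USB stack, so that no keyboard or storage driver binds on the printer port at all.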
Exploiting a Forged Technician Card:
Another route is a forged Technician Card, produced on a readily available Java Card. Inserting the forged card into an ICX BMD opens the Technical Administration menu, and from there the attacker installs malware through the same on-screen procedure that is intended for official software updates.
Exploiting Android Safe Mode:
The ICX BMDs leave Android's "Safe Mode" enabled. Safe Mode reboots the device into a state in which the ICX App's restrictions on the Android operating system do not apply. By pressing and holding the mechanical power button, an attacker can reboot the BMD into Safe Mode, which exposes the system apps and with them the ability to install or remove software.
Conclusion:
The vulnerabilities found in the ICX BMDs pose serious risks to election security in Georgia: each can be exploited with the brief physical access a voter has to the machine, and several of them can be automated to run in minutes.