The Halderman Report Exposes Vulnerabilities in Georgia's ICX Voting System
I. Understanding the ICX App and its Vulnerabilities
The ICX voting system relies on a dedicated mobile application called ICX App, which allows voters to cast their ballots electronically. The report exposes critical weaknesses in the ICX App, enabling attackers to exploit its code and compromise the integrity of the voting process.
A. Reverse-Engineering the ICX App
By employing publicly available tools like APKTool and Java2Smali, researchers were able to disassemble the original ICX App and translate its code into a human-readable representation called "smali." This process facilitated the identification of potential vulnerabilities within the app's structure and functionality.
B. Manipulating QR Codes and Votes
The report demonstrates how the ICX App can be modified to change ballot QR codes selectively. This manipulation allows attackers to alter the recorded votes in favor of their preferred candidate, potentially swaying election outcomes. The malware developed for this purpose can modify the data representation within the QR code, thereby reflecting fraudulent choices controlled by the attacker.
II. Overcoming Procedural Defenses
Georgia's ICX voting system incorporates various procedural defenses aimed at ensuring the integrity and accuracy of the electoral process. However, the report exposes the susceptibility of these defenses to malicious activities.
A. Defeating Logic and Accuracy Testing
The logic and accuracy testing (LAT) process, designed to identify errors in ballot design and counting logic, can be easily defeated by ICX malware. The demonstration malware skips cheating on the initial ballots, making it difficult to detect its presence. Even if the LAT process were enhanced, attackers could adapt the malware to minimize the probability of detection.
B. Bypassing Hash Validation and APK Verification
The ICX App displays the SHA-256 hash of its installed APK on the screen, aiming to provide transparency and allow verification. However, the report reveals that a modified app can display the expected hash value instead of its actual one, thus evading detection. Additionally, the malware can export the original unmodified APK instead of its own during the verification process, making it impossible to detect the presence of malware.
III. Implications for Voter Verification and Auditing
The vulnerabilities uncovered in the ICX voting system have significant implications for both voter verification and auditing processes.
A. Limited Voter Verification of QR Codes
Due to the nature of the voting process, voters have no practical means to verify the contents of the QR codes generated by the ICX App. This lack of transparency allows attackers to modify the QR codes while leaving the human-readable portion of the ballot unchanged, making their fraudulent actions almost undetectable to voters.
B. Inadequate Auditing Practices
Georgia's auditing practices, including risk-limiting audits (RLAs), are insufficient to detect malware-driven fraud effectively. RLAs, conducted in November during even-numbered years and targeting a single statewide contest, are unlikely to detect fraud in the majority of elections and contests. Additionally, malware that changes both QR codes and ballot text can evade detection even during RLAs.