Projects and Research

DVSorder: Ballot Randomization Flaws Threaten Voter Privacy

Distinguished Paper Award, USENIX 2024

A trend towards publishing ballot-by-ballot election results has created new risks to voter privacy due to inadequate protections by election technology. These risks are manifested by a vulnerability we discovered in precinct-based ballot scanners made by Dominion Voting Systems, which are used in parts of 21 states and Canada. In a variety of scenarios, the flaw—which we call DVSorder—would allow attackers to link individuals with their votes and compromise ballot secrecy. The root cause is that the scanners assign pseudorandom ballot identifiers using a linear congruential generator, an approach known since the 1970s to be insecure. Dominion attempted to obfuscate the generator's output, but we show that it can be broken using only pen and paper to reveal the order in which all ballots were cast. Unlike past ballot randomization flaws, which typically required insider access to exploit or access to proprietary software to discover, DVSorder can be discovered and exploited using only public information.

In addition, the election sector's response to our findings provides a case study highlighting gaps in regulations and vulnerability management within this area of critical infrastructure. Although Dominion released a software update in response to DVSorder, some localities have continued to publish vulnerable data due to inadequate information sharing and mitigation planning, and at least one state has deferred addressing the flaw until after the 2024 presidential election, more than two years following our disclosure.
DVSorder: Ballot Randomization Flaws Threaten Voter Privacy
Braden L. Crimmins, Dhanya Y. Narayanan, Drew Springall, J. Alex Halderman
33rd USENIX Security Symposium
USENIX Security '24, Philadelphia, PA, August 2024
@inproceedings {299892,
  title = {{DVSorder}: Ballot Randomization Flaws Threaten Voter Privacy},
  author = {Braden L. Crimmins and Dhanya Y. Narayanan and Drew Springall and J. Alex Halderman},
  booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
  year = {2024},
  month = aug,
  url = {https://www.usenix.org/conference/usenixsecurity24/presentation/crimmins},
}

Security Analysis of Georgia's ImageCast X Ballot Marking Device

(additional details in a forthcoming research paper)
In 2020, Georgia replaced its insecure, decades-old DRE voting machines with new ballot scanners and ballot marking devices (BMDs) manufactured by Dominion Voting Systems. Although the same BMDs are used for accessibility in parts of approximately 15 other states, Georgia is unique in using them statewide as the primary method of in-person voting. This unusual arrangement places potentially malicious computers between Georgia voters and their paper ballots. In contrast, in most of the United States, voters mark paper ballots directly by hand, and BMDs are reserved for those who need or request them. Georgians who vote at a polling place generally have no choice but to use the BMDs.

All voting systems face cybersecurity risks. As the National Academies of Sciences, Engineering, and Medicine recently concluded “[t]here is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats”. However, not all voting systems are equally vulnerable. Curling Plaintiffs contend that Georgia's universal-use BMD voting system is \emph{so insecure} that it violates voters' constitutional rights.

To assist the Court in understanding the risks that the system creates, Curling Plaintiffs asked us to conduct a security analysis of the ImageCast X (ICX) BMD and associated equipment used in Georgia elections. Using an ICX provided by Fulton County, we played the role of an attacker and attempted to discover ways to compromise the system and change votes. We spent a total of approximately twelve person-weeks studying the machines, testing for vulnerabilities, and developing proof-of-concept attacks. Many of the attacks we successfully implemented could be effectuated by malicious actors with very limited time and access to the machines, as little as mere minutes. This report documents our findings and conclusions.
Security Analysis of Georgia's ImageCast X Ballot Marking Devices
J. Alex Halderman and Drew Springall
Curling v. Raffensperger, Civil Action No. 1:17-CV-2989-AT, U.S. District Court for the Northern District of Georgia, Atlanta Division, July 2021
This advisory identifies vulnerabilities affecting versions of the Dominion Voting Systems Democracy Suite ImageCast X, which is an in-person voting system used to allow voters to mark their ballot. The ImageCast X can be configured to allow a voter to produce a paper record or to record votes electronically. While these vulnerabilities present risks that should be mitigated as soon as possible, CISA has no evidence that these vulnerabilities have been exploited in any elections.

Exploitation of these vulnerabilities would require physical access to individual ImageCast X devices, access to the Election Management System (EMS), or the ability to modify files before they are uploaded to ImageCast X devices. Jurisdictions can prevent and/or detect the exploitation of these vulnerabilities by diligently applying the mitigations recommended in this advisory, including technical, physical, and operational controls that limit unauthorized access or manipulation of voting systems. Many of these mitigations are already typically standard practice in jurisdictions where these devices are in use and can be enhanced to further guard against exploitation of these vulnerabilities.

The Security Impact of HTTPS Interception

As HTTPS deployment grows, middlebox and antivirus products are increasingly intercepting TLS connections to retain visibility into network traffic. In this work, we present a comprehensive study on the prevalence and impact of HTTPS interception. First, we show that web servers can detect interception by identifying a mismatch between the HTTP User-Agent header and TLS client behavior. We characterize the TLS handshakes of major browsers and popular interception products, which we use to build a set of heuristics to detect interception and identify the responsible product. We deploy these heuristics at three large network providers: (1) Mozilla Firefox update servers, (2) a set of popular e-commerce sites, and (3) the Cloudflare content distribution network. We find more than an order of magnitude more interception than previously estimated and with dramatic impact on connection security. To understand why security suffers, we investigate popular middleboxes and client-side security software, finding that nearly all reduce connection security and many introduce severe vulnerabilities. Drawing on our measurements, we conclude with a discussion on recent proposals to safely monitor HTTPS and recommendations for the security community.
The Security Impact of HTTPS Interception
Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan,
Elie Bursztein, Michael Bailey, J. Alex Halderman, and Vern Paxson
Proc. 24th Network and Distributed System Security Symposium
NDSS '17, San Diego, CA, February 2017
@inproceedings{httpsInterception-ndss2017,
 title = {The Security Impact of {HTTPS} Interception},
 author = {Zakir Durumeric and Zane Ma and Drew Springall and Richard Barnes and Nick Sullivan and Elie Bursztein and Michael Bailey and J. Alex Halderman and Vern Paxson},
 booktitle = {Proceedings of the 2017 Network and Distributed System Security Symposium},
 year = {2017},
 month = feb,
 }

Measuring the Security Harm of TLS Crypto Shortcuts

TLS has the potential to provide strong protection against network-based attackers and mass surveillance, but many implementations take security shortcuts in order to reduce the costs of cryptographic computations and network round trips. We report the results of a nine-week study that measures the use and security impact of these shortcuts for HTTPS sites among Alexa Top Million domains. We find widespread deployment of DHE and ECDHE private value reuse, TLS session resumption, and TLS session tickets. These practices greatly reduce the protection afforded by forward secrecy: connections to 38% of Top Million HTTPS sites are vulnerable to decryption if the server is compromised up to 24 hours later, and 10% up to 30 days later, regardless of the selected cipher suite. We also investigate the practice of TLS secrets and session state being shared across domains, finding that in some cases, the theft of a single secret value can compromise connections to tens of thousands of sites. These results suggest that site operators need to better understand the tradeoffs between optimizing TLS performance and providing strong security, particularly when faced with nation-state attackers with a history of aggressive, large-scale surveillance.
Measuring the Security Harm of TLS Crypto Shortcuts
Drew Springall, Zakir Durumeric, J. Alex Halderman
16th ACM Internet Measurement Conference
IMC '16, Santa Monica, CA, November 2016
@inproceedings{cryptoShortcuts-imc2016,
    title = {Measuring the Security Harm of {TLS} Crypto Shortcuts},
    author = {Drew Springall and Zakir Durumeric and J. Alex Halderman},
    booktitle = {Proceedings of the 16th ACM Internet Measurement Conference},
    year = {2016},
    month = nov,
}

FTP: The Forgotten Cloud

Once pervasive, the File Transfer Protocol (FTP) has been largely supplanted by HTTP, SCP, and BitTorrent for transferring data between hosts. Yet, in a comprehensive analysis of the FTP ecosystem as of 2015, we find that there are still more than 13 million FTP servers in the IPv4 address space, 1.1 million of which allow "anonymous" (public) access. These anonymous FTP servers leak sensitive information, such as tax documents and cryptographic secrets. More than 20,000 FTP servers allow public write access, which has facilitated malicious actors' use of free storage as well as malware deployment and click-fraud attacks. We further investigate real-world attacks by deploying eight FTP honeypots, shedding light on how attackers are abusing and exploiting vulnerable servers. We conclude with lessons and recommendations for securing FTP.
FTP: The Forgotten Cloud
Drew Springall, Zakir Durumeric, J. Alex Halderman
46th IEEE/IFIP International Conference on Dependable Systems and Networks
DSN '16, Toulouse, France, June 2016
@inproceedings{ftpCloud-dsn2016,
  title = {{FTP}: The Forgotten Cloud},
  author = {Drew Springall and Zakir Durumeric and J. Alex Halderman},
  booktitle = {Proceedings of the 46th IEEE/IFIP International Conference on Dependable Systems and Networks},
  year = {2016},
  month = jun,
}

Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice

Best Paper Award, CCS 2015

Pwnie for Most Innovative Research, Black Hat USA 2015

We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present a novel flaw in TLS that allows a man-in-the-middle to downgrade connections to “export-grade” Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete log algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logs in this group in minutes. We find that 82% of vulnerable servers use a single 512-bit group, allowing us to compromise connections to 7% of Alexa Top Million HTTPS sites. In response, major browsers are being changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. A small number of fixed or standardized groups are in use by millions of TLS, SSH, and VPN servers. Performing precomputations on a few of these groups would allow a passive eavesdropper to decrypt a large fraction of Internet traffic. In the 1024-bit case, we estimate that such computations are plausible given nation-state resources, and a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.
Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann
Proc. 22nd ACM Conference on Computer and Communications Security
CCS ’15, Denver, CO, October 2015
@inproceedings{weakdh-ccs2015,
    title = {Imperfect Forward Secrecy: {H}ow {D}iffie-{H}ellman Fails in Practice},
    author = {David Adrian and Karthikeyan Bhargavan and Zakir Durumeric and Pierrick Gaudry and Matthew Green and J. Alex Halderman and Nadia Heninger and Drew Springall and Emmanuel Thom\'e and Luke Valenta and Benjamin VanderSloot and Eric Wustrow and Santiago Zanella-B\'eguelin and Paul Zimmermann},
    booktitle = {Proceedings of the 22nd ACM Conference on Computer and Communications Security},
    year = {2015},
    month = oct,
}
Research Highligh—Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
David Adrian, Karthikeyan Bhargavan, Zakir Durumeric, Pierrick Gaudry, Matthew Green, J. Alex Halderman, Nadia Heninger, Drew Springall, Emmanuel Thomé, Luke Valenta, Benjamin VanderSloot, Eric Wustrow, Santiago Zanella-Béguelin, and Paul Zimmermann
Communications of the ACM
CACM, Januaray 2019, Vol. 62, No. 1
@article{weakdh-cacm2019,
    title = {Research Highlight---Imperfect Forward Secrecy: {H}ow {D}iffie-{H}ellman Fails in Practice},
    author = {David Adrian and Karthikeyan Bhargavan and Zakir Durumeric and Pierrick Gaudry and Matthew Green and J. Alex Halderman and Nadia Heninger and Drew Springall and Emmanuel Thom\'e and Luke Valenta and Benjamin VanderSloot and Eric Wustrow and Santiago Zanella-B\'eguelin and Paul Zimmermann},
    journal = {Communications of the ACM},
    year = {2019},
    month = jan,
    volume = {62},
    number = {1},
}

Security Analysis of the Estonian Internet Voting System

Estonia was the first country in the world to use Internet voting nationally, and today more than 30% of its ballots are cast online. In this paper, we analyze the security of the Estonian I-voting system based on a combination of in-person election observation, code review, and adversarial testing. Adopting a threat model that considers the advanced threats faced by a national election system—including dis- honest insiders and state-sponsored attacks—we find that the I-voting system has serious architectural limitations and procedural gaps that potentially jeopardize the integrity of elections. In experimental attacks on a reproduction of the system, we demonstrate how such attackers could target the election servers or voters’ clients to alter election results or undermine the legitimacy of the system. Our findings illustrate the practical obstacles to Internet voting in the modern world, and they carry lessons for Estonia, for other countries considering adopting such systems, and for the security research community.
Security Analysis of the Estonian Internet Voting System
Drew Springall, Travis Finkenauer, Zakir Durumeric, Jason Kitcat, Harri Hursti, Margaret MacAlpine, and J. Alex Halderman
Proc. 21st ACM Conference on Computer and Communications Security
CCS ’14, Scottsdale, AZ, November 2014

@inproceedings{ivoting-ccs2014,
    title = {Security Analysis of the {E}stonian {I}nternet Voting System},
    author = {Drew Springall and Travis Finkenauer and Zakir Durumeric and Jason Kitcat and Harri Hursti and Margaret MacAlpine and J. Alex Halderman},
    booktitle = {Proceedings of the 21st ACM Conference on Computer and Communications Security},
    year = {2014},
    month = nov,
}