
Exploring the World of Ethical Hacking: From Web Vulnerabilities to Election Security

BSides Oslo · 2025 · 44:44 · 5 views · Published 2026-03
Style: Talk
About this talk
Hallvard Nygård explores ethical hacking and responsible disclosure through two interconnected lenses: identifying and reporting web vulnerabilities in public services, and auditing Norway's election security infrastructure. Drawing on his own investigations, he examines whether digital election systems (voter registry, electronic scanning, result tallying) are secure, whether election results can be audited independently of the systems that produce them, and whether Norway should adopt electronic or online voting. The talk argues for transparency, manual verification, and end-to-end auditability in democratic processes.
Original YouTube description
In this talk, Hallvard will dive into the process of identifying and reporting security flaws in publicly available web solutions. Through responsible disclosure, he helps organizations fix vulnerabilities, learning and sharing insights along the way — often with a bit of fun on Twitter or even news articles. He will dive further into election security. Digital systems are integral parts of elections in Norway and elsewhere. Are they secure? Can we audit the systems? Can we audit the Norwegian elections outside digital systems? Should Norway introduce electronic voting machines? Democracy is at stake. As a professional, you should know a thing or two about election security.

Hallvard Nygård: Hallvard is an architect with Storebrand during the day and is creating a better society in his spare time. Using freedom of information laws, privacy laws and security research he advocates for changes and enlightens the public about what possibilities and weaknesses that are found. He is doing a lot of scraping of public information, including election, laws and public documents. He is running databases and tooling for journalism and is scraping every Norwegian public entity. Some results in Twitter rants, some results in news articles and some results in public complaints, and later changes. Holding companies and the government accountable.

BSides Oslo is an independent, community-driven inclusive information security conference. As a part of the global Security BSides network, the conference creates a space for members of the international and local information security communities to come together and share their knowledge and experiences. BSides Oslo is intended for anyone who works with, studies or has an interest in infosec.
Transcript [en]

All right. So, there are uh 4.8 million votes that were given in the two elections in Norway last year. They were given on paper ballots. They were stamped and they were counted by humans and machines. I sent uh 739 requests for election information. From this

Welcome to my talk. I'm Hallvard Nygård. My daytime job is working as a software architect. That's the one where I currently work with. In my spare time, I uh dig into things. I scrape information. I request information from public entities. Uh I find security issues and leaks. And fun fact, this picture I have on Twitter is me sitting inside an excavator. So today I will take you on a journey to see where I'm coming from with responsible disclosure and to what I'm uh looking at now which is uh elections. So I hope you will learn a couple of things along the way.

So, I'm a hacker by heart. I always uh I'm always curious about things. I'm looking into services that involve me and my data. Uh so, if you are my bank or if you run a government site, I will scrape the data. And this is also where it started out with the Rema 1000 app where I got 15 minutes of ramp light and some media attention. Uh the app was rushed into production. There were no security measures at all. Uh the API had an auto-incrementing uh customer ID as input. It's in one of the screenshots here. Um with that ID, which is uh deterministic, you can get any receipts and uh some partial credit card information.

I was originally looking into the app to download my own data. So my interest was mainly getting hold of my old receipts but I got a bit more. Uh so this find was by accident. Uh there's a lightning talk for there if you want to know more about that exact instance.

So I often make services that I want myself. One of the largest is no postlist. And this is a service I have made to get alerts on what's happening in public entities, keeping track of things. Uh, one such alert is the one you have on the right there where I'm alerted about a new document in one of my complaints about election. To make the service, I scrape about 500 different municipal and government entities uh on a regular basis. So this is a good source for public information uh from the whole country. So if you do your own research or looking into things, this is a good source. Speaking of uh looking into things, I do

my own research on uh the election. I take an independent look at it. I I collect the data. I'm uh making the data available for others, freeing them. Um so when I'm I have collected it uh that effort is uh is shared with others. I make reports uh so that we can see unreported discrepancies where that is um present and also learn a lot about the election process, how votes are handled, uh how the counting is done. Um, and I also um also went sort of undercover uh to just see how how this thing works. It's perfectly fine to to sign up as a election official on the election day. There's a lot of need for

that. And uh then if you have a security mindset as well, you will see a lot of things. But these are usually normal people that are uh participating in the counting and polling station work that has been done. So I've done that uh two times um by adding the local polling station. So this has given me a unique insight. Before we dive into uh elections, I want to have a look at responsible disclosure. Getting things fixed, improving things uh and also disclosing it so that we all can learn from it. That is after all the end state of this. Defining responsible disclosure or coordinated vulnerability disclosure which is the popular term these days

is the process of uh reporting a security issue uh that you have found. You report in confidence, in secret, to the owners or whoever is running the service. You collaborate with them to uh validate the find and see that this is actually an issue. Transparently share um what you have done and also expect some transparency back from the companies. I think companies should always uh confirm a find and optionally also give some information and context to what uh has happened and how we got there. >> Reasonable time to fix it. Uh could be days, could be months uh depending on power. >> Yeah. More power also. If it's very serious, I will say there

is enough in my future service and then of course disclosing it to the public so that others can know and also learn from it.

So how do I usually find things? Well, I see see issues all over the place basically. So uh what I report is both technical issues like um some code or configuration that is wrong and you get access to data you shouldn't have but it can also be u pure leaks of information people um publishing this I see that a lot with the public entities that they um use systems that might be that isn't supposed to be there and the people publishing is not aware of So if I if I start using a new digital service, I usually take a couple minutes, you get a feel for for how is the relation. >> Um is this is the system either old or

is auto incrementing variables parameters, sort parameters, all kinds of things parameters. If you change them, what does the system spit out? Does um does it make sense to check for this? Um if I see a JWT token, I try to modify that and see that they actually validate the token. Just basic things that uh every system should be on. Um so I get just a feeling of how the security best practices are in this system and uh yeah, if you do that on the system you can find things. So I don't do like a complete penetration test because that is not my job. I'm not here to do a job for

for any company that I that I'm where I use the services. There are other people that can do that. And I'm not going that thorough into the cells either. >> I I don't bount this either because I'm not like hunting for this. I'm not here to find it. I'll just find it more by accident. As I said, I also find information leaks uh like the national ID number or in the fut uh that plus the name can uh be used in different circumstances. Um so in 2018 I was responsible for the most alerts to uh the Norwegian Data uh Protection Authority, Datatilsynet. Um it wasn't me directly but it was uh was

different municipals that was reporting things I had reported to them uh as um sort of GDPR um getting my uh less personal data in my database. I also uh collaborated a little bit with NRK and they did some some articles about this type of data. So that hopefully my hope is that that will reduce the number of these cases so that I will have less of this in my database. So GDPR for me

uh most of the alerts I send is to medium and large companies and public entities. Uh when alerting them I usually have quite a good response rate in Norway. Um, I've been alerting a couple of smaller ones and they are quite hard to like uh get to do something. They usually don't have any in-house resources to fix the problem. But for medium to large companies, I find this uh method effective. I usually alert a couple of people high up in the organization chain. So the CEO, the chief of technology, the information security officer and other relevant sort of IT related uh persons in the organization. One that is quite easy to find is the

data protection officer or in Norwegian, personvernombud. This is usually a single person um but also might be a mailbox but they do know uh what GDPR is and what a leak is and what the risks are. So usually they are quite uh on alert when you send them something. If there's a communication or press team I might give them a copy. If I'm not getting a response, uh, I can send it directly to the data, the Norwegian Data Protection Authority, and that might get things rolling. They are a bit overloaded, so uh, so I tend to not do that anymore. I rarely get to use the security.txt, which some in security uh, like to put up

there um, because that file doesn't exist where I need it. But if I've had a couple of times I've I've gotten to use that. So for the for the email I typically send, I have a quite um quite sort of clickbaity scary title and then also tell it very uh bluntly how how it is to to the non-technical persons that will be on this email. So uh the CEO the data protection officer should be able to read the first paragraph and get to understand um what this is about and and that we should look into it of of course I I report things that are serious. So um so that's why uh I think that is uh wise

but in sort of the body of the email I I usually just include um a lot of technical information so that the person that is fixing it should be able to fix it without too much more information. I give them all the information about uh what I did and um what uh what I um what might fix this problem or or how this is u is technically I usually don't talk about the publishing the find or giving them a deadline because um it very much depends on on what they need to do on the other end and I don't know their

are back which means that this is actually active. It's reading this and uh yeah so it's a quite hard uh parameter to use. It was the sort um so I uh tried out sqlmap. It's a tool for uh doing injection. So I ran that and uh got some basic system information and the names of the table from one public entity here and ran that for about eight hours to get that because this was a time-based blind SQL injection. So it's the timing on how fast it responds that determines if uh the letter you are looking for is the right one. So you need to look for letter by letter. Uh quite uh time

intensive to extract data that way but it is possible. For the alerts here, I sent it to the creator of the system and also the one that I ran this tool on and their service provider. There's a company running the service for that municipal. I then later also alerted all the rest of the customers because I of course have lists of these because I scrape all of the instances in uh of this system. So do uh organizations push back and put legal on the case? I have not experienced that myself. The first day with Rema 1000, they were uh pointing the finger at me. Uh that made the media case more spicy. So they had

more to do on the media team that day. Uh but they uh yeah, they didn't do anything more than uh more than that. But there it is very important to remember the boundaries. If you behave, they will behave. If you um if you do too much uh then you will likely have precautions on whatever action you did. So don't do too much. Do enough to prove the issue but don't make a copy of the database because that is never necessary. I often think that if I have enough uh to make a few slides on a presentation that is usually enough for me to to to prove this issue and it's also usually the same data that I will provide in the

in the alert email that I send them. So you will have uh have some there as well.

So let's uh turn it over to election. Keep our security mindset uh with us. So the last uh couple of years I've spent a lot of time checking the Norwegian election. As I said, I collect data, I try to find systemic issues and make the right people aware. So this is not necessarily uh like the other cases said the application security is not like that it's more the election as a whole and it's uh is more

on the system and not like specific um issues. So a little election 101, there are two essential factors we need to speak about. It's trust and anonymity. Everybody should trust the results of the election. They must understand how the election works. Uh they must know about checks that are in place in the election to get the right result. Um it should be transparent so that everybody can audit the election. The outcome of the election must be hard to change, meaning that we uh must require many steps and also have many people conspiring to make a change in the election. If one single person or point in election can be changed without uh many people being involved

that will be an issue for um for a free election. We also need anonymity. This is uh so that you under no circumstance should be able to identify what somebody voted for that is not so you can avoid uh pressure on people. So in the society we should not have like uh posters saying 50% off for yellow voters or only red voters allowed, green voters pay double, or even worse, violence, which can happen. So it's very important that uh you can't know what somebody voted for. The Norwegian election: we have three main uh elections every second year, that is the county and municipal election together and then the parliament by itself. Next up is the parliament which

is next year. So then the county and municipal election was last year.

There are two main types of voting in Norway. You have the early day voting and election day voting. Uh all the voting are done on physical paper ballots. So no electronic uh count electronic voting in the polling stations. So there's not a computer where you can click on a button for which party you want to vote for. At the polling station, you will be ID checked before you deliver your vote. In early voting, you can vote anywhere in the country. If you vote somewhere other than where you live, uh that vote will go into an envelope, as you see in the picture here, and uh will be mailed back to where you live. So, your vote will

always get back to uh to your local uh municipal. At election day, it's only possible to vote where you live, and that's because your vote will be counted in uh in that uh place. So the votes are in. Let's uh count them. The first preliminary counting is manual meaning that uh humans will do the counting. Uh we will have a look at that on the next slide. And here I just want to give a big thanks to Patricia which was mentioned before the before the talk. uh she was on the barricades in 2017 and is one of the reasons why mandatory manual counting is uh is present in the law today. She put a spotlight on issues um with

unreliable electronic counting which was on the full way into the Norwegian election. So most uh most of the municipals they will do the first count at the polling station with the employees that are present at that time. So I've been on that uh last shift sort of at my polling station and have been attending the counting. This is the first counting and that is what they will be reporting to the public and also to the media when they do the live uh reporting on election day. The second and final counting can either be manual or electronic but most municipals will do this electronically today. Uh all the large uh places will have scanners.

I've had that for a long time. After they are done, they will uh send the election material further to the county for another count there with other equipment. Uh that one is also electronic. So manual counting just to get a sort of feel for for how this uh actually works. In the first picture here, you have people sorting them into uh the two different elections. It will then also be sorted by different parties and if it's is if the ballot is stamped. So if it's not stamped that will be put aside because that is not a valid vote on the on the right here you have uh the after the counting is done. So here we

have sorted the the ballots and also counted them and put a post-it note with how many uh votes are in this stack and that is recounted by another person. So two people are counting that this type of manual counting will have some errors. Uh the discrepancies should be checked and noted uh and spot checks should be done.

The accounting goes into the electoral record or in Norwegian, valgprotokoll. This is the official document from that municipal. So that is what the end result for them will be. This is printed and signed by the local election board, exemplified here by Oslo um in the picture. So there will be about 357 of these per election, which makes it above 700 for the two elections last year. All right. So uh let's look further into the security and also my investigations for last election. To sum up where we use digital systems in the Norwegian election today, we have two main uh systems that we use. We have the EVA admin and the EVA

scanning. Both are owned and maintained by the Directorate of Elections. So centrally uh managed. The admin application is a web portal and the scanning application is a desktop application. First we have the voter registry where everybody who can vote will be present, imported data from Folkeregisteret, the central register in Norway. This is used to do the ID check when you cast your vote at the polling station. Then we have the electronic counting that is done in the scanning solution, desktop application with connected scanners. After that the result is imported into the admin application again where the electoral record is produced, the PDF, and then the results are published after that is approved in the

application and over to the result page and media. So some questions. Can we audit these election systems? Are they secure? Can election results be changed without anybody knowing? Are some voters excluded maybe for technical reasons that you didn't think of, intentional or not? Uh where can we add votes in this uh election and what can we check? So I've tried to answer some of these questions or get answers to them. How can we audit these uh systems? Do we have the source code? That would be a good start. No, we only have parts of it. Uh we are missing the essential parts. So you can't run the code which makes it uh

yeah sort of security by obscurity still by rear have released the source code. The source code is no longer being updated. Last update was in uh 2019. So my trust in the elections uh go down without that type of source code. Um the argument against is national security and criminal activity can happen but I um I would argue that this is um this piece of code is the execution of the law. So um if you um if you don't have the the procedure the code that is executing the law you you are missing a big uh big piece of of how it's done. So we should have access to it. I think um if you if this procedure uh this

whatever the application does if that was done by a human you would have that procedure and we do have that procedure for a lot of the things that is happening in the election but not when it's a digital system because then it's scary. I spent a lot of time to try to get a hold of the source code through freedom of information requests but uh have stopped looking into that because even if we have the running code uh can we trust the system? Is it the same version that is running? We don't know. And uh given that we are uh anonymous in the actual election uh can we make it verifiable? We could make

some hashing algorithms and stuff for making this vote so you can check that your vote was present. But that's just an engineer's wet dream. Can't really do that without losing the anonymity. So in the digital system we only need one place to exploit to change the result and lose that uh check. Uh this image you have been looking at is the election system EVA admin. It's me that is logged in to the production environment. This is uh this is not a bug. Uh this is me as an election official that is doing my job. So it's not a security issue unless you consider me a security issue. So all systems are buggy. I know systems

are buggy. I code things. I work with systems. Uh I make them. I know that things go wrong. And this also includes election systems. So last election there were at least two instances of um issues related to code or code changes. Uh I've read the incident report. It started out with first a critical issue in the Oslo election. Then they had an emergency release for that bug and that resulted in another critical issue, which often happens. Um and the second one was found by me in the election um records you see behind here. So I expect this to happen in a system. It's not unusual that bugs occur and things happen. But these are bugs

without the intention of changing the result and even that change the result and that just shows that systems are buggy. So can we audit the election without the digital system, without these uh pieces of procedure that we can't uh look into? So a couple of slides back we had this um this on the wall. So I'm changing out the first one to be uh the paper ballots and the manual counting. And this is why the manual counting is so important because then we can check against the result. We have a manual count that has not gone through any uh system and we can check that against the results hopefully. And this is all made possible by the

changes in 2018 where it became mandatory to do this manual count after pressure from security professionals like yourself. But first let's look into the data collection from last year.

So there is um so saying this meeting could have been uh an email. Well this could have been an API, all these emails, due to lack of uh transparency on important data. The Directorate of Elections. From the Directorate of Elections uh we need to collect all these records directly from the municipals by asking each one of them. So the data uh was collected by uh sending about 1,300 emails. A lot of this is the like the first request and then a lot of reminders and nagging to a certain degree. Most of them are uh quite similar emails. So it's not like I'm typing out all these but still the replies uh

uh might be uh questions, might be the correct PDF that I'm looking for or it might be something else. The results are um very different in form and shape. So last year I uh used some AI to read a lot of these emails and summarize them and also extract data points from them. So in a way I just made the missing API um and integrated with the municipals by uh the very ineffective uh channel of communication which is email. It's quite slow. As you can see, not all um municipals managed to respond in time. I've sent some complaints, but I haven't uh tried to get it up to 100. It's about 80 to

90% um because I I really want to look into the data. I don't want to spend more time on this data collection. So, over to the data. Father Communa, here's an example of of some of the data. the municipal election. Here they found uh 95 extra votes in the final count. The this um according to my code that changed the seats between two parties. I have simulated the preliminary seats and got the final seats from the from the actual PDF and the comment was discrepancy checked by scanning twice. So we ran the scanning twice, same equipment, all the same stuff was the same result. We trust the system. This is the typical example of uh how

the trust is uh in computers among election officials. A lot of them don't see it with the same security mindset that we would have done, but I wouldn't trust my own code this much. Uh that's sure for the um for the then for the last election electoral records. Here are some of the interesting numbers uh that I've taken out. So as the previous slides, there was uh 22 municipals that had change of seats between the first preliminary uh count and the final count. Some of these might have been explained. There might be votes that my code doesn't pick up, but some of them are also like this one larger one that we just saw.

Usually, this is picked up by others also, so it's not like it's going completely unnoticed, but but still there are some uh discrepancies. I also have another check for um if the difference in vote count is more than 1%. The changes of 1% for one party. So one party is losing u 100 vote and another one is gaining. This isn't typical uh typical of what you see. If that is 1% difference we have 34 of those and that is a lot. We also have a lot on the on the ballot stuffing meaning that there are more votes in the ballot than voters because when you check your ID you will be crossed out. you will be marked that you

have voted. Uh and that count uh count of how many are crossed out shouldn't be uh be less than the votes. So if there are more votes than people that should be have voted that is of course an issue. Some of these are quite minor but might uh point to something that should be looked into or that um the whole election process should have better data on this. 17 of them was due to the emergency uh release of the election system while they were doing the election counting. So due to the release while we were doing counting it started uh yeah we got some uh some bugs there. This is the one that we previously looked into.

I did a separate study of Hugalan where I'm from to try to see if we can all to answer exactly the question I I just asked. Can we audit the digital systems? Do we have a record of something that is have is not extracted from that system. Uh you're not meant to to read all of this but just have a look that there are many red boxes. So let's go to the summary. So I found that five of the 23 municipals in Organ can be audited outside the main election system. So outside that admin system and and when I say I can audit them this means that I got a copy of uh some handwritten notes from the actual

counting the manual counting that they have done. A lot of them said that they had just thrown out those um those notes. Some said they had shredded them because it's I don't know secret or something. Um so so the these are the kind of comments that that have I responded they responded with when they uh when they answered. I think we can get this number a lot higher by asking all the municipals ahead of time you should keep these because these are important but I don't see it as important right now. So then it's just sort of uh by accident that some kept them and and others don't. But this is the count that we want want to

have higher to be able to audit from end to end. But still it's really hard to scale an attack against an election that is on paper ballots and with so many places of counting. Unless you hit the digital systems of course uh where you have one vulnerability and uh you can change the whole election outcome. But there's also a new spanner that is thrown into the machine. Um the Norwegian government is investigating the and collecting information on both electronic counting at the polling station, meaning that you get a not a laptop or some kind of machine and you hit a button for for your vote. and also looking into online voting which is another very bad idea.

So in the light of uh what I've presented so far I hope you see some argument against if you need it in a more short form and uh good explanation I will recommend this video. it is really good and does um go into all the all the different arguments for for for this. And just a couple of words on the on the online uh voting. Same argument as on the previous slide, but just a lot more attack surface. Should you should you really be allowed to send HTTP requests to an election system? Today we are not allowed. we are blocked from doing that and that's a good thing. But also other aspects like social engineering

um who is actually doing the voting, the undue pressure on people, who was present at uh the voting and pressuring the voter, the one that sent in the votes. And if you say yes to online voting uh why not do it by phone? Call in your vote. Would you trust uh the guy on the other end to write down the right vote and um follow the procedure that is uh is there? All right. So, uh let's recap. We started out by looking at responsible disclosure uh alerting owners, giving fair time to respond and that you should behave uh if you wander into this. Next we looked at this election with a security

mindset. Uh can um voters understand uh the election? Can you understand election? Can you audit election? To some degree we can uh but there is room for improvements. My biggest uh scares are in this order: the online voting, electronic voting at the polling stations, and no human count of ballots. I wouldn't trust an election with any of these. So, I'm ending on a call to action. Uh you should observe your local election. I can only be at one place at one time. So, uh go to your polling station. Uh watch the count. You are completely allowed to do that and that's also stated in the new election law. Thankfully uh I was

rejected at one last uh last election but another one let me watch. You're allowed to take pictures, videos, uh you are allowed to see how the counting is done. Um you should look for how uh the ballots are stored after preliminary counting, how they are transported. I've seen a couple of things. Uh the procedure says this but it's not always followed if people aren't uh looking. So let's have a look at the election. Thank you. [Applause] Thank you very much. A very timely and uh interesting and slightly concerning talk. Uh we have a few minutes for questions. Uh does anybody have any questions for Hallvard? No, I have uh I have a question to get

things going. Uh you mentioned uh that you went undercover >> and I'm wondering what about the situation uh makes you feel like you have to be undercover uh when you're >> Yeah. It's not going secretly undercover and uh hiding my identity. It's just that your local municipal will be asking for people to man the polling station and uh everybody can basically sign up for stuff like that. You will then be in as an employee of the municipal for that day. So, um, it's not, uh, it's not a very undercover secret thing. Yeah. >> Oh, we have a question at the back. Coming back to you.

>> So, my question is, uh, since you're that critical of the electronic systems for voting, are you distrustful of electronic systems per se? Is there any systems that you feel are a success when it comes to verifying identities or behaving in the electronic age for citizens? >> Didn't quite get the last part there, but um but the first part uh the digital systems they are being checked. They they are being penetration tested. They are likely good systems but it's a systemic thing to not trust them uh completely because there can be issues and you likely don't know where the issues are. >> Right. So the the last part was um if you don't trust your identity in the

election system do you trust your identity in other systems like NAV or Skatteetaten? >> Yeah we need digital systems to uh make this work, otherwise it will be uh too much. Uh but you should always have rights in every situation and you do have that with NAV as well. Um but uh electronic systems are of course effective to do things at a larger scale. >> All right. Thank you very much. This is obviously a sensitive topic and if you would like to discuss it with Hallvard uh more privately then he will be available for questions and discussions. Thank you very much. [Applause]