- There seem to be user interface race conditions, which can not be
triggered by human interaction with the machine, but are revealed by
no delay playback of the human actions, i.e. unmodified macros.
(See photos in report)
3. Back door
The TS6 is likely to have an additional back door for accessing
windows, though this could not tested in Emery County ? also it is
unknown if any of this in any form has been carried over to TSx.
Further source code analysis of the well-known "CVS.TAR" file1, which
contains source code for the TS6 and has been widely used in
touch-screen system security studies, has revealed this feature.
The fact that this backdoor has not been published before underlines
the fact that source code reviews performed this far have been not
conclusive.
The start-up program for the ballot station is looking for the
existence of [redacted] on the memory card. The file itself can be
empty, because the found file, based on the name alone, is a trigger
for alternative execution of a general purpose file management utility
program instead of the ballot station, therefore enabling access to
Operating System. This back door has also been documented in
[redacted]:
[redacted]
4. Automatic deletion of files, including election file-extension
files:
In case the memory card is full, the system will, without any
interaction with the user, start to delete files from the card to free
up memory. This deletion will also take out files with election file
extensions from the election subdirectory. There is no way to verify
which logic the system follows when choosing the files to be deleted.
5. Memory card test file merits further study:
From the publicly available documentation there is reference to memory
card testing with 16-bit "gray-code algorithm" using the file:
[redacted]
This functionality should be studied. Vulnerabilities are unknown.
6. Other file names should be examined:
The following references were found from the publicly available
documentation:
[redacted]
[redacted]
triggered by human interaction with the machine, but are revealed by
no delay playback of the human actions, i.e. unmodified macros.
(See photos in report)
3. Back door
The TS6 is likely to have an additional back door for accessing
windows, though this could not tested in Emery County ? also it is
unknown if any of this in any form has been carried over to TSx.
Further source code analysis of the well-known "CVS.TAR" file1, which
contains source code for the TS6 and has been widely used in
touch-screen system security studies, has revealed this feature.
the fact that source code reviews performed this far have been not
conclusive.
The start-up program for the ballot station is looking for the
existence of [redacted] on the memory card. The file itself can be
empty, because the found file, based on the name alone, is a trigger
for alternative execution of a general purpose file management utility
program instead of the ballot station, therefore enabling access to
Operating System. This back door has also been documented in
[redacted]:
[redacted]
4. Automatic deletion of files, including election file-extension
files:
In case the memory card is full, the system will, without any
interaction with the user, start to delete files from the card to free
up memory. This deletion will also take out files with election file
extensions from the election subdirectory. There is no way to verify
which logic the system follows when choosing the files to be deleted.
5. Memory card test file merits further study:
From the publicly available documentation there is reference to memory
card testing with 16-bit "gray-code algorithm" using the file:
[redacted]
This functionality should be studied. Vulnerabilities are unknown.
6. Other file names should be examined:
The following references were found from the publicly available
documentation:
[redacted]
[redacted]
(Note: You can view every article as one long page if you sign up as an Advocate Member, or higher).
