Last year (2012) Thomas Wright announced that we would be using an electronic voting system at the State Nominating Convention, and I was at first hesitant at the idea. Something didn’t sit right with me, so when the invitation came to preview the system before the convention I jumped at the idea and played with it with about 50-100 other volunteers, skeptics and supporters.
After seeing the demonstration and playing with the clicker for a few minutes I was no longer skeptical and relatively satisfied with the system. I chose to volunteer at the convention as I was not a State Delegate at the time and requested to work at the clicker troubleshooting desk. As I worked at the convention I came up with a few additional concerns that I have shared a number of times.
One concern was how can the delegates be sure that too many clickers weren’t activated and how do they remain accounted for during the process? Another concern was what stops someone from bringing their own clicker they bought online into the convention and trading it in at the troubleshooting desk claiming it isn’t working?
These concerns were never addressed to my knowledge.
Last week I was thinking about the voting system and decided to see if there was anything online related to the security of these clickers. I came across a couple of websites detailing how they had hacked the clicker system and what they had done with it. After some further research I wrote the following letter to Thomas Wright and the GOP Party Leadership. I have not heard back from Thomas, and have decided to post my concerns out in the open. I hope you understand that my goal is a fair and transparent Convention and Election, I don’t want to derail the clickers out of spite or because I hate change. I am a software tester by profession and naturally attempt to break systems that I have access to. Had I found (or if I find) the system was secure and my other concerns were addressed, I would be an active supporter of the system.
Here is my letter to the Party Leadership:
Dear State Party Leadership,
I am writing to accomplish 2 things. 1 – To inform you about the risk of hacking/spoofing that is very real in using the electronic clickers from Turning Technologies and 2 – to encourage you to abandon the use of these devices for anything more than informal polling data. They are not secure and should never be used for credentialed voting or balloting.
The electronic voting devices or clickers use a radio transmitter that operates on the 2.4GHz frequency, this is the same frequency that is used for wifi connections. The specific radio that is used inside these clickers is the nRF24L01 wireless transceiver which is available on ebay for a couple of dollars. This radio is not encrypted but instead sends the MAC address (clicker ID) each time it sends a vote or response, if the receiver on the other end is on the same channel it will look up the MAC address and check if it is a valid device and if so will accept the vote. If the device was not registered (someone brought one from home) the vote will be rejected.
Using only a device’s MAC Address to authenticate users is not secure since there are many ways to clone or spoof a MAC Address. Some simple code can be written or found online to accomplish such an exploit on computers; a similar exploit can be accomplished for the nRF24L01 radio. With easily and readily available hardware anyone can spoof the device ID of these clickers. This type of exploit has already been used to spoof the nRF24L01 radio in order to insert a custom MAC address.
What this means to the party, is that with the 2 dollar radio off ebay and a 15-30 dollar microcontroller called an arduino, one could take the MAC address spoofing code and make a simple device that mimics or clones any device ID desired.
More troubling still is that the nRF24L01 radio is not send only, it can also receive messages back from the host to indicate to the user that the vote was received. Using the same arduino device the radio can be programmed to listen and effectively see the MAC addresses and votes of every device within its range. After just one or two votes on listen mode, the person holding the 2 dollar radio and the arduino board can do a number of things including:
- Display all active MAC addresses of devices being used in its range on any channel or a specific channel.
- Jam all other devices within its range from being able to cast any votes at all.
- Listen to the responses coming in and respond with the most popular answer/vote (sometimes used in college classes where these devices are used for quizzes and tests)
- Respond as if it were all the known devices with a random vote overwriting the original users vote.
- Respond as if it were all the known devices with a specific vote gaining 100% of the vote.
Again I must insist that the elections committee and the State GOP abandon these devices for any credentialed balloting or voting. This exploit can very easily be done by anyone attending the convention with very minimal cost and effort. Please feel free to email any questions or concerns you have with the info I have provided.
I encourage you to review some of the links below to see people who have documented using these devices as I have described above and would ask that you forward these concerns to the elections chairperson, with me copied, as I was unable to find their contact information on the party website.
Sincerely,
Jared Belcher
Salt Lake County
Senate District 6 Chair
http://www.taylorkillian.com/
2012/11/turning-point-clicker- emulation-with.html http://hackaday.com/2012/11/
16/emulating-a-student- clicker-with-an-arduino/ http://travisgoodspeed.
blogspot.com/2010/07/ reversing-rf-clicker.html http://www.ebay.com/sch/i.
html?_trksid=p2050601.m570. l1313.TR0.TRC0&_nkw=nRF24L01&_ sacat=0&_from=R40