Return of the Insecure Brazilian Voting Machines presented at BlackHatAsia2019 2019

by Diego F. Aranha,

Summary : This talk presents a detailed and up-to-date security analysis of the voting software used in upcoming Brazilian elections by more than 140 million voters. It is mainly based on results obtained recently in a restricted hacking challenge organized by the Superior Electoral Court (SEC), the national electoral authority. During the event, multiple serious vulnerabilities (hard-coded cryptographic keys and insufficient integrity checks, among others) were detected in the voting software, which, when combined, compromised the main security properties of the equipment, namely ballot secrecy and software integrity. We trace the history of the vulnerabilities to a previous security analysis, providing some perspective about how the system evolved in the past 6 years. As far as we know, this was the most in-depth compromise of an official large-scale voting system ever performed under such severely restricted conditions. Joint work with Pedro Y. S. Barbosa, Thiago N. C. Cardoso, Caio Lüders and Paulo Matias.