Security Now 211

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 211

Security Now 211: Hacking Electronic Voting Machines

As of Monday August 31st at 6:00 PM MT:

  • The full 1:17:37 of SN 211 is now available from iTunes.

As of Sunday August 30th at 3:15 PM CT:

  • The file currently available on, and the file at Steve's site are still not complete. They are only 15.6 MB with a running time of 33:47.
  • Additionally, attempting to redownload the episode in iTunes by deleting the episode, closing the drop down list and, while holding shift (option key on mac), reopening the list of episodes, continues to result in downloading an incomplete episode.

News & Errata

08:03 - 12:48

  • The US Department of Agriculture (USDA) has banned the use of any browser apart from Internet Explorer

12:49 - 16:20

  • The Chaos Computer Club have said that within a month or two they will issue a public demo and release code so that anyone equipped with a laptop and an antenna can listen to GSM phone calls. And the story is that GSM has been cracked.

16:21 - 20:50

  • Trailers for Avatar have been released and you can view them on Apple's site

Spinrite Story

20:51 - 26:32 Sean(Unknown)

A listener purchased a copy of Spinrite from a flea market but it turned out to be an illegal copy. He destroyed the copy and planned to purchase another one from Steve. But Steve gave him a free copy.

Hacking Electronic Voting Machines

29:30 - 01:16:21

29:30 - 37:20

  • The voting machines we are discussing are not simply applications built on top of Windows
  • They are very beautifully designed, tight little voting machine using an 8 bit Zilog Z80 processor
  • They are "Sequoia AVC Advantage"
  • It is still in use in New Jersey, Louisiana, and other places
  • The machines specifically are version 5.00D
  • They were originally purchased in 1997 by Buncombe County, North Carolina
  • It can address 64K of memory

37:21 - 41:44

  • At this time PC's in general needed more data space so:
  • You could then buy a RAM add-in card that used bank switching.
  • Where there's a huge amount of RAM, and you could cause pieces of it, a bank at a time, to be accessible in a certain address range that was within this 640K space
  • So you'd basically swap in and out chunks of a much larger memory.
  • There just weren't enough addressing bits to uniquely address as much RAM as you now had in your machine.
  • So you could use them a bank at a time, a piece at a time.
  • The voting machine used this same technology
  • With its 64k 0- 16K was its BIOS, which was always mapped into the address space starting at the beginning.
  • Then any other one of the 16K chunks in these three 64K ROMs could be mapped into the second 16K space.
  • That left 32K for RAM.
  • And so the first 32K was ROM
  • And the second 32K was RAM
  • They also made it so that it was impossible to execute code from RAM.
  • Any attempt to execute out of that lower 32K, any attempt to fetch an instruction from the RAM, that upper RAM half of the instruction area of the addressing region, immediately causes a halt of the system.
  • It caused a hard jump into the BIOS to put an error code on the LCD display, and then it halts

41:45 - 43:36

  • When the researchers first got the machine they came up with a schematic for the circuit board and dumped out the 3 ROM's

43:37 - 49:44 Stacks

  • A subroutine is a piece of code that you might want to run at multiple places within the code. But instead of repeating the code throughout the program you have it in one location and the program can jump to it and then return to where it was.
  • Before the invention of stacks if you wanted to run a subroutine the first word of the subroutine was always left blank so the operating system could place the return address there so after it had ran the subroutine, it could return to where it was within the program
  • The problem with this is the subroutine couldn't call itself as it would overwrite the return address and you couldn't call any other code within the program.
  • The stack is like a separate scratch pad that you can store return values on and it returns values in a last-in, first-out mode
  • Meaning that if you put a value in, that's the value you get out. And as you take values out, they come out in the reverse order that you put them in.
  • The Z80 was a stack oriented machine

49:45 - 57:15

  • So the problem they still had was not being able to provide any of there own code in RAM
  • But they could provide pointers to code in ROM
  • Also spread throughout the code for this voting machine, were subroutines, all ending in a return instruction
  • And they didn't want necessarily to do what these subroutines did. But they looked at the last few instructions prior to the return instruction and said, okay, is that useful for something?
  • And so they searched the code for all the return instructions and looked at the code just prior to it
  • So what they did was they aggregated sets of little tiny bits of work at the end of all these different subroutines into what they called "gadgets."
  • They were able to come up with little tiny fragments of work which when aggregated together created a complete pseudo instruction set that's called a Turing complete

57:16 - 01:06:06

  • They then looked for buffer overruns in the code and found one that allowed them to get 12 bytes on the stack
  • This wouldn't normally be a problem as they aren't networked but they had an auxiliary cartridge slot
  • So they'd turn the machine on with their special funky cartridge plugged into the empty auxiliary slot
  • Go to the main menu
  • Tell it to load from the auxiliary cartridge
  • That allows them to get their special file in, which trips up the file system interpreter in a way that lets 12 bytes end up on the stack.
  • And that gives them a foothold.
  • Those 12 bytes are pointers into existing ROM code, the end of subroutines, just little fragments, a few instructions at the end that they've figured out how to knit together.
  • And that then loads additional code, which gets them into the machine.
  • And once they get this corpus collected, they have the ability to do anything.

01:06:07 - 01:16:21

  • This machine also had a hardware timer to make sure the system isn't misbehaving
  • Every so often the software resets this time before it times out
  • If it does time out the machine locks up
  • So they had to make sure to reset the timer



  • GoToMyPC-1
  • Ad Time: 0:36-0:51 and 26:32-29:30
  • Go To My PC


Production Information

  • Recorded Date: August 26, 2009
  • Release Date: August 27, 2009
  • Duration: 1:17:37
  • Log line:
  • Edited by: Tony (Finished by Erik)
  • Notes: Used MP2 backup from Marantz for entire show. First SN recorded with Axia.
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.