Re: Not your ordinary barcode

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Thu Apr 22 2004 - 15:09:01 CDT

On Apr 21, 2004, at 6:01 PM, Popkin, Laird (WMG Corp) wrote:

> I believe that these days OCR is implemented in the readers' firmware,
> so that it looks like text to the computer. So unless we're worried
> about someone hacking scanner firmware to mis-recognize OVC ballots, I
> think we're OK.

There is a longstanding problem with "commercial off-the-shelf" or
COTS software being used in voting systems without proper oversight.
I can point to one case where a COTS window manager (an upgrade to
Windows 95) actually led to the complete disclosure of each voter's
selections to the next person using that voting machine. As a result,
we cannot safely assume that COTS software, even if embedded in a
secondary component like a scanner, will be exempt from oversight.

Imagine yourself in the position of chief corporate sabotage officer
of Evil DRE Vendor Inc, wondering where to put your money to kill off
the competition from open software. You learn that we're using scanners
that do text recognition in firmware, so you do some digging and find
that most of the makers of such scanners are buying their text
recognition software from FlyByNight Industries. After consulting with
your software gurus, you devise the following scheme:

   1) Find the names of the programmers at FlyByNight
   2) Do some background checks, find the ones in financial trouble
   3) Carefully approach them, feeling them out to see if they'd be
       willing to help you with your project.
   4) First, target for a little help someone willing to give you
       a current listing of the firmware.
   5) Work out a patch in terms of that listing.
   6) Next, with a convenient charge of blackmail in hand, get your
       target to add your patch to the company's firmware.

What does the patch do? It monitors the text being produced by the
OCR software. If it sees words like "OFFICIAL BALLOT" and "Precinct"
and other key words and phrases on a page it scans, note in RAM that
this page met the criteria for possibly being a ballot. If 87
consecutive pages meet the criteria for being possible ballots,
without the scanner being rebooted (power cycled), go haywire.

Of course, you put this patch in after the system has been approved
by the independent testing labs but before large numbers of counties
start putting the things into production use.

So, if you use the scanner to scan anything but a stack of ballots,
no problem, and if you use it at a normal demo, no problem. On
election day, however, you end up with breakdowns all over the place
and the voting system is discredited.

The lesson from this story is that you can't really trust the embedded
firmware in auxiliary products. A similar attack could be made on the
printer.

The defense at both the printer and scanner level is probably to avoid
trusting the firmware of either with the ASCII representation of the
text. Ask the scanner for pixels, send pixels to the printer, and
make an effort to assure yourself that neither device contains OCR
software of any kind.

                Doug Jones
                jones@cs.uiowa.edu
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Fri Apr 30 23:17:16 2004
