Reading recently about a vulnerability in Google Glass that can be exploited if a victim takes a picture of a malicious QR code made me think about one of the current trends in absentee balloting. A number of localities in the US are trying out absentee ballot schemes where a voter goes to a website and makes his/her choices through a web form, then prints out a ballot that contains his/her choices as a marked ballot plus a barcode (typically a 2D QR code). The ballot is then mailed back to the locality with whatever signature forms are required. When the ballot arrives at the locality, election officials scan the QR code to duplicate the ballot showing the voter’s choices, (hopefully) compare that the voter selections actually match the marks, and then the ballot goes forward. (Commercial products with this feature include Everyone Counts and Scytl.)
The motivation for this process, usually called “ballot duplication” or “ballot remaking”, is that automatic scanning can be difficult due to discrepancies in the printing process on individual printers, or damage to the paper during printing mailing. This process has existed for many years without the QR code – if you hand-mark an absentee ballot, and it gets bent or wet (or has coffee stains!), then the election office will remake it simply by hand-copying your choices onto a fresh ballot, and marking the old one so it doesn’t get counted twice. (I believe that localities will put a serial number on both the original and remarked ballot, just to be sure they know which remarked ballot came from which original, but without any indication of whose ballot it is.)
There’s a number of recognized risks in these automatic remaking systems, including (1) the voter is coerced when they fill out the web form, (2) the ballot marking software doesn’t correctly record the voter’s intent in the barcode and the cross-checking isn’t done so the discrepancy is noted, (3) malware on the voter’s computer causes it to generate the wrong ballot and barcode, (4) the duplication process works incorrectly and it isn’t noticed, (5) the voter hand-marks something after printing the ballot and that’s not noticed in the cross-check, etc.
One that I’ve wondered about, but haven’t seen discussed is the risk of the QR code being malicious. So I found the Google Glass vulnerability very interesting – basically, until Google fixed this bug, if an attacker could get a Google Glass wearer to take a picture of a QR code, they could install malware in the Google Glass device. This is exactly the same issue as getting an election office to take a picture of the QR code on a ballot (which would be a normal part of ballot processing) – is it possible for a voter to install malware into the ballot processing system by sending a deliberately malformed QR code?
Clearly this isn’t going to be easy – the voter would need to have some clue what software is being used for the QR processing, and would have to find a vulnerability in it. Assuming the attacker doesn’t have a copy of the setup as used by the election officials for processing ballots, testing would be difficult, since it’s highly non-interactive (the attacker mails in his/her ballot with the malformed QR code, and then has to observe the election results to see if their attack worked). [By contrast, say, to a website where even if the attacker doesn’t have a copy of the software, s/he can test it and see how it react to a stimulus.]
Assuming that this vulnerability exists in a voting system, it’s not too hard to deal with – some level of comparing the mailed-in ballot to the duplicated ballot would detect mismatches, and if the level is too high, then the duplicated ballots could be assumed to be wrong. Of course this assumes the ballot duplication system is standalone and not used for other purposes – if it were networked, then an attack launched in this way might spread to other computers where it might have more observable activities.
But if election officials aren’t aware of the risk, they may not go to the extra step (and expense) of checking the duplicated ballots and/or isolating the ballot duplication system from their network.
The bottom line is that anywhere an attacker can provide input into a computer system, it’s a part of the attack surface. Ignoring an attack surface, even one as simple as a QR code, is at the system owner’s peril.
Although it’s a long shot, it’s still an interesting attack vector – one I had hypothesized, and having seen this attack, believe is somewhat more likely to be possible.
And for amusement, it’s related to the Bobby Tables attack in Sweden, which is nicely written up here and summarized by Bruce Schneier.
I whined uselessly about this flaw when our county rolled out e-slate voting machines in ~2004-2006ish. The supposed paper trail they print onto a roll stored in the machine for the voter to verify (& that the county has 0 incentive to ever audit) also contains a 2d barcode with unknown non voter verifiable contents. It would probably be scanned and used during a paper recount rather than the verified human readable text. Ie: the paper trail is now 200% useless.
Any voting system using non paper ballots is an expensive fraud.
Google Glass (and Android in general) use QR Codes for actions, not just data. The vulnerability comes from this ability – there was an earlier one that would dial if the QR code had tel: URIs. Connecting to wireless (without confirming), or going to web sites or other things is at issue.
For your voting system, the QR code would likely just have data, and there would be no reason for the system to perform any action from scanning the QR code. There might be vulnerabilities (think a very large QR code and buffer overflow) but they would be different in that there should be no automated actions.
There are bar-code scanners at all stores. Has there been even one vulnerability when all they can do is automatically enter a string of numbers or ASCII into a data field? There is the typical “cover expensive laptop UPC with cheap laptop UPC” and use the self-scan. But that isn’t a technical vulnerability with the self-scan. Can you get malicious code to have it give $19.95 in change in the cash dispenser for a fake coupon?