Reading recently about a vulnerability in Google Glass that can be exploited if a victim takes a picture of a malicious QR code made me think about one of the current trends in absentee balloting. A number of localities in the US are trying out absentee ballot schemes where a voter goes to a website and makes his/her choices through a web form, then prints out a ballot that contains his/her choices as a marked ballot plus a barcode (typically a 2D QR code). The ballot is then mailed back to the locality with whatever signature forms are required. When the ballot arrives at the locality, election officials scan the QR code to duplicate the ballot showing the voter’s choices, (hopefully) check that the selections encoded in the QR code actually match the marks on the paper, and then the ballot goes forward. (Commercial products with this feature include Everyone Counts and Scytl.)
The motivation for this process, usually called “ballot duplication” or “ballot remaking”, is that automatic scanning can be difficult due to discrepancies in the printing process on individual printers, or damage to the paper during printing or mailing. This process has existed for many years without the QR code – if you hand-mark an absentee ballot, and it gets bent or wet (or has coffee stains!), then the election office will remake it simply by hand-copying your choices onto a fresh ballot, and marking the old one so it doesn’t get counted twice. (I believe that localities will put a serial number on both the original and remarked ballot, just to be sure they know which remarked ballot came from which original, but without any indication of whose ballot it is.)
There are a number of recognized risks in these automatic remaking systems, including (1) the voter is coerced when they fill out the web form, (2) the ballot marking software doesn’t correctly record the voter’s intent in the barcode and no cross-check is done that would catch the discrepancy, (3) malware on the voter’s computer causes it to generate the wrong ballot and barcode, (4) the duplication process works incorrectly and it isn’t noticed, (5) the voter hand-marks something after printing the ballot and that’s not noticed in the cross-check, etc.
One that I’ve wondered about, but haven’t seen discussed, is the risk of the QR code itself being malicious. So I found the Google Glass vulnerability very interesting – basically, until Google fixed this bug, if an attacker could get a Google Glass wearer to take a picture of a QR code, they could install malware in the Google Glass device. This is exactly the same issue as getting an election office to take a picture of the QR code on a ballot (which would be a normal part of ballot processing) – is it possible for a voter to install malware into the ballot processing system by sending a deliberately malformed QR code?
Clearly this isn’t going to be easy – the voter would need to have some clue what software is being used for the QR processing, and would have to find a vulnerability in it. Assuming the attacker doesn’t have a copy of the setup as used by the election officials for processing ballots, testing would be difficult, since it’s highly non-interactive (the attacker mails in his/her ballot with the malformed QR code, and then has to observe the election results to see if the attack worked). By contrast, with a website, even if the attacker doesn’t have a copy of the software, s/he can probe it and see how it reacts to a stimulus.
Assuming that this vulnerability exists in a voting system, it’s not too hard to deal with – some level of comparing the mailed-in ballot to the duplicated ballot would detect mismatches, and if the mismatch rate is too high, then the duplicated ballots could be assumed to be wrong. Of course this assumes the ballot duplication system is standalone and not used for other purposes – if it were networked, then an attack launched in this way might spread to other computers where it might have more observable activities.
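One way to implement the cross-check and halt threshold described above, as an added example that is not from the original post or from any vendor’s product: the QR payload is parsed under a strict, assumed layout (rejecting anything off-shape before other code sees it), each ballot’s decoded choices are compared to the hand-marked ones, and a batch is flagged when the mismatch rate exceeds an assumed limit. The payload format, the token rules, the sample ballots and the 1% threshold are all constructed assumptions.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Assumed payload layout (constructed stand-in, not any vendor's real format):
# ASCII JSON {"ballot": "<style id>", "choices": {"<contest>": "<choice>"}}.
MAX_PAYLOAD_BYTES = 2048
TOKEN = re.compile(r"[A-Za-z0-9 _.-]{1,64}")

def parse_qr_payload(raw: bytes) -> Optional[Dict[str, str]]:
    """Strictly validate a decoded QR payload; reject (None) anything off-shape rather than guess."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        return None
    try:
        obj = json.loads(raw.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict) or set(obj) != {"ballot", "choices"}:
        return None
    if not isinstance(obj["ballot"], str) or not TOKEN.fullmatch(obj["ballot"]):
        return None
    choices = obj["choices"]
    if not isinstance(choices, dict) or not all(
        isinstance(k, str) and isinstance(v, str) and TOKEN.fullmatch(k) and TOKEN.fullmatch(v)
        for k, v in choices.items()
    ):
        return None
    return dict(choices)

def mismatched_contests(qr: Dict[str, str], marked: Dict[str, str]) -> List[str]:
    """Contests where the QR-decoded choice differs from the voter's visible marks."""
    return sorted(c for c in set(qr) | set(marked) if qr.get(c) != marked.get(c))

def audit_batch(batch: List[Tuple[bytes, Dict[str, str]]], max_rate: float = 0.01) -> Tuple[float, bool]:
    """Cross-check (raw QR payload, hand-marked choices) pairs; a rejected payload counts as a mismatch."""
    bad = 0
    for raw, marked in batch:
        qr = parse_qr_payload(raw)
        if qr is None or mismatched_contests(qr, marked):
            bad += 1
    rate = bad / len(batch) if batch else 0.0
    return rate, rate > max_rate  # (mismatch rate, halt duplication and review the batch?)

# Constructed sample batch: a clean ballot, one whose QR disagrees with the marks,
# and one malformed (non-ASCII, non-JSON) payload that must be rejected outright.
SAMPLE_BATCH = [
    (b'{"ballot": "P12", "choices": {"Mayor": "Alice", "Prop 1": "Yes"}}', {"Mayor": "Alice", "Prop 1": "Yes"}),
    (b'{"ballot": "P12", "choices": {"Mayor": "Bob", "Prop 1": "Yes"}}', {"Mayor": "Alice", "Prop 1": "Yes"}),
    (b"\xff\xfe<not a ballot>", {"Mayor": "Alice", "Prop 1": "No"}),
]
```

In practice the threshold would be set from the locality’s known rate of genuine printing and scanning errors, and a halt means the batch is remade by hand rather than trusted to the duplication system.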
But if election officials aren’t aware of the risk, they may not go to the extra step (and expense) of checking the duplicated ballots and/or isolating the ballot duplication system from their network.
The bottom line is that anywhere an attacker can provide input into a computer system, it’s a part of the attack surface. Ignoring an attack surface, even one as simple as a QR code, is at the system owner’s peril.
Although it’s a long shot, it’s still an interesting attack vector – one I had hypothesized, and having seen this attack, believe is somewhat more likely to be possible.
And for amusement, it’s related to the Bobby Tables attack in Sweden, which is nicely written up here and summarized by Bruce Schneier.