#Hackers can change election result ? (Part II)
& Other News
• How to Hack an Election (Englsh an Spanish version)
• Senator Caiado says printed vote can restore credibility to Brazilian Democracy
• The Return of Software Vulnerabilities in the Brazilian Voting Machine By Prof. Aranha
• Latin America has the biggest skills gap in the world. Here’s how to bridge it (World Economic Forum)
SEE ALSO: https://youtu.be/wOsNfSw8boo
[ENGLISH VERSION]
SOURCE/LINK: https://www.bloomberg.com/features/2016-how-to-hack-an-election/
SEE VIDEO: https://youtu.be/EbfK6dFq8Vw
Bloomberg the Company & Its ProductsBloomberg Anywhere LoginBloomberg Terminal Demo Request
◦ Company
◦ Bloomberg London
◦ About
◦ Careers
◦ Diversity and Inclusion
◦ Philanthropy and Engagement
◦ Sustainability
◦ Tech
Communications
◦ Press Announcements
◦ Press Contacts
Follow
◦ Facebook
◦ Twitter
◦ LinkedIn
◦ Instagram
◦ Products
◦ Bloomberg Terminal
◦ Execution and
Order Management
◦ Data and Content
◦ Financial Data
Management
◦ Integration and
Distribution
◦ Bloomberg
Tradebook
Industry Products
◦ Bloomberg Law
◦ Bloomberg Tax
◦ Bloomberg Government
◦ Bloomberg Environment
◦ Bloomberg New Energy Finance
◦ Media
◦ Bloomberg Markets
◦ Bloomberg
Technology
◦ Bloomberg Pursuits
◦ Bloomberg Politics
◦ Bloomberg Opinion
◦ Bloomberg
Businessweek
◦ Bloomberg Live Conferences
◦ Bloomberg Apps
◦ Bloomberg Radio
◦ Bloomberg Television
◦ News Bureaus
Media Services
◦ Bloomberg Media Distribution
◦ Advertising
◦ Bloomberg
Connecting decision makers to a dynamic network of information, people and ideas, Bloomberg quickly and accurately delivers business and financial information, news and insight around the world.
For Customers
• Bloomberg Anywhere Remote Login
• Software Updates
• Manage Contracts and Orders
Support
Americas+1 212 318 2000
EMEA+44 20 7330 7500
Asia Pacific+65 6212 1000
Share on Facebook Share on Twitter Share on Reddit
How to Hack an Election
Andrés Sepúlveda rigged elections throughout Latin America for almost a decade. He tells his story for the first time.
By Jordan Robertson, Michael Riley, and Andrew Willis | March 31, 2016
Photographs by Juan Arredondo
From
Versión en español
It was just before midnight when Enrique Peña Nieto declared victory as the newly elected president of Mexico. Peña Nieto was a lawyer and a millionaire, from a family of mayors and governors. His wife was a telenovela star. He beamed as he was showered with red, green, and white confetti at the Mexico City headquarters of the Institutional Revolutionary Party, or PRI, which had ruled for more than 70 years before being forced out in 2000. Returning the party to power on that night in July 2012, Peña Nieto vowed to tame drug violence, fight corruption, and open a more transparent era in Mexican politics.
Two thousand miles away, in an apartment in Bogotá’s upscale Chicó Navarra neighborhood, Andrés Sepúlveda sat before six computer screens. Sepúlveda is Colombian, bricklike, with a shaved head, goatee, and a tattoo of a QR code containing an encryption key on the back of his head. On his nape are the words “</head>” and “<body>” stacked atop each other, dark riffs on coding. He was watching a live feed of Peña Nieto’s victory party, waiting for an official declaration of the results.
When Peña Nieto won, Sepúlveda began destroying evidence. He drilled holes in flash drives, hard drives, and cell phones, fried their circuits in a microwave, then broke them to shards with a hammer. He shredded documents and flushed them down the toilet and erased servers in Russia and Ukraine rented anonymously with Bitcoins. He was dismantling what he says was a secret history of one of the dirtiest Latin American campaigns in recent memory.
For eight years, Sepúlveda, now 31, says he traveled the continent rigging major political campaigns. With a budget of $600,000, the Peña Nieto job was by far his most complex. He led a team of hackers that stole campaign strategies, manipulated social media to create false waves of enthusiasm and derision, and installed spyware in opposition offices, all to help Peña Nieto, a right-of-center candidate, eke out a victory. On that July night, he cracked bottle after bottle of Colón Negra beer in celebration. As usual on election night, he was alone.
Sepúlveda’s career began in 2005, and his first jobs were small—mostly defacing campaign websites and breaking into opponents’ donor databases. Within a few years he was assembling teams that spied, stole, and smeared on behalf of presidential campaigns across Latin America. He wasn’t cheap, but his services were extensive. For $12,000 a month, a customer hired a crew that could hack smartphones, spoof and clone Web pages, and send mass e-mails and texts. The premium package, at $20,000 a month, also included a full range of digital interception, attack, decryption, and defense. The jobs were carefully laundered through layers of middlemen and consultants. Sepúlveda says many of the candidates he helped might not even have known about his role; he says he met only a few.
His teams worked on presidential elections in Nicaragua, Panama, Honduras, El Salvador, Colombia, Mexico, Costa Rica, Guatemala, and Venezuela. Campaigns mentioned in this story were contacted through former and current spokespeople; none but Mexico’s PRI and the campaign of Guatemala’s National Advancement Party would comment.
As a child, he witnessed the violence of Colombia’s Marxist guerrillas. As an adult, he allied with a right wing emerging across Latin America. He believed his hacking was no more diabolical than the tactics of those he opposed, such as Hugo Chávez and Daniel Ortega.
Many of Sepúlveda’s efforts were unsuccessful, but he has enough wins that he might be able to claim as much influence over the political direction of modern Latin America as anyone in the 21st century. “My job was to do actions of dirty war and psychological operations, black propaganda, rumors—the whole dark side of politics that nobody knows exists but everyone can see,” he says in Spanish, while sitting at a small plastic table in an outdoor courtyard deep within the heavily fortified offices of Colombia’s attorney general’s office. He’s serving 10 years in prison for charges including use of malicious software, conspiracy to commit crime, violation of personal data, and espionage, related to hacking during Colombia’s 2014 presidential election. He has agreed to tell his full story for the first time, hoping to convince the public that he’s rehabilitated—and gather support for a reduced sentence.
Usually, he says, he was on the payroll of Juan José Rendón, a Miami-based political consultant who’s been called the Karl Rove of Latin America. Rendón denies using Sepúlveda for anything illegal, and categorically disputes the account Sepúlveda gave Bloomberg Businessweek of their relationship, but admits knowing him and using him to do website design. “If I talked to him maybe once or twice, it was in a group session about that, about the Web,” he says. “I don’t do illegal stuff at all. There is negative campaigning. They don’t like it—OK. But if it’s legal, I’m gonna do it. I’m not a saint, but I’m not a criminal.” While Sepúlveda’s policy was to destroy all data at the completion of a job, he left some documents with members of his hacking teams and other trusted third parties as a secret “insurance policy.”
Sepúlveda provided Bloomberg Businessweek with what he says are e-mails showing conversations between him, Rendón, and Rendón’s consulting firm concerning hacking and the progress of campaign-related cyber attacks. Rendón says the e-mails are fake. An analysis by an independent computer security firm said a sample of the e-mails they examined appeared authentic. Some of Sepúlveda’s descriptions of his actions match published accounts of events during various election campaigns, but other details couldn’t be independently verified. One person working on the campaign in Mexico, who asked not to be identified out of fear for his safety, substantially confirmed Sepúlveda’s accounts of his and Rendón’s roles in that election.
Sepúlveda says he was offered several political jobs in Spain, which he says he turned down because he was too busy. On the question of whether the U.S. presidential campaign is being tampered with, he is unequivocal. “I’m 100 percent sure it is,” he says.
Sepúlveda grew up poor in Bucaramanga, eight hours north of Bogotá by car. His mother was a secretary. His father was an activist, helping farmers find better crops to grow than coca plants, and the family moved constantly because of death threats from drug traffickers. His parents divorced, and by the age of 15, after failing school, he went to live with his father in Bogotá and used a computer for the first time. He later enrolled in a local technology school and, through a friend there, learned to code.
In 2005, Sepúlveda’s older brother, a publicist, was helping with the congressional campaigns of a party aligned with then-Colombian President Alvaro Uribe. Uribe was a hero of the brothers, a U.S. ally who strengthened the military to fight the Revolutionary Armed Forces of Colombia (FARC). During a visit to party headquarters, Sepúlveda took out his laptop and began scanning the office’s wireless network. He easily tapped into the computer of Rendón, the party’s strategist, and downloaded Uribe’s work schedule and upcoming speeches. Sepúlveda says Rendón was furious—then hired him on the spot. Rendón says this never happened.
For decades, Latin American elections were rigged, not won, and the methods were pretty straightforward. Local fixers would hand out everything from small appliances to cash in exchange for votes. But in the 1990s, electoral reforms swept the region. Voters were issued tamper-proof ID cards, and nonpartisan institutes ran the elections in several countries. The modern campaign, at least a version North Americans might recognize, had arrived in Latin America.
Rendón had already begun a successful career based partly, according to his critics—and more than one lawsuit—on a mastery of dirty tricks and rumormongering. (In 2014, El Salvador’s then-President Carlos Mauricio Funes accused Rendón of orchestrating dirty war campaigns throughout Latin America. Rendón sued in Florida for defamation, but the court dismissed the case on the grounds that Funes couldn’t be sued for his official acts.) The son of democracy activists, he studied psychology and worked in advertising before advising presidential candidates in his native Venezuela. After accusing then-President Chávez of vote rigging in 2004, he left and never went back.
Sepúlveda’s first hacking job, he says, was breaking into an Uribe rival’s website, stealing a database of e-mail addresses, and spamming the accounts with disinformation. He was paid $15,000 in cash for a month’s work, five times as much as he made in his previous job designing websites.
Sepúlveda was dazzled by Rendón, who owned a fleet of luxury cars, wore big flashy watches, and spent thousands on tailored coats. Like Sepúlveda, he was a perfectionist. His staff was expected to arrive early and work late. “I was very young,” Sepúlveda says. “I did what I liked, I was paid well and traveled. It was the perfect job.” But more than anything, their right-wing politics aligned. Sepúlveda says he saw Rendón as a genius and a mentor. A devout Buddhist and practitioner of martial arts, according to his own website, Rendón cultivated an image of mystery and menace, wearing only all-black in public, including the occasional samurai robe. On his website he calls himself the political consultant who is the “best paid, feared the most, attacked the most, and also the most demanded and most efficient.” Sepúlveda would have a hand in that.
Rendón, says Sepúlveda, saw that hackers could be completely integrated into a modern political operation, running attack ads, researching the opposition, and finding ways to suppress a foe’s turnout. As for Sepúlveda, his insight was to understand that voters trusted what they thought were spontaneous expressions of real people on social media more than they did experts on television and in newspapers. He knew that accounts could be faked and social media trends fabricated, all relatively cheaply. He wrote a software program, now called Social Media Predator, to manage and direct a virtual army of fake Twitter accounts. The software let him quickly change names, profile pictures, and biographies to fit any need. Eventually, he discovered, he could manipulate the public debate as easily as moving pieces on a chessboard—or, as he puts it, “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”
According to Sepúlveda, his payments were made in cash, half upfront. When he traveled, he used a fake passport and stayed alone in a hotel, far from campaign staff. No one could bring a smartphone or camera into his room.
Most jobs were initiated in person. Sepúlveda says Rendón would give him a piece of paper with target names, e-mail addresses, and phone numbers. Sepúlveda would take the note to his hotel, enter the data into an encrypted file, then burn the page or flush it down the toilet. If Rendón needed to send an e-mail, he used coded language. To “caress” meant to attack; to “listen to music” meant to intercept a target’s phone calls.
Rendón and Sepúlveda took pains not to be seen together. They communicated over encrypted phones, which they replaced every two months. Sepúlveda says he sent daily progress reports and intelligence briefings from throwaway e-mail accounts to a go-between in Rendón’s consulting firm.
Each job ended with a specific, color-coded destruct sequence. On election day, Sepúlveda would purge all data classified as “red.” Those were files that could send him and his handlers to prison: intercepted phone calls and e-mails, lists of hacking victims, and confidential briefings he prepared for the campaigns. All phones, hard drives, flash drives, and computer servers were physically destroyed. Less-sensitive “yellow” data—travel schedules, salary spreadsheets, fundraising plans—were saved to an encrypted thumb drive and given to the campaigns for one final review. A week later it, too, would be destroyed.
For most jobs, Sepúlveda assembled a crew and operated out of rental homes and apartments in Bogotá. He had a rotating group of 7 to 15 hackers brought in from across Latin America, drawing on the various regions’ specialties. Brazilians, in his view, develop the best malware. Venezuelans and Ecuadoreans are superb at scanning systems and software for vulnerabilities. Argentines are mobile intercept artists. Mexicans are masterly hackers in general but talk too much. Sepúlveda used them only in emergencies.
The assignments lasted anywhere from a few days to several months. In Honduras, Sepúlveda defended the communications and computer systems of presidential candidate Porfirio Lobo Sosa from hackers employed by his competitors. In Guatemala, he digitally eavesdropped on six political and business figures, and says he delivered the data to Rendón on encrypted flash drives at dead drops. (Sepúlveda says it was a small job for a client of Rendón’s who has ties to the right-wing National Advancement Party, or PAN. The PAN says it never hired Rendón and has no knowledge of any of his claimed activities.) In Nicaragua in 2011, Sepúlveda attacked Ortega, who was running for his third presidential term. In one of the rare jobs in which he was working for a client other than Rendón, he broke into the e-mail account of Rosario Murillo, Ortega’s wife and the government’s chief spokeswoman, and stole a trove of personal and government secrets.
In Venezuela in 2012, the team abandoned its usual caution, animated by disgust with Chávez. With Chávez running for his fourth term, Sepúlveda posted an anonymized YouTube clip of himself rifling through the e-mail of one of the most powerful people in Venezuela, Diosdado Cabello, then president of the National Assembly. He also went outside his tight circle of trusted hackers and rallied Anonymous, the hacktivist group, to attack Chávez’s website.
After Sepúlveda hacked Cabello’s Twitter account, Rendón seemed to congratulate him. “Eres noticia :)”—you’re news—he wrote in a Sept. 9, 2012, e-mail, linking to a story about the breach. (Rendón says he never sent such an e-mail.) Sepúlveda provided screen shots of a dozen e-mails, and many of the original e-mails, showing that from November 2011 to September 2012 Sepúlveda sent long lists of government websites he hacked for various campaigns to a senior member of Rendón’s consulting firm, lacing them with hacker slang (“Owned!” read one). Two weeks before Venezuela’s presidential election, Sepúlveda sent screen shots showing how he’d hacked Chávez’s website and could turn it on and off at will.
Chávez won but died five months later of cancer, triggering an emergency election, won by Nicolás Maduro. The day before Maduro claimed victory, Sepúlveda hacked his Twitter account and posted allegations of election fraud. Blaming “conspiracy hackings from abroad,” the government of Venezuela disabled the Internet across the entire country for 20 minutes.
In Mexico, Sepúlveda’s technical mastery and Rendón’s grand vision for a ruthless political machine fully came together, fueled by the huge resources of the PRI. The years under President Felipe Calderón and the National Action Party (also, as in Partido Acción Nacional, PAN) were plagued by a grinding war against the drug cartels, which made kidnappings, street assassinations, and beheadings ordinary. As 2012 approached, the PRI offered the youthful energy of Peña Nieto, who’d just finished a successful term as governor.
Sepúlveda didn’t like the idea of working in Mexico, a dangerous country for involvement in public life. But Rendón persuaded him to travel there for short trips, starting in 2008, often flying him in on his private jet. Working at one point in Tabasco, on the sweltering Gulf of Mexico, Sepúlveda hacked a political boss who turned out to have connections to a drug cartel. After Rendón’s security team learned of a plan to kill Sepúlveda, he spent a night in an armored Chevy Suburban before returning to Mexico City.
Mexico is effectively a three-party system, and Peña Nieto faced opponents from both right and left. On the right, the ruling PAN nominated Josefina Vázquez Mota, its first female presidential candidate. On the left, the Democratic Revolution Party, or PRD, chose Andrés Manuel López Obrador, a former Mexico City mayor.
Early polls showed Peña Nieto 20 points ahead, but his supporters weren’t taking chances. Sepúlveda’s team installed malware in routers in the headquarters of the PRD candidate, which let him tap the phones and computers of anyone using the network, including the candidate. He took similar steps against PAN’s Vázquez Mota. When the candidates’ teams prepared policy speeches, Sepúlveda had the details as soon as a speechwriter’s fingers hit the keyboard. Sepúlveda saw the opponents’ upcoming meetings and campaign schedules before their own teams did.
Money was no problem. At one point, Sepúlveda spent $50,000 on high-end Russian software that made quick work of tapping Apple, BlackBerry, and Android phones. He also splurged on the very best fake Twitter profiles; they’d been maintained for at least a year, giving them a patina of believability.
Sepúlveda managed thousands of such fake profiles and used the accounts to shape discussion around topics such as Peña Nieto’s plan to end drug violence, priming the social media pump with views that real users would mimic. For less nuanced work, he had a larger army of 30,000 Twitter bots, automatic posters that could create trends. One conversation he started stoked fear that the more López Obrador rose in the polls, the lower the peso would sink. Sepúlveda knew the currency issue was a major vulnerability; he’d read it in the candidate’s own internal staff memos.
Just about anything the digital dark arts could offer to Peña Nieto’s campaign or important local allies, Sepúlveda and his team provided. On election night, he had computers call tens of thousands of voters with prerecorded phone messages at 3 a.m. in the critical swing state of Jalisco. The calls appeared to come from the campaign of popular left-wing gubernatorial candidate Enrique Alfaro Ramírez. That angered voters—that was the point—and Alfaro lost by a slim margin. In another governor’s race, in Tabasco, Sepúlveda set up fake Facebook accounts of gay men claiming to back a conservative Catholic candidate representing the PAN, a stunt designed to alienate his base. “I always suspected something was off,” the candidate, Gerardo Priego, said recently when told how Sepúlveda’s team manipulated social media in the campaign.
In May, Peña Nieto visited Mexico City’s Ibero-American University and was bombarded by angry chants and boos from students. The rattled candidate retreated with his bodyguards into an adjacent building, hiding, according to some social media posts, in a bathroom. The images were a disaster. López Obrador soared.
The PRI was able to recover after one of López Obrador’s consultants was caught on tape asking businessmen for $6 million to fund his candidate’s broke campaign, in possible violation of Mexican laws. Although the hacker says he doesn’t know the origin of that particular recording, Sepúlveda and his team had been intercepting the communications of the consultant, Luis Costa Bonino, for months. (On Feb. 2, 2012, Rendón appears to have sent him three e-mail addresses and a cell phone number belonging to Costa Bonino in an e-mail called “Job.”) Sepúlveda’s team disabled the consultant’s personal website and directed journalists to a clone site. There they posted what looked like a long defense written by Costa Bonino, which casually raised questions about whether his Uruguayan roots violated Mexican restrictions on foreigners in elections. Costa Bonino left the campaign a few days later. He indicated recently that he knew he was being spied on, he just didn’t know how. It goes with the trade in Latin America: “Having a phone hacked by the opposition is not a novelty. When I work on a campaign, the assumption is that everything I talk about on the phone will be heard by the opponents.”
The press office for Peña Nieto declined to comment. A spokesman for the PRI said the party has no knowledge of Rendón working for Peña Nieto’s or any other PRI campaign. Rendón says he has worked on behalf of PRI candidates in Mexico for 16 years, from August 2000 until today.
In 2012, Colombian President Juan Manuel Santos, Uribe’s successor, unexpectedly restarted peace talks with the FARC, hoping to end a 50-year war. Furious, Uribe, whose father was killed by FARC guerrillas, created a party and backed an alternative candidate, Oscar Iván Zuluaga, who opposed the talks.
Rendón, who was working for Santos, wanted Sepúlveda to join his team, but Sepúlveda turned him down. He considered Rendón’s willingness to work for a candidate supporting peace with the FARC a betrayal and suspected the consultant was going soft, choosing money over principles. Sepúlveda says he was motivated by ideology first and money second, and that if he wanted to get rich he could have made a lot more hacking financial systems than elections. For the first time, he decided to oppose his mentor.
Sepúlveda went to work for the opposition, reporting directly to Zuluaga’s campaign manager, Luis Alfonso Hoyos. (Zuluaga denies any knowledge of hacking; Hoyos couldn’t be reached for comment.) Together, Sepúlveda says, they came up with a plan to discredit the president by showing that the guerrillas continued to traffic in drugs and violence even as they talked about peace. Within months, Sepúlveda hacked the phones and e-mail accounts of more than 100 militants, including the FARC’s leader, Rodrigo Londoño, also known as Timochenko. After assembling a thick file on the FARC, including evidence of the group’s suppression of peasant votes in the countryside, Sepúlveda agreed to accompany Hoyos to the offices of a Bogotá TV news program and present the evidence.
It may not have been wise to work so doggedly and publicly against a party in power. A month later, Sepúlveda was smoking on the terrace of his Bogotá office when he saw a caravan of police vehicles pull up. Forty black-clad commandos raided the office to arrest him. Sepúlveda blamed his carelessness at the TV station for the arrest. He believes someone there turned him in. In court, he wore a bulletproof vest and sat surrounded by guards with bomb shields. In the back of the courtroom, men held up pictures of his family, making a slashing gesture across their throats or holding a hand over their mouths—stay silent or else. Abandoned by former allies, he eventually pleaded guilty to espionage, hacking, and other crimes in exchange for a 10-year sentence.
Three days after arriving at Bogotá’s La Picota prison, he went to the dentist and was ambushed by men with knives and razors, but was saved by guards. A week later, guards woke him and rushed him from his cell, saying they had heard about a plot to shoot him with a silenced pistol as he slept. After national police intercepted phone calls revealing yet another plot, he’s now in solitary confinement at a maximum-security facility in a rundown area of central Bogotá. He sleeps with a bulletproof blanket and vest at his bedside, behind bombproof doors. Guards check on him every hour. As part of his plea deal, he says, he’s turned government witness, helping investigators assess possible cases against the former candidate, Zuluaga, and his strategist, Hoyos. Authorities issued an indictment for the arrest of Hoyos, but according to Colombian press reports he’s fled to Miami.
When Sepúlveda leaves for meetings with prosecutors at the Bunker, the attorney general’s Bogotá headquarters, he travels in an armed caravan including six motorcycles speeding through the capital at 60 mph, jamming cell phone signals as they go to block tracking of his movements or detonation of roadside bombs.
In July 2015, Sepúlveda sat in the small courtyard of the Bunker, poured himself a cup of coffee from a thermos, and took out a pack of Marlboro cigarettes. He says he wants to tell his story because the public doesn’t grasp the power hackers exert over modern elections or the specialized skills needed to stop them. “I worked with presidents, public figures with great power, and did many things with absolutely no regrets because I did it with full conviction and under a clear objective, to end dictatorship and socialist governments in Latin America,” he says. “I have always said that there are two types of politics—what people see and what really makes things happen. I worked in politics that are not seen.”
Sepúlveda says he’s allowed a computer and a monitored Internet connection as part of an agreement to help the attorney general’s office track and disrupt drug cartels using a version of his Social Media Predator software. The government will not confirm or deny that he has access to a computer, or what he’s using it for. He says he has modified Social Media Predator to counteract the kind of sabotage he used to specialize in, including jamming candidates’ Facebook walls and Twitter feeds. He’s used it to scan 700,000 tweets from pro-Islamic State accounts to learn what makes a good terror recruiter. Sepúlveda says the program has been able to identify ISIS recruiters minutes after they create Twitter accounts and start posting, and he hopes to share the information with the U.S. or other countries fighting the Islamist group. Samples of Sepúlveda’s code evaluated by an independent company found it authentic and substantially original.
Sepúlveda’s contention that operations like his happen on every continent is plausible, says David Maynor, who runs a security testing company in Atlanta called Errata Security. Maynor says he occasionally gets inquiries for campaign-related jobs. His company has been asked to obtain e-mails and other documents from candidates’ computers and phones, though the ultimate client is never disclosed. “Those activities do happen in the U.S., and they happen all the time,” he says.
In one case, Maynor was asked to steal data as a security test, but the individual couldn’t show an actual connection to the campaign whose security he wanted to test. In another, a potential client asked for a detailed briefing on how a candidate’s movements could be tracked by switching out the user’s iPhone for a bugged clone. “For obvious reasons, we always turned them down,” says Maynor, who declines to name the candidates involved.
Three weeks before Sepúlveda’s arrest, Rendón was forced to resign from Santos’s campaign amid allegations in the press that he took $12 million from drug traffickers and passed part of it on to the candidate, something he denies.
According to Rendón, Colombian officials interviewed him shortly afterward in Miami, where he keeps a home. Rendón says that Colombian investigators asked him about Sepúlveda and that he told them Sepúlveda’s role was limited to Web development.
Rendón denies working with Sepúlveda in any meaningful capacity. “He says he worked with me in 20 places, and the truth is he didn’t,” Rendón says. “I never paid Andrés Sepúlveda a peso.”
Last year, based on anonymous sources, the Colombian media reported that Rendón was working for Donald Trump’s presidential campaign. Rendón calls the reports untrue. The campaign did approach him, he says, but he turned them down because he dislikes Trump. “To my knowledge we are not familiar with this individual,” says Trump’s spokeswoman, Hope Hicks. “I have never heard of him, and the same goes for other senior staff members.” But Rendón says he’s in talks with another leading U.S. presidential campaign—he wouldn’t say which—to begin working for it once the primaries wrap up and the general election begins.
—With Carlos Manuel Rodríguez and Matthew Bristow
Editor: Bryant Urstadt
Producer: Laura Ratliff
Feb 28, 2018
How Defective Guns Became the Only Product That Can’t Be Recalled
Feb 9, 2018
Americans Will Struggle to Grow Old at Home
Mar 2, 2018
China Is Turning Ethiopia Into a Giant Fast-Fashion Factory
Feb 7, 2018
Inside North Korea’s Hacker Army
Mar 15, 2018
This Multibillion-Dollar Corporation Is Controlled by a Penniless Yoga Superstar
Feb 16, 2018
WWE Is Laying the Smackdown on the World
Terms of Service Trademarks Privacy Policy ©2018 Bloomberg L.P. All Rights Reserved
Careers Made in NYC Advertise Ad Choices Website Feedback Help
==//==
[SPANISH VERSION]
SOURCE/LINK: https://www.bloomberg.com/features/2016-como-manipular-una-eleccion/
Bloomberg the Company & Its ProductsBloomberg Anywhere LoginBloomberg Terminal Demo Request
◦ Company
◦ Bloomberg London
◦ About
◦ Careers
◦ Diversity and Inclusion
◦ Philanthropy and Engagement
◦ Sustainability
◦ Tech
Communications
◦ Press Announcements
◦ Press Contacts
Follow
◦ Facebook
◦ Twitter
◦ LinkedIn
◦ Instagram
◦ Products
◦ Bloomberg Terminal
◦ Execution and
Order Management
◦ Data and Content
◦ Financial Data
Management
◦ Integration and
Distribution
◦ Bloomberg
Tradebook
Industry Products
◦ Bloomberg Law
◦ Bloomberg Tax
◦ Bloomberg Government
◦ Bloomberg Environment
◦ Bloomberg New Energy Finance
◦ Media
◦ Bloomberg Markets
◦ Bloomberg
Technology
◦ Bloomberg Pursuits
◦ Bloomberg Politics
◦ Bloomberg Opinion
◦ Bloomberg
Businessweek
◦ Bloomberg Live Conferences
◦ Bloomberg Apps
◦ Bloomberg Radio
◦ Bloomberg Television
◦ News Bureaus
Media Services
◦ Bloomberg Media Distribution
◦ Advertising
◦ Bloomberg
Connecting decision makers to a dynamic network of information, people and ideas, Bloomberg quickly and accurately delivers business and financial information, news and insight around the world.
For Customers
• Bloomberg Anywhere Remote Login
• Software Updates
• Manage Contracts and Orders
Support
Americas+1 212 318 2000
EMEA+44 20 7330 7500
Asia Pacific+65 6212 1000
Share on Facebook Share on Twitter Share on Reddit
Cómo Hackear una Elección
Andrés Sepúlveda afirma haber alterado campañas electorales durante ocho años dentro de Latinoamérica.
Por Jordan Robertson, Michael Riley, and Andrew Willis | 31 de marzo, 2016
Fotografía por Juan Arredondo
De
Read in English
Justo antes de la medianoche Enrique Peña Nieto anunció su victoria como el nuevo presidente electo de México. Peña Nieto era abogado y millonario, proveniente de una familia de alcaldes y gobernadores. Su esposa era actriz de telenovelas. Lucía radiante mientras era cubierto de confeti rojo, verde y blanco en la sede central del Partido Revolucionario Institucional, o PRI, el cual había gobernado por más de 70 años antes de ser destronado en el 2000. Al devolver el poder al PRI en aquella noche de julio de 2012 Peña Nieto prometió disminuir la violencia ligada al narcotráfico, luchar contra la corrupción y dar inicio a una era más transparente en la política mexicana.
A dos mil millas de distancia (3.200 kilómetros), en un departamento en el lujoso barrio de Chicó Navarra en Bogotá, Andrés Sepúlveda estaba sentado frente a seis pantallas de computadores. Sepúlveda es colombiano, de constitución robusta, con cabeza rapada, perilla y un tatuaje de un código QR con una clave de cifrado en la parte de atrás de su cabeza. En su nuca están escritas las palabras “</head>” y “<body>”, una encima de la otra, en una oscura alusión a la codificación. Sepúlveda observaba una transmisión en directo de la celebración de la victoria de Peña Nieto, a la espera de un comunicado oficial sobre los resultados.
Cuando Peña Nieto ganó Sepúlveda comenzó a destruir evidencia. Perforó agujeros en memorias USB, discos duros y teléfonos móviles, calcinó sus circuitos en un microondas y luego los hizo pedazos con un martillo. Trituró documentos y los tiró por el excusado, junto con borrar servidores alquilados de forma anónima en Rusia y Ucrania mediante el uso de Bitcoins. Desbarataba la historia secreta de una de las campañas más sucias de Latinoamérica en los últimos años.
Sepúlveda, de 31 años, dice haber viajado durante ocho años a través del continente manipulando las principales campañas políticas. Con un presupuesto de US$600.000, el trabajo realizado para la campaña de Peña Nieto fue por lejos el más complejo. Encabezó un equipo de seis hackers que robaron estrategias de campaña, manipularon redes sociales para crear falsos sentimientos de entusiasmo y escarnio e instaló spyware en sedes de campaña de la oposición, todo con el fin de ayudar a Peña Nieto, candidato de centro derecha, a obtener una victoria. En aquella noche de julio, destapó botella tras botella de cerveza Colón Negra a modo de celebración. Como de costumbre en una noche de elecciones, estaba solo.
La carrera de Sepúlveda comenzó en 2005, y sus primeros fueron trabajos fueron menores - consistían principalmente en modificar sitios web de campañas y violar bases de datos de opositores con información sobre sus donantes. Con el pasar de los años reunió equipos que espiaban, robaban y difamaban en representación de campañas presidenciales dentro de Latinoamérica. Sus servicios no eran baratos, pero el espectro era amplio. Por US$12.000 al mes, un cliente contrataba a un equipo que podía hackear teléfonos inteligentes, falsificar y clonar sitios web y enviar correos electrónicos y mensajes de texto masivos. El paquete prémium, a un costo de US$20.000 mensuales, también incluía una amplia gama de intercepción digital, ataque, decodificación y defensa. Los trabajos eran cuidadosamente blanqueados a través de múltiples intermediarios y asesores. Sepúlveda señala que es posible que muchos de los candidatos que ayudó no estuvieran al tanto de su función. Sólo conoció a unos pocos.
Sus equipos trabajaron en elecciones presidenciales en Nicaragua, Panamá, Honduras, El Salvador, Colombia, México, Costa Rica, Guatemala y Venezuela. Las campañas mencionadas en esta historia fueron contactadas a través de ex y actuales voceros; ninguna salvo el PRI de México y el Partido de Avanzada Nacional de Guatemala quiso hacer declaraciones.
De niño, fue testigo de la violencia de las guerrillas marxistas de Colombia. De adulto se unió a derecha que emergía en Latinoamérica. Creía que sus actividades como hacker no eran más diabólicas que las tácticas de aquellos a quienes se oponía, como Hugo Chávez y Daniel Ortega.
Muchos de los esfuerzos de Sepúlveda no rindieron frutos, pero tiene suficientes victorias como para decir que ha influenciado la dirección política de América Latina moderna tanto como cualquier otra persona en el siglo XXI. "Mi trabajo era hacer acciones de guerra sucia y operaciones psicológicas, propaganda negra, rumores, en fin, toda la parte oscura de la política que nadie sabe que existe pero que todos ven", dice sentado en una pequeña mesa de plástico en un patio exterior ubicado en lo profundo de las oficinas sumamente resguardadas de la Fiscalía General de Colombia. Actualmente, cumple una condena de 10 años por los delitos de uso de software malicioso, conspirar para delinquir, violación de datos y espionaje conectados al hackeo de las elecciones de Colombia de 2014. Accedió a contar su versión completa de los hechos por primera vez con la esperanza de convencer al público de que se ha rehabilitado y obtener respaldo para la reducción de su condena.
Generalmente, señala, estaba en la nómina de Juan José Rendón, un asesor político que reside en Miami y que ha sido catalogado como el Karl Rove de Latinoamérica. Rendón niega haber utilizado a Sepúlveda para cualquier acto ilegal y refuta de forma categórica la versión que Sepúlveda entregó a Bloomberg Businessweek sobre su relación, pero admite conocerlo y haberlo contratado para el diseño de sitios webs. "Si hablé con él puede haber sido una o dos veces, en una sesión grupal sobre eso, sobre el sitio web", declara. “En ningún caso hago cosas ilegales. Hay campañas negativas. No les gusta, de acuerdo. Pero si es legal lo haré. No soy un santo, pero tampoco soy un criminal" (Destaca que pese a todos los enemigos que ha acumulado con el transcurso de los años debido a su trabajo en campañas, nunca se ha visto enfrentado a ningún cargo criminal). A pesar de que la política de Sepúlveda era destruir todos los datos al culminar un trabajo, dejó algunos documentos con miembros de su equipo de hackers y otros personas de confianza a modo de “póliza de seguro” secreta.
Sepúlveda proporcionó a Bloomberg Businessweek correos electrónicos que según él muestran conversaciones entre él, Rendón, y la consultora de Rendón acerca del hackeo y el progreso de ciberataques relacionados a campañas. Rendón señala que los correos electrónicos son falsos. Un análisis llevado a cabo por una empresa de seguridad informática independiente demostró que un muestreo de los correos electrónicos que examinaron parecen ser auténticos. Algunas de las descripciones de Sepúlveda sobre sus actividades concuerdan con relatos publicados de eventos durante varias campañas electorales, pero otros detalles no pudieron ser verificados de forma independiente. Una persona que trabajó en la campaña en México y que pidió mantener su nombre en reserva por temor a su seguridad, confirmó en gran parte la versión de Sepúlveda sobre su función y la de Rendón en dicha elección.
Sepúlveda dice que en España le ofrecieron varios trabajos políticos que habría rechazado por estar demasiado ocupado. Al preguntarle si la campaña presidencial de EEUU está siendo alterada, su respuesta es inequívoca. “Estoy cien por ciento seguro de que lo está”, afirma.
Sepúlveda creció en medio de la pobreza en Bucaramanga, ocho horas al norte de Bogotá en auto. Su madre era secretaria. Su padre era activista y ayudaba a agricultores a buscar mejores productos para cultivar que la coca, por lo que la familia se mudó constantemente debido a las amenazas de muerte de narcotraficantes. Sus padres se divorciaron y a los 15 años, tras reprobar en la escuela, se mudó donde su padre en Bogotá y utilizó un computador por primera vez. Más tarde se inscribió en una escuela local de tecnología y a través de un amigo que conoció ahí aprendió a programar.
En 2005, el hermano mayor de Sepúlveda, publicista, ayudaba en las campañas parlamentarias de un partido alineado con el entonces presidente de Colombia Álvaro Uribe. Uribe era uno de los héroes de los hermanos, un aliado de Estados Unidos que fortaleció al ejército para luchar contra las Fuerzas Armadas Revolucionarias de Colombia (FARC). Durante una visita a la sede del partido, Sepúlveda sacó su computador portátil y comenzó a analizar la red inalámbrica del recinto. Con facilidad interceptó el computador de Rendón, el estratega del partido, y descargó la agenda de Uribe y sus próximos discursos. Sepúlveda señala que Rendón se puso furioso y lo contrató ahí mismo. Rendón dice que esto nunca ocurrió.
Durante décadas, las elecciones en Latinoamérica fueron manipuladas y no ganadas, y los métodos eran bastante directos. Los encargados locales de adulterar elecciones repartían desde pequeños electrodomésticos a dinero en efectivo a cambio de votos. Sin embargo, en la década de 1990 reformas electorales se extendieron por la región. Los votantes recibieron tarjetas de identificación imposibles de falsificar y entidades apartidistas se hicieron cargo de las elecciones en varios países. La campaña electoral moderna, o al menos una versión con la cual Norteamérica estaba familiarizada, había llegado a Latinoamérica.
Rendón ya había lanzado una exitosa carrera que según sus críticos - y más de una demanda - estaba basada en el uso de trucos sucios y la divulgación de rumores. (En 2014, Carlos Mauricio Funes, el entonces presidente de El Salvador, acusó a Rendón de orquestar campañas de guerra sucia dentro de Latinoamérica. Rendón lo demandó en Florida por difamación, pero la corte desestimó el caso señalando que no se podía demandar a Funes por sus actos oficiales). Hijo de activistas a favor de la democracia, estudió sicología y trabajó en publicidad antes de asesorar a candidatos presidenciales en su país natal, Venezuela. Después de acusar en 2004 al entonces presidente Hugo Chávez de fraude electoral, dejó el país y nunca regresó.
Sepúlveda dice que su primer trabajo como hacker consistió en infiltrar el sitio web de un rival de Uribe, robar una base de dato de correos electrónicos y enviar correos masivos a los usuarios con información falsa. Recibió US$15.000 en efectivo por un mes de trabajo, cinco veces más de lo que ganaba en su trabajo anterior como diseñador de sitios web.
Rendón, que era dueño de una flota de automóviles de lujo, usaba relojes ostentosos y gastaba miles de dólares en trajes a medida, deslumbró a Sepúlveda. Al igual que Sepúlveda, Rendón era un perfeccionista. Esperaba que sus empleados llegaran a trabajar temprano y se fueran tarde. "Era muy joven, hacía lo que me gustaba, me pagaban bien y viajaba, era el trabajo perfecto". Pero más que cualquier otra cosa, sus políticas de derecha coincidían. Sepúlveda señala que veía a Rendón como un genio y mentor. Budista devoto y practicante de artes marciales, según su propio sitio web, Rendón cultivaba una imagen de misterio y peligro, vistiendo solo ropa negra en público e incluso utilizando de vez en cuando la vestimenta de un samurái. En su sitio web se denomina el estratega político “mejor pagado, más temido y también el más solicitado y eficiente”. Sepúlveda sería en parte responsable de aquello.
Rendón, indica Sepúlveda, se dio cuenta de que los hackers podían integrarse completamente en una operación política moderna, llevando a cabo ataques publicitarios, investigando a la oposición y hallando maneras de suprimir la participación de un adversario. En cuanto a Sepúlveda, su aporte era entender que los votantes confiaban más en lo que creían eran manifestaciones espontáneas de personas reales en redes sociales que en los expertos que aparecían en televisión o periódicos. Sabía que era posible falsificar cuentas y crear tendencias en redes sociales, todo a un precio relativamente bajo. Escribió un software, llamado ahora Depredador de Redes Sociales, para administrar y dirigir un ejército virtual de cuentas falsas de Twitter. El software le permitía cambiar rápidamente nombres, fotos de perfil y biografías para adaptarse a cualquier circunstancia. Con el transcurso del tiempo descubrió que manipular la opinión pública era tan fácil como mover las piezas en una tablero de ajedrez, o en sus palabras, “pero también cuando me di cuenta que las personas creen más a lo que dice Internet que a la realidad, descubrí que 'tenía el poder' de hacer creer a la gente casi cualquier cosa".
Según Sepúlveda, recibía su sueldo en efectivo, la mitad por adelantado. Cuando viajaba empleaba un pasaporte falso y se hospedaba solo en un hotel, lejos de los miembros de la campaña. Nadie podía ingresar a su habitación con un teléfono inteligente o cámara fotográfica.
La mayoría de los trabajos eran acordados en persona. Rendón entregaba a Sepúlveda una hoja con nombres de objetivos, correos electrónicos y teléfonos. Sepúlveda llevaba la hoja a su hotel, ingresaba los datos en un archive encriptado y luego quemaba el papel o lo tiraba por el excusado. Si Rendón necesitaba enviar un correo electrónico, empleaba lenguaje codificado. “Dar caricias” significaba atacar; “escuchar música” significaba interceptar las llamadas telefónicas de un objetivo.
Rendón y Sepúlveda procuraron no ser vistos juntos. Se comunicaban a través de teléfonos encriptados que reemplazaban cada dos meses. Sepúlveda señala que enviaba informes de avance diarios y reportes de inteligencia desde cuentas de correo electrónico desechable a un intermediario en la firma de consultoría de Rendón.
Cada trabajo culminaba con una secuencia de destrucción específica, codificada por colores. El día de las elecciones, Sepúlveda destruía todos los datos clasificados como “rojos”. Aquellos eran archivos que podían enviarlo a prisión a él y a quienes hubiesen estado en contacto con ellos: llamadas telefónicos y correos electrónicos interceptados, listas de víctimas de piratería informática e informes confidenciales que preparaba para las campañas. Todos los teléfonos, discos duros, memorias USB y servidores informáticos eran destruidos físicamente. Información "amarilla" menos sensible - agendas de viaje, planillas salariales, planes de recaudación de fondos - se guardaban en un dispositivo de memoria encriptado que se le entregaba a las campañas para una revisión final. Una semana después, también sería destruido.
Para la mayoría de los trabajos Sepúlveda reunía a un equipo y operaba desde casas y departamentos alquilados en Bogotá. Tenía un grupo de 7 a 15 hackers que iban rotando y que provenían de distintas partes de Latinoamérica, aprovechando las diferentes especialidades de la región. En su opinión, lo brasileños desarrollan el mejor malware. Los venezolanos y ecuatorianos son expertos en escanear sistemas y software para detectar vulnerabilidades. Los argentinos son artistas cuando se trata de interceptar teléfonos celulares. Los mexicanos son en su mayoría hackers expertos pero hablan demasiado. Sepúlveda sólo acudía a ellos en emergencias.
Estos trabajos demoraban desde un par de días a varios meses. En Honduras, Sepúlveda defendió el sistema computacional y comunicacional del candidato presidencial Porfirio Lobo Sosa de hackers empleados por sus opositores. En Guatemala, interceptó digitalmente datos de seis personajes del ámbito de la política y los negocios y dice que entregó la información a Rendón en memorias USB encriptadas que dejaba en puntos de entrega secretos. (Sepúlveda dice que este fue un trabajo pequeño para un cliente de Rendón ligado al derechista Partido de Avanzada Nacional (PAN). El PAN señala que nunca contrato a Rendón y dice no estar al tanto de ninguna de las actividades que relata Sepúlveda). En Nicaragua en 2011, Sepúlveda atacó a Ortega, quien se presentaba a su tercer período presidencial. En una de las pocas ocasiones en las que trabajó para otro cliente y no para Rendón, infiltró la cuenta de correo electrónico de Rosario Murillo, esposa de Ortega y principal vocera de comunicación del gobierno, y robó un caudal de secretos personales y gubernamentales.
En Venezuela en 2012, impulsado por su aversión a Chávez, el equipo dejó de lado su precaución habitual. Durante la campaña de Chávez para postular a un cuarto período presidencial, Sepúlveda publicó un video de YouTube anónimo en el que hurgaba en el correo electrónico de una de las personas más poderosas de Venezuela, Diosdado Cabello, en ese entonces presidente de la Asamblea Nacional. También salió de su estrecho círculo de hackers de confianza y movilizó a Anonymous, el grupo de hackers activistas, para atacar el sitio web de Chávez.
Tras el ataque de Sepúlveda a la cuenta de Twitter de Cabello, Rendón lo habría felicitado. “Eres noticia :)” escribió en un correo electrónico el 9 de septiembre de 2012 adjunto un enlace a una historia sobre la falla de seguridad. Sepúlveda proporcionó pantallazos de decenas de correos electrónicos y varios de los correos originales escritos en jerga hacker (“Owned!”, decía un correo, haciendo referencia al hecho de haber comprometido la seguridad de un sistema), que muestran que durante noviembre de 2011 y septiembre de 2012 Sepúlveda envió largas listas de sitios gubernamentales que había infiltrado para varias campañas a un alto miembro de la empresa de asesoría de Rendón. Dos semanas antes de la elección presidencial en Venezuela, Sepúlveda envió pantallazos mostrando cómo había infiltrado el sitio web de Chávez y cómo podía activarlo y desactivarlo a voluntad.
Chávez ganó las elecciones pero murió de cáncer cinco meses después, lo que llevó a realizar una elección extraordinaria en la que Nicolás Maduro fue electo presidente. Un día antes que Maduro proclamara su victoria, Sepúlveda hackeó su cuenta de Twitter y publicó denuncias de fraude electoral. El gobierno Venezolano culpó a “hackeos conspiradores del exterior” y deshabilitó internet en todo el país durante 20 minutos.
En México, el dominio técnico de Sepúlveda y la gran visión de una máquina política despiadada de Rendón confluyeron plenamente, impulsados por los vastos recursos del PRI. Los años bajo el gobierno del presidente Felipe Calderón y el Partido Acción Nacional, PAN) se vieron plagados por una devastadora guerra contra los carteles de drogas, lo que hizo que secuestros, asesinatos en la vía pública y decapitaciones fuesen actos comunes. A medida que se aproximaba el 2012, el PRI ofreció el entusiasmo juvenil de Peña Nieto, quien recién había terminado su período como gobernador.
A Sepúlveda no le agradaba la idea de trabajar en México, un país peligroso para involucrarse en el ámbito público. Pero Rendón lo convenció para realizar viajes breves desde el 2008 y volando frecuentemente en su avión privado. Durante un trabajo en Tabasco, en la sofocante costa del Golfo de México, Sepúlveda hackeó a un jefe político que resultó tener conexiones con un cartel de drogas. Luego que el equipo de seguridad de Rendón tuvo conocimiento de un plan para asesinar a Sepúlveda, este pasó la noche en una camioneta blindada Suburban antes de regresar a Ciudad de México.
En la práctica, México cuenta con tres principales partidos políticos y Peña Nieto enfrentaba tanto a oponentes de derecha como de izquierda. Por la derecha, el PAN había nominado a Josefina Vázquez Mota, la primera candidata del partido a presidenta. Por la izquierda, el Partido de la Revolución Democrática (PRD), eligió a Andrés Manuel López Obrador, ex Jefe de Gobierno del Distrito Federal.
Las primeras encuestas le daban 20 puntos de ventaja a Peña Nieto, pero sus partidarios no correrían riesgos. El equipo de Sepúlveda instaló malware en enrutadores en el comando del candidato del PRD, lo que le permitió interceptor los teléfonos y computadores de cualquier persona que utilizara la red, incluyendo al candidato. Realizó acciones similares contra Vázquez Mota del PAN. Cuando los equipos de los candidatos preparaban discursos políticos, Sepúlveda tenía acceso a la información tan pronto como los dedos de quien escribía el discurso tocaban el teclado. Sepúlveda tenía conocimiento de las futuras reuniones y programas de campaña antes que los propios miembros de cada equipo.
El dinero no era problema. En una ocasión Sepúlveda gastó US$50,000 en software ruso de alta gama que rápidamente interceptaba teléfonos Apple, BlackBerry y Android. También gastó una importante suma en los mejores perfiles falsos de Twitter, perfiles que habían sido mantenidos al menos un año lo que les daba una pátina de credibilidad.
Sepúlveda administraba miles de perfiles falsos de este tipo y usaba las cuentas para hacer que la discusión girara en torno a temas como el plan de Peña Nieto para poner fin a la violencia relacionada con el tráfico de drogas, inundando las redes sociales con opiniones que usuarios reales replicarían. Para tareas menos matizadas, contaba con un ejército mayor de 30.000 cuentas automatizadas de Twitter que realizaban publicaciones para generar tendencias en la red social. Una de las tendencias en redes sociales a las que dio inicio sembró el pánico al sugerir que mientras más subía López Obrador en las encuestas, más caería el peso. Sepúlveda sabía que lo relativo a la moneda era una gran vulnerabilidad. Lo había leído en una de las notas internas del personal de campaña del propio candidato.
Sepúlveda y su equipo proveían casi cualquier cosa que las artes digitales oscuras podían ofrecer a la campaña de Peña Nieto o a importantes aliados locales. Durante la noche electoral, hizo que computadores llamaran a miles de votantes en el estratégico y competido estado de Jalisco, a las 3:00a.m., con mensajes pregrabados. Las llamadas parecían provenir de la campaña del popular candidato a gobernador de izquierda Enrique Alfaro Ramírez. Esto enfadó a los votantes —esa era la idea— y Alfaro perdió por un estrecho margen. En otra contienda por la gobernación, Sepúlveda creó cuentas falsas en Facebook de hombres homosexuales que decían apoyar a un candidato católico conservador que representaba al PAN, maniobra diseñada para alienar a sus seguidores. “Siempre sospeché que había algo raro”, señaló el candidato Gerardo Priego al enterarse de cómo el equipo de Sepúlveda manipuló las redes sociales en la campaña.
En mayo, Peña Nieto visitó la Universidad Iberoamericana de Ciudad de México y fue bombardeado con consignas y abucheado por los estudiantes. El desconcertado candidato se retiró junto a sus guardaespaldas a un edificio contiguo, y según algunas publicaciones en medios sociales se escondió en un baño. Las imágenes fueron un desastre. López Obrador repuntó.
El PRI logró recuperarse luego que uno de los asesores de López Obrador fue grabado pidiéndole a un empresario US$6 millones para financiar la campaña de su candidato, que estaba corta de fondos, lo que presuntamente habría violado las leyes mexicanas. Pese a que el hacker dice desconocer el origen de esa grabación en particular, Sepúlveda y su equipo habían interceptado las comunicaciones del asesor Luis Costa Bonino durante meses. (El 2 de febrero de 2012, Rendón le envío tres direcciones de correos electrónicos y un número de celular de Costa Bonino en un correo titulado “Trabajo”). El equipo de Sepúlveda deshabilitó el sitio web personal del asesor y dirigió a periodistas a un sitio clonado. Ahí publicaron lo que parecía ser una extensa defensa escrita por Costa Bonino, que sutilmente planteaba dudas sobre si sus raíces uruguayas violaban las restricciones de México sobre la participación de extranjeros en elecciones. Costa Bonino abandonó la campaña pocos días después. Recientemente señaló que sabía que estaba siendo espiado, solo que no sabía cómo. Son gajes del oficio en Latinoamérica: “Tener un teléfono hackeado por la oposición no es una gran novedad. De hecho, cuando hago campaña, parto del supuesto de que todo lo que hable por teléfono va a ser escuchado por los adversarios”.
La oficina de prensa de Peña Nieto declinó hacer comentarios. Un vocero del PRI dijo que el partido no tiene conocimiento alguno de que Rendón hubiese prestado servicios para la campaña de Peña Nieta o cualquier otra campaña del PRI. Rendón afirma que ha trabajado a nombre de candidatos del PRI en México durante 16 años, desde agosto de 2000 hasta la fecha.
En 2012, el presidente colombiano Juan Manuel Santos, sucesor de Uribe, inesperadamente dio inicio a las conversaciones de paz con las FARC, con la esperanza de poner fin a una guerra de 50 años. Furioso, Uribe, cuyo padre fue asesinado por guerrilleros de la FARC, formó un partido y respaldó a un candidato independiente, Óscar Iván Zuluaga, quien se oponía al diálogo.
Rendón, que trabajaba para Santos, quería que Sepúlveda fuera parte de su equipo, pero este último lo rechazó. Consideró que la disposición de Rendón para trabajar con un candidato que apoyaba un acuerdo de paz con las FARC era una traición y sospechaba que el asesor estaba dejando que el dinero fuera más fuerte que sus principios. Sepúlveda señala que la ideología era su principal motivación, luego venía el dinero, y si su fin hubiera sido enriquecerse, podría haber ganado mucho más hackeando sistemas financieros en vez de elecciones. Por primera vez, decidió oponerse a su mentor.
Sepúlveda se sumó al equipo de la oposición y le reportaba directamente al jefe de campaña de Zuluaga, Luis Alfonso Hoyos. (Zuluaga niega conocimiento alguno del hackeo; Hoyos no pudo ser contactado para dar comentarios). Sepúlveda señala que juntos elaboraron un plan para desacreditar al presidente al mostrar que las guerrillas seguían dedicadas al narcotráfico y la violencia, pese a que hablaban de un acuerdo de paz. Transcurridos algunos meses, Sepúlveda había hackeado los teléfonos y cuentas de correos electrónicos de más de 100 militantes, entre ellos el líder de las FARC Rodrigo Londoño, también conocido como Timochenko. Tras elaborar un grueso archivo sobre las FARC, que incluía evidencia sobre cómo el grupo suprimía los votos de campesinos en zonas rurales, Sepúlveda accedió a acompañar a Hoyos a los estudios de un programa de noticias de TV en Bogotá y presentar la evidencia.
Quizás no fue muy astuto trabajar de forma tan obstinada y pública en contra de un partido en el poder. Un mes después, Sepúlveda fumaba un cigarillo en la terraza de su oficina en Bogotá cuando vio acercarse una caravana de vehículos policiales. Cuarenta agentes del Cuerpo Técnico de Investigación de la Fiscalía de Colombia vestidos de negro allanaron su oficina y lo arrestaron. Sepúlveda dice que su descuido en la estación de TV fue lo que condujo a su arresto. Cree que alguien lo delató. En tribunales, usó un chaleco antibalas y estuvo rodeado de guardias. En la parte trasera del tribunal hombres sostenían fotografías de sus familiares y pasaban sus dedos sobre sus gargantas, simulando cortar sus cuellos, o ponían sus manos sobres sus bocas dando a entender que debían mantener silencio o atenerse a las consecuencias. Abandonado por sus antiguos aliados, terminó por declararse culpable de espionaje, hackeo y otros crímenes a cambio de una sentencia de 10 años.
Tres días después de llegar a la cárcel La Picota en Bogotá, visitó al dentista y fue emboscado por hombres con cuchillos y navajas, pero fue socorrido por los guardias. Una semana más tarde, los guardias lo despertaron y lo sacaron rápidamente de su celda, señalando que tenían información sobre un plan para dispararle con una pistola con silenciador mientras dormía. Luego que la Policía Nacional interceptó llamadas telefónicas que daban cuenta de un nuevo complot, fue enviado a confinamiento solitario en una cárcel de máxima seguridad ubicada en una deteriorada zona del centro de Bogotá. Duerme con una manta antibalas y un chaleco antibalas al lado de su cama, detrás de puertas a prueba de bombas. Guardias van a verlo cada hora. Como parte de su acuerdo con la fiscalía, dice que se ha convertido en testigo del gobierno y ayuda a investigadores a evaluar posibles casos contra el ex candidato Zuluaga y su estratega Hoyos. Las autoridades emitieron una orden para el arresto de Hoyos, pero según informes de la prensa colombiana él escapó a Miami.
Cuando Sepúlveda sale a reuniones con fiscales en el búnker, la sede central de la Fiscalía General de Colombia, viaja en una caravana armada que incluye seis motocicletas que atraviesan la capital a 60 millas por hora y colapsan las señalas de teléfonos celulares a medida que transitan para bloquear el rastreo de sus movimientos o la detonación de bombas a lo largo del camino.
En julio de 2015, Sepúlveda se sentó en un pequeño patio central del Búnker, se sirvió un café de un termo y sacó un paquete de cigarrillos Marlboro. Dice que desea contar su historia porque la gente desconoce el alcance del poder que ejercen los hackers en las elecciones modernas o el conocimiento especializado que se requiere para detenerlos. “Yo trabajé con presidentes, personalidades públicas con mucho poder e hice muchísimas cosas que finalmente, de absolutamente ninguna me arrepiento porque lo hice con plena convicción y bajo un objetivo claro, acabar las dictaduras y los gobiernos socialistas en Latinoamérica", señala. "Yo siempre he dicho que hay dos tipos de política, la que la gente ve y la que realmente hace que las cosas pasen, yo trabajaba en la política que no se ve”.
Sepúlveda dice que se le permite usar un computador y una conexión a internet monitoreada como parte de un acuerdo para ayudar a la Fiscalía a rastrear y alterar a carteles de drogas empelando una versión de su software Depredador de Redes Sociales. El Gobierno no confirmó ni negó que tenga acceso a un computador o el uso que le da a este. Sepúlveda dice que ha modificado el software Depredador de Redes Sociales para contratacar el tipo de sabotaje que solía ser su especialidad, entre otras cosas tapar los muros de Facebook y los feeds de Twitter de los candidatos. Utilizó su software para analizar 700.000 tweets de cuentas de partidarios de ISIS para aprender qué se necesita para ser un buen reclutador de terroristas. Sepúlveda dice que el programa ha podido identificar a reclutadores de ISIS minutos después de haber creado cuentas de Twitter y comenzar a publicar y espera poder compartir la información con Estados Unidos u otros países que luchan contra el grupo islamista. Una firma independiente evaluó muestras del código de Sepúlveda y determinó que eran auténticas y sustancialmente originales.
Las afirmaciones de Sepúlveda respecto a que operaciones de este tipo ocurren en todos los continentes son plausibles, dice David Maynor, quien dirige una compañía de servicios de control de seguridad en Atlanta, llamada Errata Security. Maynor que de vez en cuando recibe solicitudes para trabajos relacionados a campañas electorales. Le han pedido que su compañía obtenga correos electrónicos y otros documentos de los computadores de candidatos, aunque el nombre del cliente final nunca es revelado. “Esas actividades ocurren en Estados Unidos, y ocurren todo el tiempo”, indica.
En una ocasión a Maynor se le pidió robar datos a modo de realizar un control de seguridad. Pero el individuo no pudo demostrar una conexión real con la campaña cuya seguridad deseaba poner a prueba. En otra oportunidad, un posible cliente le encargó un informe detallado sobre cómo rastrear los movimientos de un candidato cambiando el iPhone de un usuario por un dispositivo clonado e interceptado. “Por razones obvias, siempre rechazamos estas solicitudes”, indica que Maynor, quien no quiso nombrar a los candidatos involucrados.
Tres semanas después del arresto de Sepúlveda, Rendón fue obligado a renunciar a la campaña de Santos en medio de acusaciones en la prensa sobre cómo había aceptado US$12 millones de narcotraficantes y se los había entregado al candidato, hecho que él niega.
Según Rendón, funcionarios colombianos lo interrogaron poco tiempo después en Miami, lugar donde reside. Rendón señala que los investigadores colombianos le preguntaron sobre Sepúlveda y les dijo que la participación de Sepúlveda se limitaba al desarrollo de sitios web.
Rendón niega haber trabajado con Sepúlveda de forma significativa. “Él dice que trabajó conmigo en 20 lugares y no, no lo hizo”, afirma Rendón. “nunca le pagué un peso”.
El año pasado, medios colombianos señalaron que según fuentes anónimas Rendón trabajaba para la campaña presidencial de Donald Trump. Rendón dice que los informes son falsos. La campaña se acercó a él, pero los rechazó porque le desagrada Trump. “Según tengo entendido, no estamos familiarizados con este individuo”, señala la vocera de Trump, Hope Hicks. “No había escuchado su nombre, y tampoco lo conocen otros altos miembros de la campaña”. Sin embargo, Rendón dice estar en conversaciones con otra de las principales campañas presidenciales de Estados Unidos - no quiso decir cuál - para comenzar a trabajar con ellos una vez que concluyan las primarias y comiencen las elecciones generales.
—Con Carlos Manuel Rodríguez y Matthew Bristow
Editor: Bryant Urstadt
Productora: Laura Ratliff
Mar 6, 2018
A Former Anonymous Hacker’s Search for Redemption
Mar 9, 2018
Bitcoin Is Ridiculous. Blockchain Is Dangerous
Feb 26, 2018
Can Green Energy Beat Lebanon’s ‘Generator Mafias?’
Mar 8, 2018
We Leaned In. Now What?
Mar 15, 2018
This Multibillion-Dollar Corporation Is Controlled by a Penniless Yoga Superstar
Mar 1, 2018
Britain’s White-Collar Cops Are Getting Too Good at Their Job
Terms of Service Trademarks Privacy Policy ©2018 Bloomberg L.P. All Rights Reserved
Careers Made in NYC Advertise Ad Choices Website Feedback Help
==//==
SOURCE / LINK: https://goias24horas.com.br/71132-caiado-diz-que-voto-impresso-can-resgatar-credibilidad-de-democracia/
Senator Caiado says printed vote can restore credibility to Brazilian Democracy
March 13, 2018
Senator Ronaldo Caiado (Brazilian Democrats Party DEM) said Tuesday that the impression of voting for voter's conference could rescue "public confidence" in the electoral process. In an audience with the Secretary of Information Technology of the Superior Electoral Court (TSE), Giuseppe Janino, Caiado highlighted the importance of giving "total transparency" in these elections. "It is the feeling of confidence of the population that is at stake," he said.
The DEM leader in the Senate said there was no doubt about the effectiveness of the voting machine, but to reject a measure that would bring more credibility would only aggravate the high rates of non-attendance that the senator says are approaching 35 percent. "We are dealing with something greater than a technical issue," emphasized Caiado.
The senator also commented on the Superior Electoral Court (TSE's) allegations that it was impracticable to implement the process, that it would require $ 2 billion in expenses. According to him, the amount is equivalent to what was spent on the renovation of the “Mané Garrincha” stadium in Brasilia for the 2014 World Cup. "The voter's assurance that the electoral process is reliable is worth much more than one reform of a stadium and the population is looking forward for it.
SEE ALSO: https://youtu.be/wOsNfSw8boo
Posted in National
Share
Tweet
==//==
SOURCE/LINK: https://www.weforum.org/agenda/2018/03/latin-america-has-the-biggest-skills-gap-in-the-world-here-s-how-to-bridge-it
Latin America has the biggest skills gap in the world. Here’s how to bridge it
• Agenda
• Initiatives
• Reports
• Events
• About
• TopLink
•
• Regional Agenda
• Education and Skills
• Latin America
Latin America has the biggest skills gap in the world. Here’s how to bridge it
Upskilling and reskilling programmes are spreading across Latin America.
Image: REUTERS/Cheryl Ravelo/Files
13 Mar 2018
1. Monica Flores President, Latin America, ManpowerGroup
2. Angel Melguizo Chief Economist, Latin American Unit, OECD Development Centre, Organisation for Economic Co-operation and Development (OECD)
Latest Articles
This is the biggest threat to Latin America’s digital transformation
Jordi Botifoll 13 Mar 2018
Meet IBM's Simon, the world's first smartphone
Rob Smith 13 Mar 2018
Tax rules are changing around the world. This is what you need to know
Simone Musa 13 Mar 2018
More on the agenda
Explore context
Education and Skills
Explore the latest strategic trends, research and analysis
This article is part of the World Economic Forum on Latin America
In these times of heated economic debate, improving skills is one of the rare consensuses worldwide. Globalization and technological progress has made productivity more dependent on a broad, complex and difficult-to-achieve set of skills.
In Latin America, the lack of an adequate pool of skilled workers is making it harder to overcome the middle-income trap. This contrasts with the experience in most European and Asian economies, which have achieved sustained increases in income per capita by improving the stock and quality of education and skills, and developing an innovation-friendly environment.
Investing in skills would also help address inequality, since large differences in productivity go hand-in-hand with large differences in wages. Without this investment, the winners – that is, the most innovative firms and their high-skilled staff – will continue to take all.
What do we know about skills in Latin America?
Over four in 10 firms in Latin America say they have difficulty finding workers with the right skills, according to ManpowerGroup surveys. Companies in Argentina are worst hit, with 59% struggling to hire staff with the right skills; in Colombia that figure is 50%, and Peru 49%. For more than a decade now – that is, during the economic boom of the 2000s, the slowdown since 2012, the recession of 2015-2016, and the present recovery – Latin America has ranked as the region with the widest skills gap in the world.
What works to fill the gap?
What should be done? Education curricula and skills-enhancing programmes should provide technical training, as well as foundational skills. These are critical throughout people’s lives, helping to switch jobs (if wanted) and adapt to changing external conditions. There should be a combination of classroom and workplace learning, of both soft and technical skills, complemented by job search services.
Re-skilling and upskilling is the new name of the game. It is the skills of today’s workforce that will drive the economy for the next two decades. For that goal, collecting information on the skills individuals possess and the skills businesses need is a must.
How should this be done? This requires the involvement of employers at all stages: collecting information for the design, implementation and evaluation of training; designing programmes; and co-funding initiatives. It must be implemented under a whole-of-government approach that involves education, employment, innovation, planning and finance ministers.
Image: ManpowerGroup, 2016/2017 Talent Shortage Survey
Good practices in Latin America
Admittedly, these recommendations are easier said than done. But, let’s not fall into the traditional Latin American fracasomania, or addiction to failure. Some training programmes for youth in Argentina (Jóvenes con Más y Mejor Trabajo), Colombia (Jóvenes en Acción) or Brazil and Peru (ProJoven) tick almost all the boxes, and their impact evaluations show good results on employability, reliability and earnings.
The involvement of the private sector is also growing. Take Mexico, where upskilling and reskilling programmes are spreading. In one initiative women in marketing, sales and customer services saw their wages multiplied by five times. In the car and machinery industries, which are traditionally affected by skills shortages, training programmes are being developed following the pioneering example of Volkswagen’s training institute. And public institutions in Mexico and Peru are taking steps towards co-ordination and a whole-of-government approach to skills strategies.
Looking forward? Better data for better action
Predictions for the labour market over the long-term are increasingly extreme: technology eating our jobs, robots replacing drivers, the threat of a world without work. As skill needs change ever faster, some statistics suggest employers do not always know which skills they require even 18 months from now, not just over the long-term.
That is why we need to invest in capacities to anticipate skill needs, detect future skills mismatches, and build the processes to ensure that this information is effectively used in decision making. Unfortunately, this field is even more complex and little studied, so there are few good practices.
For this reason, ManpowerGroup Latin America and the OECD Development Centre, with ANDI for Colombia, recently launched an online survey to get detailed information on the skills gap in Latin America.
Information is directly gathered from companies, by country, by company size, and by activity (agriculture, trade, communications and transport, construction, manufacturing, mining and extractives, and services). This point is crucial for the debate about a post-manufacturing economy that we will be holding at the World Economic Forum on Latin America in São Paulo this week.
Latin American companies are highlighting an even more acute skills gap than previously thought. Three in four companies (from a sample of more than 1,200 companies across Latin America) say they have problems filling vacancies, despite the availability of candidates. Interestingly enough, this shortage is bigger among large companies (of more than 250 employees), where it affects four in five.
The skills gap affects both manufacturing and services, which are key in the agenda of upgrading and diversifying Latin America’s economy, as shown in previous studies. Looking at the results by industry, four in five companies in mining and extractives, manufacturing, and in services, report skills gaps.
When companies talk about a skills gap, they are often referring to soft skills. Among the top seven ‘missing skills’, emotional intelligence, communication skills and critical thinking are mentioned three times more frequently than IT skills, and two times more frequently than financial knowledge. Speaking English ranks in the middle.
Skills is the new currency, let’s invest
Today’s economy requires increasingly complex skills. Formal education systems are struggling to provide timely solutions. This detachment between formal education and business skill demands is especially severe on soft skills, which are not usually included in formal education curricula.
The good news is that most governments, companies and citizens in Latin America and worldwide are increasingly aware of this priority. Skills have become the global currency of 21st Century economies to spur growth and reduce inequalities. Forget about bitcoin, let’s all invest in skills.
Share
Escrito por
Monica Flores, President, Latin America, ManpowerGroup
Angel Melguizo, Chief Economist, Latin American Unit, OECD Development Centre, Organisation for Economic Co-operation and Development (OECD)
The views expressed in this article are those of the author alone and not the World Economic Forum.
Subscribe for updates
A weekly update of what’s on the Global Agenda
Featured: Education and Skills View all
Latin America has the biggest skills gap in the world. Here’s how to bridge it
Monica Flores and Angel Melguizo 13 Mar 2018
These are the top universities by subject in Latin America
Rob Smith 12 Mar 2018
5 things parents can do to help develop STEM skills
Kym Simoncini · The Conversation 12 Mar 2018
Lego is making plant-based plastic pieces
Brian Spaen · Green Matters 06 Mar 2018
If you want your child to get a good job, let them play more
Jenny Anderson · Quartz 05 Mar 2018
The best time of day to learn a new language is just before you go to bed
Burr Settles and Masato Hagiwara · Quartz 28 Feb 2018
Being a great boss comes down to knowing when to use two distinct skills
Robin Camarote · Business Insider 27 Feb 2018
Subscribe for updates
A weekly update of what’s on the Global Agenda
Follow Us
About
Our Mission
Leadership and Governance
Center for the Fourth Industrial Revolution
Our Members and Partners
The Fourth Industrial Revolution
Communities
History
Klaus Schwab
Our Impact
Pictures
Media
A Global Platform for Geostrategic Collaboration
Mapping Global Transformations
Contact Us
Careers
Open Forum
Code of Conduct
World Economic Forum LLC
Privacy and Terms of Use
日本事務所
Sustainability
Media
News
Accreditation
Subscribe to our news
Members & Partners
Member login to TopLink
Strategic Partners' area
Partner Institutes' area
Global sites
Center for the Fourth Industrial Revolution
Open Forum
Global Shapers
Schwab Foundation for Social Entrepreneurship
EN ES FR 中文 日本語
© 2018 World Economic Forum
Privacy Policy & Terms of Service
==//==
SOURCE/LINK: https://www.researchgate.net/publication/323470546_The_Return_of_Software_Vulnerabilities_in_the_Brazilian_Voting_Machine
(In)security of e-voting in Brazil
Diego F. Aranha, UNICAMP
dfaranha@ic.unicamp.br
@dfaranha
http://www.ic.unicamp.br/~dfaranha
Veja tudo>
18 Referências
Faça o download do texto completo PDF
O Retorno de Vulnerabilidades de Software na Urna Eletrônica Brasileira
Pré-impressão (PDF disponível) · Março de 2018 com 17.623 Leituras
DOI: 10.13140 / RG.2.2.16240.97287
•
• Diego F. Aranha
• 12.56
• Universidade de Campinas
• Pedro Yóssis Silva Barbosa
• Universidade Federal de Campina Grande (UFCG)
• Thiago Nunes Coelho Cardoso
• Universidade Federal de Minas Gerais
• Paulo Matias
◦ 8.4
◦ Universidade Federal de São Carlos
Abstrato
Este artigo apresenta uma análise de segurança detalhada e atualizada do software de votação utilizado nas eleições brasileiras. Baseia-se nos resultados obtidos pelos autores em um recente desafio de hacking organizado pelo Tribunal Superior Eleitoral (SEC), a autoridade eleitoral nacional. Durante o evento, várias vulnerabilidades graves foram detectadas no software de votação, que quando combinado comprometeu as principais propriedades de segurança do equipamento, a saber, segredo da cédula e integridade do software. O armazenamento inseguro de chaves criptográficas, codificadas diretamente no código-fonte e compartilhado entre todas as máquinas, permitiu a inspeção completa de conteúdo dos cartões de memória de instalação do software, após o que foram detectadas duas bibliotecas compartilhadas que faltam assinaturas de autenticação. O código de injeção nessas bibliotecas abriu a possibilidade de executar código arbitrário no equipamento, violando a integridade do software em execução. Nosso progresso é descrito cronologicamente, para ilustrar dificuldades e limitações na metodologia de teste escolhida pela autoridade eleitoral e para informar como as equipes que participam de desafios futuros podem otimizar seu desempenho. Rastreamos o histórico das vulnerabilidades para uma análise de segurança anterior, fornecendo algumas perspectivas sobre como o sistema evoluiu nos últimos 5 anos. Tanto quanto sabemos, este foi o compromisso mais profundo de um sistema oficial de votação em larga escala já realizado em condições tão severas.
Descubra a pesquisa mundial
• 14+ milhões de membros
• 100 milhões de publicações
• 700k + projetos de pesquisa
Entre de graça
Arquivo (PDF)
Disponível a partir de: Diego F. Aranha, 11 de março de 2018
Faça o download do texto completo PDF
Outras fontes de texto completo
O Retorno de Vulnerabilidades de Software na Máquina de Votação Brasileira
Diego F. Aranha
Universidade de Campinas
Pedro Y'
Ossis Silva Barbosa
Universidade Federal de Campina Grande
Thiago Nunes Coelho Cardoso
Hekima
Caio L¨
o Ara'
ujo
Universidade Federal de Pernambuco
Paulo Matias
Universidade Federal de S~
ao Carlos
Abstrato
Este artigo apresenta uma segurança detalhada e atualizada
análise do software de votação utilizado na eleição brasileira.
ções. Baseia-se nos resultados obtidos pelos autores em
um recente desafio de hacking organizado pelo Superior
Tribunal eleitoral (SEC), a autoridade eleitoral nacional.
Durante o evento, várias vulnerabilidades graves foram
detectado no software de votação, que quando combinado
comprometeu as principais propriedades de segurança dos equipamentos
o segredo da cédula e a integridade do software. o
armazenamento inseguro de chaves criptográficas, di-
Diretamente no código fonte e compartilhado entre todas as máquinas, al-
Inspeção completa de conteúdo completo da instalação do software
cartões de memória, após o que faltam duas bibliotecas compartilhadas
assinaturas de autenticação foram detectadas. Código de injeção
nessas bibliotecas abriu a possibilidade de executar arbi-
código geral no equipamento, violando a integridade do
executando o software. Nosso progresso é descrito cronologicamente
portanto, para ilustrar dificuldades e limitações no teste -
metodologia escolhida pela autoridade eleitoral, e
para informar como as equipes participam de desafios futuros
podem otimizar seu desempenho. Rastreamos a história de
as vulnerabilidades a um anterior análise de segurança, pro-
fornecendo alguma perspectiva sobre como o sistema evoluiu
nos últimos 5 anos. Tanto quanto sabemos, este foi o
o compromisso mais aprofundado de uma votação oficial de grande escala -
sistema já executado sob tão severamente restrito
condições.
1. Introdução
O Brasil é uma das maiores democracias do mundo, com
um esperado 144 milhões de eleitores no próximo 2018
eleições gerais1. As eleições são realizadas a cada 2 anos
no mês de outubro, alternando entre municipalidades
1 Baseado em estatísticas de 2016 (em português): http: //www.tse.
jus.br/eleitor-e- eleicoes / estatisticas / eleicoes /
Eleicoes-anteriores / estatisticas- eleitorais-2016
eleições (membros do conselho da cidade e prefeitos), e
Eleições gerais (membros da câmara baixa, senadores,
governadores e o presidente).
Máquinas de votação eletrônicas de Recodificação Direta (DRE)
foram introduzidas pela primeira vez no país em 1996, depois do fre-
relatórios de fraude durante o transporte e tabulação de
votações em papel e eleições tornaram-se totalmente eletrônicas
ano 2000. Os registros de documentos verificados pelo eleitor foram brie fly
experimentado em 2002, mas considerado muito caro e
pesado pela autoridade eleitoral. Desde então, mul-
As contas tiple foram introduzidas no Congre Brasileiro
==//==
SOURCE/LINK: https://youtu.be/8fDfvwpDor4
Especialista revela toda podridão do voto eletrônico
See all ›
18 References
Download full-text PDF
The Return of Software Vulnerabilities in the Brazilian Voting Machine
Preprint (PDF Available) · March 2018 with 17,623 Reads
DOI: 10.13140/RG.2.2.16240.97287
•
• Diego F. Aranha
• 12.56
• University of Campinas
• Pedro Yóssis Silva Barbosa
• Universidade Federal de Campina Grande (UFCG)
• Thiago Nunes Coelho Cardoso
• Federal University of Minas Gerais
• Paulo Matias
◦ 8.4
◦ Universidade Federal de São Carlos
Abstract
This paper presents a detailed and up-to-date security analysis of the voting software used in Brazilian elections. It is based on results obtained by the authors in a recent hacking challenge organized by the Superior Electoral Court (SEC), the national electoral authority. During the event, multiple serious vulnerabilities were detected in the voting software, which when combined compromised the main security properties of the equipment , namely ballot secrecy and software integrity. The insecure storage of cryptographic keys, hard-coded directly in source code and shared among all machines, allowed full content inspection of the software installation memory cards, after which two shared libraries missing authentication signatures were detected. Injecting code in those libraries opened the possibility of executing arbitrary code in the equipment, violating the integrity of the running software. Our progress is described chronologically , to illustrate difficulties and limitations in the testing methodology chosen by the electoral authority, and to inform how teams participating in future challenges can optimize their performance. We trace the history of the vulnerabilities to a previous security analysis, providing some perspective about how the system evolved in the past 5 years. As far as we know, this was the most in-depth compromise of an official large-scale voting system ever performed under such severely restricted conditions.
Discover the world's research
• 14+ million members
• 100+ million publications
• 700k+ research projects
Join for free
File (PDF)
Available from: Diego F. Aranha, Mar 11, 2018
Download full-text PDF
Other full-text sources
The Return of Software Vulnerabilities in the Brazilian Voting Machine
Diego F. Aranha
University of Campinas
Pedro Y´
ossis Silva Barbosa
Federal University of Campina Grande
Thiago Nunes Coelho Cardoso
Hekima
Caio L¨
uders de Ara´
ujo
Federal University of Pernambuco
Paulo Matias
Federal University of S˜
ao Carlos
Abstract
This paper presents a detailed and up-to-date security
analysis of the voting software used in Brazilian elec-
tions. It is based on results obtained by the authors in
a recent hacking challenge organized by the Superior
Electoral Court (SEC), the national electoral authority.
During the event, multiple serious vulnerabilities were
detected in the voting software, which when combined
compromised the main security properties of the equip-
ment, namely ballot secrecy and software integrity. The
insecure storage of cryptographic keys, hard-coded di-
rectly in source code and shared among all machines, al-
lowed full content inspection of the software installation
memory cards, after which two shared libraries missing
authentication signatures were detected. Injecting code
in those libraries opened the possibility of executing arbi-
trary code in the equipment, violating the integrity of the
running software. Our progress is described chronolog-
ically, to illustrate difficulties and limitations in the test-
ing methodology chosen by the electoral authority, and
to inform how teams participating in future challenges
can optimize their performance. We trace the history of
the vulnerabilities to a previous security analysis, pro-
viding some perspective about how the system evolved
in the past 5 years. As far as we know, this was the
most in-depth compromise of an official large-scale vot-
ing system ever performed under such severely restricted
conditions.
1 Introduction
Brazil is one of the largest democracies in the world, with
an expected 144 million voters in the upcoming 2018
general elections1. Elections are conducted every 2 years
in the month of October, alternating between municipal
1Based on 2016 statistics (in Portuguese): http://www.tse.
jus.br/eleitor-e- eleicoes/estatisticas/eleicoes/
eleicoes-anteriores/estatisticas- eleitorais-2016
elections (members of the city council and mayors), and
general elections (members of the lower house, senators,
governors and the president).
Direct Recoding Electronic (DRE) voting machines
were first introduced in the country in 1996, after fre-
quent reports of fraud during transport and tabulation of
paper ballots, and elections became fully electronic in
the year 2000. Voter-verified paper records were briefly
experimented with in 2002, but deemed too costly and
cumbersome by the electoral authority. Since then, mul-
tiple bills were introduced in Brazilian Congress to rein-
troduce paper records, the last one demanding deploy-
ment this year, with an ongoing debate about how the
law should be interpreted and what is the mandated cov-
erage in number of polling places [15].
As a response to the frequent calls for increased trans-
parency, the Superior Electoral Court (SEC) started orga-
nizing hacking challenges in 2009, officially called Pub-
lic Security Tests of the Electronic Voting System. These
are restricted events, where pre-approved external and in-
dependent researchers can examine the security mecha-
nisms implemented within the system, find vulnerabil-
ities and provide suggestions for improvement. After
the first hacking challenges conducted in 2009 and 2012,
the event became mandatory and now happens from 6
months to one year before the elections [24].
Under a turbulent and polarized political environment,
frequently contaminated by corruption scandals, the de-
bate around the security and transparency of Brazilian
machines is growing in popularity. Access to voting
equipment by researchers is still notably restricted, with
the hacking challenges thus presenting a unique oppor-
tunity to perform independent security analysis. The
first such analysis was performed in 2012, and a full re-
port was published afterwards by Aranha et al. [2]. In
the occasion, the authors were able to mount an attack
against ballot secrecy based on insecure random number
generation, and also document many other security is-
sues with the system. As the main concerns, the authors
1
detected insecure storage and massive sharing of cryp-
tographic keys, insufficient integrity verification, and a
faulty software development process conducted under an
inadequate adversarial model.
Our contributions. We continue and update the ef-
forts regarding the analysis of Brazilian voting machine
software and its security, by presenting our findings col-
lected in the 2017 edition of the hacking challenge. In
summary, we were able to:
(i) Recover the symmetric cryptographic key protect-
ing the memory cards that install software before
the elections, allowing decryption and full inspec-
tion of their contents. Because this symmetric key
is shared among all machines, recovering it in a real
election would have nationwide impact.
(ii) Find two software libraries missing digital signa-
tures for authentication or any kind of integrity
check, allowing direct injection of arbitrary code in
their functions. Consequently, it was possible to in-
directly modify the programs linked against them,
such as the official voting application.
(iii) Exploit the code injection capabilities to break bal-
lot secrecy for selected votes, by manipulating cryp-
tographic keys generated on-the-fly; to receive com-
mands from a regular keyboard; and to manipulate
logging records generated by the voting software.
(iv) More importantly, inject code to manipulate the
strings presented by the software to the voter in real
time and advertise a hypothetical candidate or polit-
ical party.
The code injection capabilities were later extended to
manipulate the outcome of a simulated election, since all
requirements to do so were satisfied by the vulnerabilities
detected at that point. Substantial progress was made to-
ward this goal by erasing all votes in an electronic ballot,
which triggered an empty ballot consistency error in the
voting software. The attack was then adapted to manipu-
late votes stored in memory, but the event was interrupted
before we could validate a supposedly correct version of
the payload in the real hardware.
Paper outline. The remaining sections are organized
as follows. In Section 2, we describe the standard Brazil-
ian election procedure, the software ecosystem and some
of its the security mechanisms. In Section 3, we summa-
rize the history and discuss the format, limitations and
results in previous hacking challenges of the Brazilian
voting machines. Section 4 continues by reporting about
our day-to-day progress when participating in the 2017
hacking challenge. Section 5 reviews related work and
analyzes our findings in context, tracing a historical per-
spective with relation to other security analysis of the
same system. Section 6 finishes the paper.
2 Background
A surprising characteristic of Brazilian elections is that
the entire election administration is under control of a
single institution. The Superior Electoral Court (SEC)
is responsible for performing voter registration, design-
ing election procedures, recruiting election officials, or-
ganizing the logistics on election day, deciding and im-
plementing what election technology will be used, and
any other remaining operational tasks. As part of the ju-
dicial branch of government, the SEC also resolves all
legal disputes regarding elections. It is presided by a
Supreme Court judge, who accumulates a seat to report
on electoral issues involving constitutional matters.
Brazil witnessed rampant fraud on paper ballot elec-
tions during the transaction to a democracy in the 80s,
motivating the electoral authority to consider the deploy-
ment of electronic devices for collecting votes. In 1982,
the SEC started the move to digital by employing elec-
tronic transmission of election results. A few years later,
voter registration data was migrated to digital storage
and, in 1991, the first personal computers were used as
voting equipment in small referendums.
The first DRE voting machines were introduced in
1996 at small scale, in only 56 municipalities. The ma-
chines were manufactured by Unisys and equipped with
an Intel 80386 processor. In terms of software, the ma-
chines employed a DOS-compatible operating system
called VirtuOS manufactured by the Brazilian company
Microbase. Later models were subsequently introduced
almost every other year and manufacturing was trans-
ferred at some point to Procomp, the Brazilian subsidiary
of Diebold Incorporated.
The later models maintained the same initial design
and interface, but adopted more recent hardware compo-
nents and software. For example, machines from 2002 to
2006 were deployed with the Microsoft Windows Com-
pact Edition operating system and newer models exclu-
sively run the GNU/Linux operating system. The latest
model, introduced in 2015, includes a Hardware Secu-
rity Module (HSM) of sorts (called MSD – Master Secu-
rity Device) for computing critical cryptographic opera-
tions, storing cryptographic keys and verifying software
integrity during the boot process. Software-wise, initial
versions of the voting software were also produced by
Diebold-Procomp, but the SEC took ownership of the
software development process in 2006. The team re-
sponsible for software development consists in a mix of
in-house and contracted developers. In 2008, the SEC
started enrolling voters for biometric identification using
fingerprints and the effort recently reached half of the
voting population.
2
2.1 Voting equipment
The Brazilian voting machine, or “urna eletrˆ
onica” in
Portuguese, consists of a classical DRE device without
any type of voter-verified paper record. The machine is
composed of an election official terminal, used to authen-
ticate electors by their registration number or fingerprint,
and a voter terminal where votes are cast via a keyboard
reminiscent of a modern telephone. The full machine is
shown in Figure 1. Candidates and their political parties
are selected by typing the corresponding numbers in the
voter terminal. It is also possible to either cast a blank
vote, change or confirm a vote by pressing the colored
buttons (from left to right, respectively).
The two terminals are connected by a long cable, a
questionable design aspect in terms of ballot secrecy.
The cable provides access to the voter data stored by
the voter terminal. This means that the voting machine
simultaneously observes voter identification information
and the votes being cast. Besides the keyboards for in-
put, communication to and from the voting machine is
possible via memory cards and a small printer. Mem-
ory components include internal and external flash cards
responsible for storing the operating system, the compo-
nents of the voting machine software, and data related to
candidates and voters. During an election, the files stor-
ing the current state are redundantly stored in both the
internal and external memories, so they can be recovered
in case either is permanently damaged.
External flash cards are inserted in a slot in the back of
the machine. A software installation card, called an in-
stall card (or “flash de carga”), is used to transfer official
voting machine software to the internal memory before
the elections. Another flash memory card, called voting
card (or “flash de votac¸ ˜
ao”), is inserted during elections
in the same external slot for providing voter and candi-
date registration numbers. There is another slot in the
back of the machine to attach a USB stick called Memory
of Results (or MR – “Mem´
oria de Resultados”). The MR
stores election results and other data that is made pub-
licly available later. These external interfaces are pro-
tected by tamper-evident seals signed by electoral judges
in a public ceremony.
2.2 Official voting procedures
Elections using the Brazilian voting machine follow pro-
cedures typical of DRE-based elections and a very sim-
ilar workflow. The preparation steps performed before
elections can be found below:
(i) Development of software components: contrary to
other countries, election software is continuously
maintained and updated by the SEC. Inspectors
from political parties and other institutions can ex-
amine the source code under a Non-Disclose Agree-
ment (NDA) in the SEC headquarters for a few
months before the elections and provide suggestions
for improvement.
(ii) Distribution of software components: a specific ver-
sion of the software is frozen and compiled in a
public ceremony, to be later transmitted electroni-
cally to the local branches of the SEC a few days
before the election. Hence each new election runs
on a more recent version of the codebase. Upon re-
ceipt of the official voting machine software, staff
in the local branches generate the install cards us-
ing Desktop computers. These memory cards are
then transported across the states to multiple places
where voting machines are stored in-between elec-
tions. Each card installs up to 50 voting machines.
(iii) Installation of voting machine software through in-
stall cards: voting software is installed in the ma-
chines through the flash memory cards using a soft-
ware module called SCUE2. The machine boots
from the install card and the system self-checks the
integrity of its own files before they are copied to the
internal memory. Afterwards, the machine can then
be initialized from internal memory, and a hardware
test is performed on first boot.
(iv) Distribution of the voting machines: uniquely iden-
tified voting machines are assigned to the corre-
sponding polling places. Each assignment is dig-
itally signed using a pairing-based Boneh-Boyen
short signature scheme [7], instantiated with a
160-bit Barreto-Naehrig curve [5], and the result-
ing signature is used as witness, called correspon-
dence code (or “resumo da correspondˆ
encia”). A
database containing the assignments is published af-
terwards.
In the election day, a uniform procedure is executed
across all polling stations, simplified below for clarity:
1. Voting machine prints the zero tape (or “zer´
esima”)
between 7AM and 8AM. This is an official public
document supposedly attesting that no votes were
computed for any candidates before the start of the
elections.
2. The election official opens the voting session at
8AM by typing a command in the election official
terminal.
3. The voters provide identification information and
are authorized to cast votes in the machines.
2From the Portuguese “Sistema de Carga da Urna Eletrˆ
onica”, or
Voting Machine Installation Software.
3
Figure 1: The two terminals of the Brazilian DRE voting machine. In the left, the election official terminal has a
fingerprint recognition device visible in the top; while the voter terminal is on the right. The cable connecting the two
allows software executed in the election official terminal to authenticate voter data (registration number or fingerprint)
stored in the voter terminal.
4. The election official closes the voting session at
5PM, local time, if no additional voters remain in
the queue.
5. The voting machine prints the poll tape (or “Bo-
letim de Urna”), containing per-machine totals for
each candidate. Copies of this physical document
are signed by election officials, distributed among
inspectors from the political parties and should be
fixed on an accessible location in the polling place.
6. The voting machine records electronic versions of
the authenticated public products of the election.
They consist of a digital version of the poll tape
containing the partial results; a chronological record
of events registered by the machine (LOG); and the
Digital Record of the Vote (DRV), an electronic
shuffled list of the actual votes. These files are dig-
itally signed and stored in the MR.
7. The election official violates the seal and retrieves
the MR containing the public products.
8. The election official boots a networked Desktop
computer in the polling place using JE Connect, a
dedicated LiveUSB containing a GNU/Linux distri-
bution. This system establishes a secure connec-
tion with the election authority infrastructure using
a Virtual Private Network (VPN).
9. The election official attaches the MR to this com-
puter and transmits the public products of the elec-
tion to the centralized tabulation system.
10. The central tabulator combines all the partial results
and the official result of the election is declared.
The whole process of transmission and tabulation usu-
ally takes a few hours. After three days, digital ver-
sions of the poll tapes received by the tabulation system
are made available in the SEC website for independent
checking, and other election products can be obtained by
the political parties through a formal process. Malicious
manipulation of the tabulation phase can only be detected
by manual comparison of printed and digital versions of
the poll tapes.
2.3 The software ecosystem
The whole software codebase has a complexity in the or-
der of tens of millions of lines of code, including all of
its components. The version made available in the latest
hacking challenge was tagged with the string The Hour
of the Star” (or “A Hora da Estrela”) in homage to a
novel authored by Brazilian writer Clarice Lispector.
The voting machine software source code alone has
more than ten million lines [8] and is organized as a cus-
tomized GNU/Linux distribution (UENUX) for the In-
tel 32-bit architecture. Besides the typical userland li-
braries, it includes the official voting application (VOTA
– “Votac¸ ˜
ao Oficial”), the voting machine software in-
stallation system (SCUE – “Sistema de Carga da Urna
Eletrˆ
onica”), a forensic tool to recover damaged data
(RED – “Recuperador de Dados”), a system for man-
ually typing partial results in case a voting machine mal-
functions (SA – “Sistema de Apurac¸ ˜
ao”), and an appli-
cation manager (GAP – “Gerenciador de Aplicativos”).
Low-level software includes a customized bootloader
4
(based on Syslinux3), kernel and drivers. The bootloader
boots from a nonstandard offset and the BIOS is modi-
fied to take this into account. Among the customizations
in the GNU/Linux kernel there is the inclusion of device
drivers and modification of some standard security mech-
anisms. The codebase is currently shifting from the 2.6
to the 3.18 branch of the kernel.
Encryption. There are several security mechanisms
implemented in the voting machine software, where the
main security goal is to enforce integrity checking and
authentication of the hardware and software. This is at-
tempted by combining multiple layers of encryption, to
prevent inspection and extraction of sensitive informa-
tion by outsiders, and several authentication primitives.
As examples of low-level mechanisms, the bootloader
contains an AES-256 encryption key to decrypt the ker-
nel image in the ECB mode of operation during initial-
ization of the system. The kernel has keys embedded
to encrypt/decrypt individual files in a MINIX file sys-
tem under the AES-XTS mode; and to implement an
encrypted repository of cryptographic keys in AES-256,
CBC mode. The latter set of keys, here called authenti-
cation keys include private keys to digitally sign the pub-
lic products of an election, public keys and certificates
for signature verification, and secret keys to authenticate
poll tapes using SipHash [4]. Figure 2 presents how the
encryption layers are organized, with modules in the top
containing the keys to decrypt modules immediately be-
low.
Bootloader
Kernel
file system authentication
keys
Figure 2: Chained layers of encryption in the install card.
Arrows denote possession of encryption keys to decrypt
the next layer.
Authentication. In terms of authentication, the BIOS,
bootloader and kernel images are digitally signed using
ECDSA, instantiated with the NIST P-521 curve. Figure
3 presents the voting machine chain of trust. The chain
starts with the MSD, and each component authenticates
the next in sequence until userland applications are suc-
cessfully loaded and executed.
Kernel modules, executable binaries and shared li-
braries are digitally signed with RSA-4096 and the sig-
3Syslinux bootloader: http://www.syslinux.org
MSD
BIOS
Bootloader
Kernel
initje scue other executables
detached signatures (.vst)
Figure 3: Voting machine chain of trust, starting with the
MSD. Arrows denote signature verification. Detached
signatures for installation files are verified by the SCUE
module.
natures appended to the corresponding files. The public
key for verification is embedded in the kernel and used
by the loader to prevent tampering with these files. All
files in the install and voting cards, and the public files
resulting at the end of an election are digitally signed,
with signatures computed by the MSD. These detached
signatures are stored in VST files, this time using an El-
gamal signature scheme instantiated with the NIST P-
256 elliptic curve. This module was designed and im-
plemented by technicians from the cryptography sec-
tor (CEPESC – “Centro de Pesquisa e Desenvolvimento
para a Seguranc¸a das Comunicac¸ ˜
oes”) of the Brazilian
Intelligence Agency (ABIN – “Agˆ
encia Brasileira de In-
teligˆ
encia”). The poll tapes have QR codes encoding
partial results in a machine-readable format, to facilitate
automated comparisons with published results [3], and
these are digitally signed using Ed25519 [6].
Random numbers. Many of the deployed crypto-
graphic algorithms for encryption and authentication re-
quire random numbers, and there are multiple algorithms
across the codebase. The Elgamal signatures computed
by the MSD rely on the xorshift family [21] of pseudo-
random number generators (PRNG). The mechanism
for shuffling votes inside the DRV file is implemented
through a combination of two other generators: reading
directly from /dev/urandom or from a customized user-
land PRNG based on a 32-bit variant of the 64-bit version
of an obscure algorithm called Sapparot-2 [20].
Additional software components are InfoArquivos
and RecArquivos, parts of the system for transmission
of results and tabulation; and GEDAI (or “Gerenci-
ador de Dados, Aplicativos e Interface com a Urna
Eletrˆ
onica”), a software subsystem to manage and gener-
ate install/voting cards and empty MR sticks in the Win-
dows platform. It is worthy noting that the machines run-
ning GEDAI execute an operating-system-level suite of
security software in an attempt to prevent tampering dur-
5
ing the generation of install cards. This suite is called
SIS (or “Subsistema de Instalac¸ ˜
ao e Seguranc¸a”) and is
provided by the Brazilian company Modulo Security.
3 The hacking challenges
The Public Security Tests of the Brazilian voting system,
or TPS – “Testes P´
ublicos de Seguranc¸a” in Portuguese,
allow independent experts to evaluate the security mech-
anisms implemented in the voting system. Experts at-
tempt to violate the classical security goals of any vot-
ing system, namely ballot secrecy and integrity, and are
asked to later suggest proper improvements to restore the
security of the affected mechanisms. The format and
scope of the event evolved with time, and the challenges
recently became mandatory as an official event in the
election calendar.
3.1 History
In the first edition of the TPS, organized in 2009, re-
searchers did not have access to the source code of the
voting machine software and the chosen model was a
competition with money prizes. As a result, the winning
strategy by Sergio Freitas da Silva was a black-box at-
tack against ballot secrecy using a radio receiver to cap-
ture keyboard emanations [11]. Afterwards, the electoral
authority reportedly shielded the keyboard as mitigation.
In 2012, independent experts had the first opportunity
to examine voting machine software source code with-
out NDA restrictions. The format of the challenge was
slightly tweaked and monetary awards were discontin-
ued. The reduced limitations were enough to bring out
the first vulnerability reports concerning the software. In
particular, the winning attack strategy was an accurate
in-order recovery of the votes cast, successfully mounted
in a realistically-sized simulated election. The attack
was based only on public data published in the DRV
file and superficial knowledge about how the votes were
stored in a hash table. The main attack vector was a
vulnerability in the vote shuffling code involving a call
to srand(time(0)) with a subsequent printing of the
timestamp in the zero tape. With knowledge of the times-
tamp and the order of voters in the voting queue, it would
be possible to break ballot secrecy for an entire polling
station. Alternately, by obtaining the time an important
vote was cast (by a judge or some other authority), it
would be possible to discover the position of the voter
in the queue using the LOG file and break ballot secrecy
for the selected voter. Other detected design flaws in-
clude massive sharing of cryptographic keys, insecure
storage of secret key material and inadequate choice of
algorithms. Aranha et al. [2] provide a detailed first-hand
account of the event, vulnerabilities and aftermath.
The challenges resumed only in 2016, when the NDA
introduced in that edition ended up alienating a large por-
tion of the local technical community. This edition saw
the first successful attack against the integrity of results,
presented again by Sergio Silva [13]. He demonstrated
how checksums implemented in the poll tapes did not
provide authentication, allowing anyone with knowledge
of the underlying algorithm to compute correct check-
sums for fake results. The manipulated results could then
be transmitted to the central tabulator using a subsys-
tem used to transmit results whenever the voting machine
malfunctions.
After substantial pressure from the technical commu-
nity, the NDA was considerably relaxed in the subse-
quent year, to allow participants to publicly discuss their
findings after coordinated disclosure of any vulnerabili-
ties detected during the event. The scope was also ex-
tended to include software components from the tabula-
tion system, the MSD firmware and the GEDAI system
for generating install cards. Although it has been pro-
gressively deployed in the past ten years, the fingerprint
identification system is still considered out of scope.
3.2 The 2017 edition
This work reports our findings collected during last
year’s edition of the TPS. It was comprised of five main
phases: registration and pre-approval, code inspection,
submission of testing plans, the actual trials, and the re-
porting of results. Rules were described in an official
call for participation published in the SEC website [14].
Multiple committees were involved in the organization,
the main ones were the organizing committee composed
of SEC staff, and an independent overseeing committee
who monitored progress of the participants.
During the registration phase, between August 10 and
September 10, individual researchers and teams up to
five members submitted their identification information
and institutions they officially represented. Although the
SEC states that any Brazilian citizen over 18 years is eli-
gible, there is a screening process in place: only after the
SEC verifies the documents and pre-approves the appli-
cants, they become able to inspect source code.
The code inspection phase started with an opening talk
by the SEC staff describing the rules of the challenge
and an overview of the system and its implemented secu-
rity mechanisms. Teams with pre-approved registration
whose members signed the NDA were allowed to spend
four days at the SEC headquarters in Bras´
ılia, between
October 3 and 6, inspecting the source code. Participants
were allowed to use only computers and tools provided
by SEC and take notes on paper. A metal detector pre-
vented entrance of memory devices for copying the code-
base, but there was no rigorous control about what pieces
6
of paper entered or left the inspection environment. The
inspection computers were offline, but connected com-
puters were available in a different section of the room
for Internet access. Figure 4 presents a layout of the
room and its main sections. The rules explicitly stated
that researchers would not have access to cryptographic
keys [14].
In the next phase, each individual or team had to sub-
mit at least one testing plan to be formally approved as
a participant. A testing plan must explain the intended
attack in some detail, what portion of the attack surface
of the system was targeted, the possible outcome in case
of success, and the potential impact in the electoral pro-
cess. All attacks described in a testing plan must be
within the scope defined by the organization. The SEC
then decided what testing plans were compatible with the
rules, selecting which teams were allowed to take part
in the event, with a maximum of 25 participants. There
were tie-breaking criteria for when the capacity would be
reached, such as prioritizing teams who did not ask for
travel expenses to be covered. The authors did not ask
for a stipend to maintain financial independence and in-
crease likelihood of selection. At the end, after merging
participants from different groups, a total of 16 partic-
ipants were finally approved, consisting of 4 individual
researchers and 3 teams (labeled Group 1 – the authors,
3 and 4).
Group 1
Group 4
Internet-connected computers
code inspection
computers
Metal detector
Group 3
SEC staff
Figure 4: Layout for the room where the TPS was con-
ducted, highlighting the areas for Internet access, code
review and the stands where groups worked in the trials.
Group 4 was formed by merging Group 2 with individual
participants from the Brazilian Federal Police.
During the trials, teams had five days to execute the
previously submitted plans, between November 27 and
December 1, from 9AM to 6PM. The first day was re-
served for preparing the environment and tools. The
other four remaining days were used for executing the
testing plans against the system, again using SEC com-
puters. The execution of each step of the plans was
closely followed by SEC personnel, and every action
and result were recorded in a log. If a team decided
that some aspect of a testing plan had to be changed,
a modification had to be submitted and approval ob-
tained by the overseeing committee. In the beginning
of this stage, access to paper became tightly controlled
and numbered sheets were distributed to all participants.
All pages were checked at the end of each day to prevent
code portions from being exfiltrated through paper. Ad-
ditionally, leaving the code inspection area to the stands
or Internet-connected computers with notes containing
pieces of source code was not allowed.
The whole process was painfully bureaucratic and
many forms had to be filled and signed by the team leader
along the way: submission of modifications or entirely
new testing plans for approval; software requisition, to
ask software to be installed in the testing machines; au-
thorization for external materials to enter the testing envi-
ronment; authorization for installing software brought by
the participants; official inquiry to the organization com-
mittees, to ask technical questions and clarify operational
issues; notification of vulnerabilities and mitigation; and
experimental conclusions in the last day. For each new
request, a sequential number had to be obtained and re-
served in a centralized control sheet before submission.
After the public security tests were finished, two re-
ports were published. The first one, written by the over-
seeing committee, contains the results obtained by indi-
vidual teams and suggestions for improving the public
test as a whole [10]. The second report was written by
SEC staff and discusses the vulnerabilities found by re-
searchers and the measures taken by the SEC for mitiga-
tion [16].
4 Chronology
This section presents our day-to-day progress when par-
ticipating in the TPS, from before the event (code inspec-
tion and preparation of the testing plans) to the actual
trials (the five days of testing).
4.1 Code Inspection
In accordance with the event schedule, we were able
to inspect the source code of the voting system. In-
spection was performed in the computers provided by
the SEC, with Ubuntu 14.04 and some software already
7
pre-installed, such as the Eclipse development environ-
ment, a Python interpreter and the standard command
line tools. We were not able to enter or leave the code in-
spection area with any electronic material nor any digital
storage media (not even read-only media). For example,
we could not bring the source code of a vanilla Linux
kernel to check for differences with the SEC custom ker-
nel. We were not able to install other software in these
machines, like more powerful text editors such as vim4,
a C compiler, neither any of our preferred tools.
The main tools we used for searching vulnerabilities
were the grep5command and the nano6text editor. We
quickly realized that some symbols and files were miss-
ing, such as the bootloader source code. We were sur-
prised to find out that the SEC staff restricted access
to cryptographic keys by attempting to remove all key
material from the source code, thus presenting a modi-
fied and incomplete codebase to the participants.
Using grep, we found many potential vulnerabilities.
An important one was related to the file system encryp-
tion scheme used for the install cards. It employed an
encryption scheme based on 256-bit AES-XTS, but the
keys were hard-coded into the kernel. To encrypt, AES-
XTS uses two keys, as presented in Figure 5. Below
we describe each of the variables observed during the
inspection of the encryption scheme:
•key1: First part of the AES-XTS key. It is 256 bits
long and its value was hard-coded into the kernel.
•key2: Second part of the AES-XTS key. It is also
256 bits long and was computed in accordance to
Listing 1, where the get byte(n)function returns the
n-th byte from the first partition of the install card.
•i: The initialization vector. During the code inspec-
tion, we noticed that iwas chosen as the inode num-
ber of the file being encrypted in the file system.
•αis the primitive element of GF(2128 ), where GF
denotes Galois Field.
•Pj: The j-th block of plaintext. All blocks except
possibly the last one have a length of 128 bits.
•Cj: The j-th 128-bit block of ciphertext.
The SEC implementation of AES-XTS deviates from
the standard one in that it computes αjmod256 instead
of αj. This actually weakens the algorithm, since in-
ternal state is now restarted at every 4096-byte block.
As we were unable to find any technical justification for
this change, we suspect it was an attempt at obfuscation.
4Vim – the ubiquitous text editor: http://www.vim.org
5GNU Grep: https://www.gnu.org/software/grep
6GNU Nano text editor: https://www.nano-editor.org
AES
Encrypt
AES
Encrypt
Figure 5: Install card file system encryption scheme
based on AES-XTS (adapted from [22]).
Listing 1 Obtaining key2used to encrypt/decrypt the in-
stall cards using AES-XTS.
function GE T KE Y2
key2← {}
o f f set1←512 +7
o f f set2←512 +128
b←get byte(o f f set1)
for n←0to 32 do
key2[n]←get byte(o f f set2+n)⊕b
return key2
The decryption uses the same block scheme presented in
Figure 5. The only difference is that the ciphertext now
serves as input (in place of Pj), and the plaintext is ob-
tained as output (in place of Cj).
Despite cryptographic keys being removed by the SEC
staff, the file system encryption key key1was still visible
in the 3.18 branch of the kernel due to an operational flaw
during the sanitization of the codebase. At this point,
we also knew it was possible to extract key1by reverse
engineering the kernel (after it is decrypted by the boot-
loader).
4.2 Submitted testing plans
We submitted and had approved four test plans ranging
from retrieving cryptographic keys to using extraneous
USB devices for manipulating the voting system. Each
one is described in detail in the next subsections, and they
illustrate how large is the attack surface of the system.
Extraction of cryptographic keys. During the code
inspection phase, multiple references to cryptographic
keys were found in the source code, although most of the
particular files containing the definitions were removed
8
from the available source. Because cryptographic keys
are shared among all DRE machines, obtaining the key
from a single card means that all DREs could be com-
promised.
This test plan consisted of, through reverse engineer-
ing, trying to extract the cryptographic keys using only
the install card used for distributing and installing the
voting software. The keys could later be used to decrypt
sensitive files or authenticate files containing fake results.
Breach of ballot secrecy. In a previous challenge,
Aranha et al. found a vulnerability that allowed to vi-
olate ballot secrecy for entire polling places or selected
voters [2]. This was possible because the pseudo-random
number generator used for shuffling votes in the DRV
was seeded with a timestamp, a predictable value. This
value, easily obtained from the zero tapes, allowed the
reversal of the shuffling algorithm and the obtaining of
the votes in the same order that they were cast. After the
2012 edition of the hacking challenges, the SEC report-
edly replaced the shuffling mechanism with a new one.
This testing plan consisted of checking if this vulnera-
bility was indeed fixed and that the DRV pseudo-random
number generator was improved to protect ballot secrecy.
Insertion of malicious USB devices. The DRE has
two USB ports in the main voter terminal and another
one in the election official terminal. All of those are con-
nected to the same bus shared by internal USB devices,
including the MSD. The MSD is actually an ARM7 mi-
crocontroller exposed to the system as an USB Human
Interface Device (HID). Both the firmware and the de-
vice drivers for the MSD are custom-made for the DRE.
Although the device drivers implement a challenge-
response protocol aiming to authenticate the presence of
the HSM, we found during code inspection that the pars-
ing code in the driver apparently lacked bounds check-
ing and did not appear to be carefully designed to avoid
buffer overflows.
This testing plan consisted of using programmable
USB devices, like Raspberry Pi Zero and FaceDancer,
to impersonate the MSD. By fuzzing its communication
protocol, potential code execution vulnerabilities [23]
could be found.
Remote code execution on the web platform. The
web platform of the tabulation system was part of the
scope of the tests for the first time. The platform is com-
prised of two main components: RecArquivos, the appli-
cation which receives and processes the digital version
of the poll tapes produced by the voting machines, and
InfoArquivos, the application which monitors the tab-
ulation status. Access to the web platform is allowed
only through a VPN, however the VPN credentials could
probably be extracted from the JE Connect LiveUSB de-
signed by the SEC to set up the VPN connection from
inside insecure networks.
Both web applications are hosted in JBoss 6, an ap-
plication server for which multiple vulnerabilities have
been disclosed [17]. The SEC did not reveal which re-
lease of JBoss 6 was running on their servers, so we
planned to scan for these vulnerabilities in order to check
whether the servers had the latest patches applied. We
also intended to check the web applications source code
for other potential Remote Code Execution vulnerabili-
ties. Compromising those servers could allow for tam-
pering with tabulation results. Although results could
probably be corrected afterwards by checking the paper
version of poll tapes, the attack would potentially slow
down and undermine trust in the electoral process.
4.3 Day 1: Assembling the work environ-
ment
In the beginning of the first day, November 28, we spent
a few hours filling paperwork and some time recogniz-
ing the testing environment and the equipment available.
The routine of filling forms, realizing that we missed
some important package or dependency, and asking for
authorization of new incoming software would repeat in
the following days. We quickly realized that the single
computer provided by the SEC would not be sufficient
for the whole team to work and asked for more com-
puters running Ubuntu. This was another opportunity to
review the source code, since it had been a few weeks
since the end of the code inspection phase. We decided
to switch all machines to Kali Linux7and took notes on
what to bring on the next day in terms of software and
equipment.
We also made progress decrypting the install cards.
Because we were not absolutely certain that the value
of key1found in the source code was correct, we quickly
wrote a small Python decryption script in the code in-
spection computers invoking command-line OpenSSL8
to decrypt each individual block. Due to the unavailabil-
ity of real install cards at that point and a C compiler in
the code inspection computers, we tested the program on
an encrypted stub file we found in the codebase. The
program was painfully slow due to the constant spawn
of child processes, but sufficient to validate our hypoth-
esis. Handling padding was a nuisance, because addi-
tional bytes were added to fill the last block and written
to the file system, but the reported file sizes did not take
those into account.
7Kali Linux – Penetration Testing and Ethical Hacking Linux Dis-
tribution: https://www.kali.org
8OpenSSL Cryptography and SSL/TLS Toolkit: https://www.
openssl.org
9
4.4 Day 2: Decrypting install cards
With new computers, we started the day by installing
Kali Linux in all machines, a very time-consuming pro-
cess which took the whole day. In parallel, we continued
to explore the testing environment. We also received a
somewhat distracting visit of international observers in-
vited by the SEC to follow the challenge.
Our first attempt was to plug a regular keyboard from
the regular computers in one of the USB ports of the
voting machine. With this, we could observe that the
keys pressed were echoed in the screen during the boot
process, and therefore, we concluded that the machine
had hardware and driver components that enabled the
usage of regular USB keyboards. However, using se-
quence keys like <Ctrl> + <Alt> + <F1> and others,
we were not able to drop in a terminal. We then started
following our testing plans.
For the first one, named “Extraction of cryptographic
keys”, the idea was to try to decrypt the real install cards
with the key1value found during the code inspection
stage. If that went wrong, we would try to get the cor-
rect key1value through reverse engineering of the boot-
loader and kernel image. We generated an install card
using the provided GEDAI machine and reimplemented
the AES-XTS decryption program, memorizing and typ-
ing down the decryption key a few bytes at a time. We
ended up rewriting the whole program by adapting code
from another AES-XTS implementation [25] to increase
performance.
In our first decryption attempt, we chose to decrypt
an Extensible Linking Format (ELF) file called initje,
a modified version of the Unix init daemon, because
we knew how the header format (also known as magic
number) looked like. In this first attempt, the decryp-
tion was successful, i.e., we obtained a file with \x7fELF
as the initial bytes. After that, we wrote a script to de-
crypt/encrypt files in the install card, and proceeded to
inspect them looking for additional vulnerabilities to es-
calate access.
4.5 Day 3: Executing our code
During the third day, we better analyzed the chain of trust
established by the DRE voting machine. Basically, sub-
systems verify signatures of subsystems running next, as
shown in Figure 3. The process starts with the verifica-
tion of the BIOS signature by the MSD and ends with
the validation of single files using a detached signature
file with extension VST.
VST files contain file paths along with their signatures
in a custom binary format, described in ASN.1 syntax.
During the installation and initialization of the voting
machine, the files with entries in the VST are checked
and the signatures validated. We observed that extrane-
ous files could be added to the install card without trig-
gering any security alert.
By inspecting the VST files we noticed that two
shared libraries used by the voting system did not
have corresponding detached signatures. These were
used for logging (libapilog.so) and HMAC-based
Extract-and-Expand Key Derivation Functions (HKDF)
(libhkdf.so). In order to check if this was indeed
an attack vector, we replaced the opcodes of the func-
tions in the mentioned libraries by the opcodes of an
exit system call. The installation process worked as
expected, storing the two compromised files in the vot-
ing machine. During the boot, the system successfully
called the syscall, halting the process. This possibility of
arbitrary code execution was the main attack vector used
throughout the rest of the challenge.
During the rest of the day, other tests were made so
the SEC staff could validate and register our findings.
We observed which infected function was the first one
to be called, and in one of the attacks, a custom text was
printed in the terminal presented during the kernel initial-
ization. Using the write syscall outputting to stdout,
we printed the text “FRAUD!” in the terminal. Extending
the attack, a simple read-echo loop was created in order
to show the possibility of using a regular USB keyboard,
writing into the stdout messages read from stdin.
At the end of the second day, our team decided to
abandon the other testing plans to focus on the recently
acquired capabilities obtained after the decryption of in-
stall cards. Because the first testing plan was already
considered successful, we submitted two more, called Vi-
olation of ballot secrecy for selected votes and Arbitrary
code execution in the DRE voting machine, which were
an escalation from the success in the first one.
4.6 Day 4: Manipulating logging, violating
ballot secrecy for selected voters
After exploring the possibility of running arbitrary code
and using a regular USB keyboard in the DRE voting
machine, the next attack was to include a full-featured
shell like BusyBox9in order to make it easier to de-
bug the running system and prototype new attacks. The
first attempt was adding the binary into the install card,
which allowed storing non-signed files, and executing it
through the execve syscall. This attack was unsuccess-
ful because, before executing a binary, the kernel checks
for a signature appended in the end of the file. Since the
BusyBox binary was not signed, the kernel disallowed
the execution. The second attempt was to embed the shell
inside one of the non-signed shared libraries. This was a
9BusyBox: https://busybox.net
10
promising idea, but since our attack vector was already
relocated in memory, we needed to either implement an
ELF loader or modify the whole binary to be position-
independent code. Because of the time constraints and
limited tooling, we did not pursue this idea further.
To illustrate other possibilities of exploiting our code
injection, we performed more attacks to the DRE ma-
chine. In the first one, the constant string INFO of the
logging library was replaced by the XXXX string, show-
ing the possibility of modifying events in the LOG. We
verified the success of the attack by simulating an en-
tire election and observing the modifications in the cor-
responding file stored in the MR.
In another attack, we infected the HKDF library to
force the derived cryptographic keys to be known values.
The HKDF algorithm was used as the key derivation al-
gorithm for encrypting the DRV. This file contains every
vote cast in the voting machine and is randomly shuffled
in order to avoid the identification of votes based on se-
quential observations. We replaced the opcodes of the
key generation function with the opcodes of the follow-
ing instructions: xor eax, eax; ret. This code just
returns the function without any errors. Since the func-
tion was supposed to store the generated key in a C++
vector passed as argument, this code is equivalent to just
returning a zeroed key, since the std::vector construc-
tor initializes the content with zeros when only the count
argument is supplied.
With the library always producing a zeroed key, the
DRV file could be trivially decrypted. During the elec-
tion, a temporary version of this file is stored both in in-
ternal memory and the voting card. Since the voting card
can be manually removed from the voting machine with-
out serious consequences, this file could be copied and
decrypted, with differences computed at every vote, thus
allowing for the violation of ballot secrecy. We demon-
strated this attack to the SEC staff in the context of at-
tacking selected votes (by judges, politicians or other fig-
ures of authority), since extracting cards during the elec-
tion might raise suspicion. The attack against ballot se-
crecy could have been further improved by injecting code
which automates the manual activities and stores the dif-
ferences in chronological order inside the voting card.
With the intent of compromising the memory space of
the voting application itself (VOTA), we tried to stati-
cally analyze its binary using a disassembler, in order to
look for addresses of interesting code excerpts or global
variables in the compiled application. However, the bi-
nary was packed with UPX10 and could not be unpacked
by the standard UPX command line tool. Thus, we de-
cided to bring the UPX source code on the next day to
facilitate debugging of the unpacking issues.
10UPX: the Ultimate Packer for eXecutables – https://upx.
github.io
4.7 Day 5: Tampering with screen contents
and votes
In the morning, we received a formal visit of the presi-
dent of the SEC and were asked to give a live demonstra-
tion to the overseeing committee of progress so far. The
increased media coverage was distracting and greatly im-
paired our team’s ability to concentrate on the work. De-
spite that, we proceeded to debug the binary unpacking
issue found in the previous day, and it turned out to be
a simple matter of UPX getting confused by the digital
signature appended to executables. Removing the sig-
nature allowed us to normally unpack binaries using the
standard UPX tool.
With the unpacked VOTA application binary at hand,
we noted that it lacked common exploit mitigation tech-
niques, because it was not in a Position Independent
Executable (PIE) format. This simplified our work for
exploitation because targeted contents were in fixed ad-
dresses, eliminating the need to compute addresses from
the process memory mappings. However, both of the un-
signed libraries which could be used as attack vectors
were linked against multiple executables, whereas we
wanted to compromise just the VOTA application. We
chose to insert our payloads in the HKDF library, which
was linked to only two of the executables – SCUE and
VOTA. In order to check whether the library code was
running inside the memory space of VOTA, we read a 32-
bit word from some address which exists both in SCUE
and VOTA but contains different values in each appli-
cation. If it detected our code was not running inside
VOTA, it would just jump and skip the payload.
In order to verify whether we would be able to use the
mprotect syscall to change the permissions of read-only
memory pages, we wrote a payload to modify VOTA’s
version string, located in its .rodata section. The orig-
inal string was “The Hour of the Star”, but we modified
to “The Hour of the Threat” (in Portuguese, “A Hora da
Treta”). The test was successful and the new string could
be found in the installation log and inside the Memory of
Results (MR).
To escalate this simple payload to a useful and vis-
ible attack, we decided to modify a string in the voter
screen, which is clearly visible during the voter’s interac-
tion with the equipment. The selected string was “YOUR
VOTE GOES TO” (in Portuguese, “SEU VOTO PARA”).
A reproduction of the DRE screen after this attack is
shown in Figure 6(b) – at the top left corner, a message
appears asking the voter to cast a vote for candidate num-
ber “99”.
Once the ability to modify any desired memory page
was demonstrated, we proceeded to improve the HDKF
library infection technique. Until this moment, we sim-
ply overwrote the hkdf() library function which actu-
11
(a)
(b)
Figure 6: Reproduction of the in-memory modification of one of the strings contained in the VOTA application. (a)
Original DRE. (b) Compromised DRE – the voting software now advertises the choice of a hypothetical candidate.
ally computes a key. Because of this, our payloads al-
ways caused the DRV key to be zeroed, similar to the
attack against ballot secrecy described in Section 4.6.
Although an apparently corrupt DRV file would hardly
raise any suspicions, since the DRV file is only inspected
when an audit is performed, we implemented a method to
avoid this drawback by preserving HKDF functionality.
As illustrated in Figure 7, we replaced the SHA-224
implementation (which was present in the library but
not used by any of the applications) with our payload.
Then, we overwrote just an excerpt of the hkdf() code
with instructions for redirecting the execution flow to
the SHA224Init function, which address we compute
into the eax register taking into account that, unlike the
main executable, the library contains Position Indepen-
dent Code (PIC) and is loaded at a random address. Af-
ter running the payload, the SHA224Init function re-
stores eax to its original value, runs a copy of the origi-
nal excerpt moved from hkdf(), and returns. Since the
ret instruction pops the stack, an excerpt containing in-
structions that manipulate the stack would present issues,
however we fortunately did not face this problem.
add eax, SHA224Init - A
call eax
A:
; payload added here
sub eax, SHA224Init - A
ret
code
moved
hkdf:
SHA224Init:
push ebp
mov ebp, esp
; [...]
call __x86.get_pc_thunk.ax
; [...]
pre-existing
code
Figure 7: A simple library code infection technique we
employed to furtively compromise libhkdf.so.
Continuing to analyze the VOTA binary with a
disassembler, we found a method called AddVote
(in Portuguese, “AdicionaVoto ”) with signature
void(uint8 t office, int type, std::string
&vote). This method was called only when the vote to
be cast was already rendered on the screen and the voter
pressed the DRE’s confirm button. In other words, it was
possible to modify its behavior to change votes before
storing them, without the voter ever noticing anything
abnormal.
To compromise AddVote(), we wrote a Python script
to generate a payload to infect the method with the code
presented in Listing 2. This code loads in eax a ref-
erence to the std::string which holds the vote, then
loads to edi a pointer to the string’s characters, and fi-
nally writes a ‘9’ character to two subsequent memory
addresses (starting at edi).
Listing 2 Code injected in the AddVote method to ma-
nipulate votes in favor of candidate number “99”.
mov eax, [ebp+0x14]; std::string&
mov edi, [eax]; char*
mov al,'9'
stosb
stosb
Nevertheless, when we tested that payload in the DRE,
it caused a segmentation fault just before the VOTA ap-
plication was expected to appear in screen. Since that
meant the AddVote() method was never actually called,
we quickly found the mistake. To overwrite AddVote(),
our Python script was issuing lodsb/w/d instructions
instead of stosb/w/d. As esi contained zero (we cor-
rectly loaded the address to edi), this caused a null
pointer dereference.
Testing a new payload in the DRE took more than 30
minutes due to the sanity self-checks required by the in-
stallation process. Therefore we decided a member of
our team would test a simpler payload, which just re-
placed the AddVote() method with the ret instruction
12
opcode, while another member would simulate the com-
plete payload in the computer, to ensure no more typos
were present before loading it into the DRE.
Since the simple payload prevented votes from being
stored in the electronic ballot (a std::vector contain-
ing votes for all the election offices), we observed the
following behavior when it was loaded in the DRE: the
voter could type and confirm votes for all the offices,
however just after pressing the confirm button for the last
office, a consistency check triggered an alert message in
the DRE screen stating that the ballot was empty.
Although the complete payload worked correctly
when simulated in the computer without requiring any
further bug fixes, the tests were interrupted on time at
6PM and we were not allowed to proceed testing it on
the DRE voting machine.
5 Discussion
DRE voting machines are largely criticized in academic
literature, mainly due to its design and implementation
flaws, and because these electronic voting systems do
not allow for external audits/recounts in case the election
outcome is disputed. Models manufactured by Diebold
were especially subject of multiple security analysis [9].
The impact of the vulnerabilities discovered ranged from
manipulation of election results to viral infection of vot-
ing equipment. Most of the problems were a direct result
of insecure engineering practices and the enormous com-
plexity of the voting software, comprising around a mil-
lion lines of source code. Other works focused on com-
parably simpler voting systems found similar problems,
such as the software attacks on Dutch Nedap DRE ma-
chines by Gonggrijp and Hengeveld [18], and hardware
attacks against the Indian EVMs discussed by Halder-
man et al. [26]. Paper records are not a panacea either,
and hybrid systems with electronic and physical records,
such as the one used in parts of Argentina, were also
found vulnerable to realistic attacks when analyzed by
academics [1].
Most of the publicly available literature regarding the
Brazilian system has scope limited to official voting pro-
cedures, election legislation and informal analysis. The
Brazilian Computer Society (the national equivalent of
the Association for Computer Machinery – ACM) com-
missioned a report in 2012 which found important con-
cerns about the security and transparency guarantees of
Brazilian electronic elections [19]. The report suggests
many improvements to the election workflow, but no de-
tailed software vulnerabilities were discussed, although
the authors had the opportunity to observe some software
development inside the SEC.
Until recently, only inspectors from political parties
had the clearance to examine the voting software source
code during a time period before the elections. For this,
they must sign an NDA which prevents any public disclo-
sure of the problems observed in the code. These limita-
tions explain the lack of rich literature about the security
features of Brazilian DRE machines.
The report published by Aranha et al. after the 2012
edition of the TPS [2] was the first technical document
containing a detailed analysis of the security mechanisms
implemented in the voting system. However, the report
focuses more on the vulnerabilities of the ballot shuffling
mechanism and how the researchers were able to exploit
them under the restrictions of the hacking challenge, al-
though some discussion is dedicated to point out the in-
secure storage of cryptographic keys and inherent lim-
itations of the software integrity checking mechanism.
Our work should help filling this gap and to accurately
update the state of Brazilian voting technology to the in-
ternational technical community. We split the discussion
in the software integrity and ballot secrecy properties and
finish arguing how our results invalidate official security
claims published by the SEC.
5.1 Software integrity
Decrypting the install cards was all that was needed to
discover two shared libraries without detached signa-
tures, and thus amenable for arbitrary code injection at-
tacks. Circumventing the encryption mechanism thus
gave disproportionate capabilities to an attacker, an un-
expected effect. Although we obtained the encryption
key directly from the source code, which greatly accel-
erated our progress, we claim that an external attacker
would also be able to recover the encryption key embed-
ded in the bootloader and proceed with decrypting the
kernel image. On possession of a decrypted kernel im-
age, the attacker would become capable of both decrypt-
ing the install cards and removing the second encryp-
tion layer protecting the application-level authentication
keys. The latter provides a huge amount of power to the
adversary, who becomes capable of forging files and cor-
responding digital signatures protecting poll tapes, soft-
ware components, the LOG and the DRV. Interestingly,
in the last day of the hacking challenges, Group 4, com-
posed of forensic experts from the Brazilian Federal Po-
lice, was able to recover the kernel image in plaintext
through reverse engineering by moving the bootloader to
a standard address and running it inside a virtual machine
emulator.
We thus conclude that the integrity of software, and
consequently the results, depends ultimately on the se-
crecy of a symmetric key embedded into the bootloader.
This key is trivially accessible by the whole voting soft-
ware development team, and is visible to external attack-
ers because it is stored in plaintext inside the install cards.
13
In fact, this mechanism does not amount to encryption
per se, but only to a much weaker form of obfuscation. In
retrospect, these vulnerabilities are not exactly new. The
report by Aranha et al. [2] already pointed out how the
file system encryption keys were insecurely stored in the
source code in the 2012 version of the voting software.
At that time, the same key and initialization vector (IV)
were shared among all voting machines, for encrypting
files using AES-256 in CBC mode. The only improve-
ments we observed in the 2017 version were switching
to variable IVs and adopting the XTS mode.
The two shared libraries without detached signatures
were not signed because generating the list of files to
be signed is apparently not an automated process. In
their report, the SEC development team states that the
libraries still had kernel-level RSA signatures appended
to the files, but a bug in the verification code (and its
unit test) prevented the manipulation to be detected [16].
This suggests a development process in need of urgent
revision of its critical procedures.
The staff also states that cryptographic keys for en-
crypting the file system will not be hard-coded anymore
in future versions of the software, but computed on-the-
fly with help of the BIOS [16], increasing the level of
obfuscation. This design choice was justified by the
SEC with observing that not all voting machines have the
MSD device available, which limits the possibility of us-
ing its idle space for storing cryptographic keys. Because
any voting machine must be able to replace any other
voting machine on election day, it is considered risky to
have different versions of the software in operation. This
suggests further that overall security of the system is dic-
tated by the oldest model in operation, in this case the
2007 one without the MSD.
We recommend the SEC to revise its development pro-
cess, adopting best practices by automating critical pro-
cedures and implementing negative testing countermea-
sures. The list of files to be signed should not be gener-
ated by manually hard-coding file names in a script, and
testing of signature verification should not only be eval-
uated under ideal circumstances (correct key and mes-
sage). We further recommend the install card encryption
keys (and other cryptographic keys) to be segregated in
the minimal unit possible (polling place, neighborhood
or city), to reduce overall impact in case one of these keys
leak. In the longer term, all cryptographic keys should be
moved inside the MSD security perimeter.
5.2 Ballot secrecy
The DRV file stores a table separated into sections, where
each section is devoted to a different race. This table
shuffles the votes cast by the voters to disassociate the
order of the voters and their votes. It was introduced by
law to replace the paper trail after failure of implement-
ing paper records in 2002. As claimed by the SEC, it
supposedly permits independent verification of election
results [12], but the file is produced by the same software
which tallies the votes. Any successful attack against the
tallying software can also compromise the integrity of
the DRV. For this reason, Aranha et al. [2] concludes that
the DRV file does not serve any security purpose besides
violating ballot secrecy if designed or implemented in-
securely. For this reason, preventing attacks against the
DRV relies on a the implementation of a secure random
number generation algorithm.
There are multiple such algorithms being used across
the code base to satisfy the randomness needs of the
plethora of cryptographic primitives for encryption and
authentication deployed in the voting software. The El-
gamal signatures computed by the MSD rely on the weak
xorshift family [21] of pseudo-random number gener-
ators (PRNG). The mechanism for shuffling votes inside
the DRV file, a critical component for ballot secrecy, was
implemented through a combination of two other gener-
ators: reading directly from /dev/urandom or from a
customized PRNG based on a 32-bit variant of the 64-bit
version of the obscure Sapparot-2 algorithm [20]. The
generator alternates between the two algorithms in case
any of them fails. In its original version, the Sapparot-2
algorithm is clearly not suited for cryptographic applica-
tions, as explicitly advertised by the author 11.
Although a significant improvement over the
previous shuffling mechanism implemented with
srand()/rand(), the modifications we observed
are clearly not sufficient. Even if the new version of
the implemented mechanism appears much harder to
exploit due to frequent mixing of operating system
entropy in the internal state, the inadequate choice
of algorithms after five years of development looks
surprising. The replacement algorithm was not vetted
by the cryptographic community and does not satisfy
minimal security requirements for such a critical file.
The recommendations in the previous report were not
fully adopted, since the file layout still lacks defense-
in-depth protections by removing unused slots in the
DRV table and the PRNG remains nonstandard [2].
We reinforce the same recommendations, assuming
that the DRV must still be produced to satisfy legal
requirements: (i) remove unused slots corresponding to
absentees to prevent exhaustive search in the seed space;
(ii) adopt stronger standardized PRNG algorithms or
read from /dev/urandom directly, if collected entropy
is of enough quality. In the longer term, we further and
again recommend the DRV file to be eliminated, and the
law to be changed.
11Sapparot-2: http://www.literatecode.com/sapparot2
14
5.3 Security claims
There is no document formalizing the threat model or se-
curity goals considered by the SEC during the develop-
ment of the electronic voting system. This complicates
security analysis, since the adversary becomes a mov-
ing target, conveniently changing depending on the at-
tack under discussion. Fortunately, the SEC published a
Q&A document defending some of the security mecha-
nisms [12], in response to the results obtained by Aranha
et al. [2]. This document is a very useful resource to
understand the rationale behind some of the design de-
cisions. As with any paperless DRE system, all security
properties ultimately depend on integrity of the voting
software and hardware, and their resistance against tam-
pering. Our results in this paper contradict several of
the claims in that document, as we elaborate below. The
original writing is in Portuguese, but we attempt to pro-
vide translations as close as possible.
The second question in page 10 states the security goal
concerning software integrity:
It is not possible to execute unauthorized ap-
plications in the voting machine. Along the
same way, it is also not possible to modify an
application in the machine.
Our attacks were able to include additional files and
modify two shared libraries in the install card, with the
software installation process being completed without
any hassle. The software installed in the machines pre-
served the intended modifications and its execution later
violated the integrity of running software.
Pages 12-14 give details about the adversarial model:
The voting machine is not vulnerable against
external attackers. (...) This is guaranteed by
several security mechanisms, based on digi-
tal signatures and encryption, which create a
chain of trust between hardware and software
and prevent any violation of the voting ma-
chine.
DRE voting machines are notably insecure against ma-
licious insiders with control over the voting software.
Our successful attack also demonstrates how an external
attacker in control of install cards can manipulate voting
software before it is installed in the machines. Because
each card installs software in up to 50 voting machines,
this approach has an amplification effect, reducing the
logistic requirements and cost of the attack.
Page 22 establishes security goals for the LOG file:
The log file is another transparency and audit-
ing mechanism made available by the SEC.
The fact that the shared library handling log events
lacked digital signatures completely removes the possi-
bility of using the LOG as an auditing mechanism, be-
cause the generated events may be under adversarial con-
trol. An attacker would then be able to erase specific
events of manipulate performance metrics, such as the
false positive rate reported for the fingerprint identifi-
cation system. This is naturally true of any electronic
record, and explains why purely electronic voting sys-
tems are inherently insecure and opaque.
The last question clarifies the expected security prop-
erties of the file system encryption, here transcribed in
more detail:
The objective of the file system encryption is
to impose an additional barrier to an external
attacker with little or no knowledge about the
software organization in the voting machine.
This way, a possible attacker would find obsta-
cles to start analyzing the memory card con-
tents.
There is a single secret key used for encrypt-
ing file systems in all memory cards. If this key
were not unique, it would be impossible to re-
place a malfunctioning machine with another
one, and any auditing in the voting machines
would be compromised. However, stating that
possessing the encryption key makes possible
to generate cards “with different content” is
incorrect.
It is important to note that the file system en-
cryption is not the sole mechanism support-
ing software security in the voting machine.
All files which require integrity and authen-
ticity are digitally signed. This is the case,
for example, of the voting machine applica-
tions and election metadata, and the poll tapes,
DRV, among others. Files requiring secrecy
are also encrypted. In all these cases, other
keys are employed. These signature and en-
cryption mechanisms prevent the memory con-
tents from being manipulated.
The file system encryption is thus claimed to be one
of many security barriers against external attackers. It is
designed as a first obstacle to attackers without much in-
formation about the system, having other cryptographic
mechanisms as stronger defenses against more sophisti-
cated attackers. While the former is technically correct,
since the file system encryption is actually just obfus-
cation, we observed that capturing the encryption keys
provided a disproportionate power to the attacker, who
becomes able to choose or reveal more important cryp-
tographic keys. This happened because decryption al-
lowed us to fully inspect the contents of the install card
15
and detect serious vulnerabilities in the integrity check-
ing mechanism, violating the software integrity claims
and the main security properties of the system as direct
consequence.
6 Conclusion and perspectives
We thank the SEC for the opportunity to contribute with
improving the security of the Brazilian voting machines
and give brief suggestions about how to improve effec-
tiveness of the hacking challenges: minimize the bureau-
cracy and staff intervention during the event; improve
agility of internal processes to authorize entry of docu-
ments and software packages in the testing environment;
enlarge the scope by including the fingerprint identifica-
tion system and parts of transmission/tabulation infras-
tructure; increase the duration of the event and reduce the
dependence on secret source code by making it widely
available. In particular, we ask readers to not extrapolate
the time consumed by our team during the challenges
as an estimate of the time required to mount an attack
against real elections, as the number and impact of artifi-
cial restrictions was substantial.
We conclude by stating that the Brazilian voting ma-
chine software still does not satisfy minimal security and
transparency requirements and is very far from the matu-
rity expected from a 20-year mission-critical system. We
recommend the SEC to carefully revise their develop-
ment practices and consider adopting voter-verified pa-
per trails in the system to provide stronger guarantees
of its correct functioning on election day. We hope that
our findings contribute to the ongoing debate in Brazil
concerning the adopting of paper records as a way to im-
prove security and transparency of the voting system.
Availability
The code written during the hacking challenge and ad-
ditional files can be found in the repository available at
https://github.com/epicleet/tps2017
References
[1] AM ATO, F., OR O, I. A. B., CHAPA RRO , E., L ER NER , S. D .,
ORTE GA, A ., RIZZ O, J., RUS S, F., S MALDONE, J., AND
WAISM AN , N . Vot.Ar: una mala elecci´
on. https://ivan.
barreraoro.com.ar/vot-ar- una-mala- eleccion/, 2015.
[2] ARANHA, D. F., KA RAM , M. M., M IR ANDA , A. , AND
SCAREL, F. Software vulnerabilities in the Brazilian voting ma-
chine. IGI Global, 2014, pp. 149–175.
[3] ARANHA, D. F., RIBE IRO , H., A ND PARAENSE, A . L. O.
Crowdsourced integrity verification of election results - An expe-
rience from Brazilian elections. Annales des T ´
el´
ecommunications
71, 7-8 (2016), 287–297.
[4] AUMASSON, J., AND BE RN STE IN, D. J. Siphash: A fast short-
input PRF. In INDOCRYPT (2012), vol. 7668 of Lecture Notes
in Computer Science, Springer, pp. 489–508.
[5] BAR RET O, P. S. L. M ., AND NAEHRIG, M. Pairing-friendly el-
liptic curves of prime order. In Proceedings of the 12th Interna-
tional Conference on Selected Areas in Cryptography (Kingston,
ON, Canada, Aug. 2005), SAC’05, pp. 319–331.
[6] BE RNS TE IN, D . J., D UIF, N., LA NG E, T., SCHWAB E, P., A ND
YANG, B. High-speed high-security signatures. In CHES (2011),
vol. 6917 of Lecture Notes in Computer Science, Springer,
pp. 124–142.
[7] BO NEH , D., AND BOY EN , X. Short Signatures Without Random
Oracles and the SDH Assumption in Bilinear Groups. Journal of
Cryptology 21, 2 (Feb. 2008), 149–177.
[8] BRAZILIAN SOCIAL DE MOC RAC Y PARTY – PSDB. Re-
port on the Special Audit in the 2014 Voting System. Avail-
able at http://www.brunazo.eng.br/voto-e/arquivos/
RelatorioAuditoriaEleicao2014-PSDB.pdf, 2014.
[9] CALANDRINO, J. A., FELDMAN, A. J ., J . A. HALDERMAN,
D. W., A ND H. YU, W. P. Z. Source Code Review of the
Diebold Voting System. Available at https://jhalderm.com/
pub/papers/diebold-ttbr07.pdf, 2007.
[10] COMMITTEE, T. O. Report of the Overseeing Committee
of the Public Security Tests, 2017 edition (In Portuguese).
http://www.tse.jus.br/hotsites/teste-publico-
seguranca-2017/arquivos/tps2017- relatorio-
comissao-avaliadora.pdf, 2017.
[11] CO URT, S. E. Execution of Testing Plan (In Portuguese).
https://web.archive.org/web/20160107163923/http:
//www.tse.gov.br/internet/eleicoes/arquivos/
Teste_Sergio_Freitas.pdf, 2009.
[12] CO URT, S. E. Frequently Asked Questions (FAQ) about
the Brazilian voting system, 2nd edition (In Portuguese).
http://www.justicaeleitoral.jus.br/arquivos/tse-
perguntas-mais- frequentes-sistema- eletronico-de-
votacao, 2014.
[13] CO URT, S. E. Public Security Tests of the Brazil-
ian Voting System: Compendium (In Portuguese.
http://www.tse.jus.br/hotsites/catalogo-publicacoes/pdf/teste-
publico-de-seguranca-2016-compendio.pdf, 2016.
[14] CO URT, S. E. Call for participation in the Public Security Tests.
http://www.tse.jus.br/hotsites/teste-publico-
seguranca-2017/arquivos/TPS- testes-publicos-
seguranca-edital.pdf, 2017.
[15] CO URT, S. E. Draft of resolution concerning the elec-
toral procedures for implementing a paper trail in the
2018. http://www.justicaeleitoral.jus.br/arquivos/
tse-audiencias- publicas-voto- impresso, 2017.
[16] CO URT, S . E. Vulnerabilities and suggestions for improvement
to the voting machine ecosystem observed in the Public Secu-
rity Tests, 2017 edition (In Portuguese). http://www.tse.
jus.br/hotsites/teste-publico- seguranca-2017/
arquivos/tps2017-relatorio- tecnico.pdf, 2017.
[17] DATABAS E, N. V. JBoss Vulnerabilities. Available
at https://nvd.nist.gov/products/cpe/search/
results?keyword=jboss&status=FINAL&orderBy=
CPEURI&namingFormat=2.3, 2018.
[18] GONGGRIJP, R., A ND HEN GE VEL D, W. Studying the
nedap/groenendaal ES3B voting computer: A computer security
perspective. In EVT (2007), USENIX Association.
[19] J. VAN D E GRAA F, R. F. C. Electoral technology and the
voting machine – report of the Brazilian Computer Society (in
16
Portuguese). Available at http://www.sbc.org.br/index.
php?option=com_jdownloads&Itemid=195&task=view.
download&catid=77&cid=107, 2002.
[20] LE VIN , I. O. Sapparot-2: Fast Pseudo-Random Number Genera-
tor. http://www.literatecode.com/get/sapparot2.pdf,
2005.
[21] MA RSAG LI A, G. Xorshift RNGs. Journal of Statistical Software,
Articles 8, 14 (2003), 1–6.
[22] STAL LI NGS , W. Cryptography and Network Security: Principles
and Practice 7th edition. Pearson, 2016.
[23] STEINMETZ, F. USB – an attack surface of emerging im-
portance. Bachelor’s thesis, Technische Universit¨
at Hamburg,
2015. Available at https://tubdok.tub.tuhh.de/handle/
11420/1286.
[24] SUPERIOR EL ECT ORA L COU RT OF BRAZIL. Resolu-
tion number 23,444 (in Portuguese). Available at http:
//www.tse.jus.br/legislacao/codigo-eleitoral/
normas-editadas- pelo-tse/resolucao- no-23- 444-
de-30- de-abril- de-2015- 2013-brasilia- 2013-df,
2015.
[25] TEUWEN, P. python-cryptoplus, AES-XTS python implemen-
tation. Available at https://github.com/doegox/python-
cryptoplus, 2017.
[26] WOL CH OK, S ., WUST ROW, E. , HAL DE RMA N, J. A., P RASAD,
H. K., KA NK IPATI, A., SAKHAMURI, S . K., YAGATI, V., AN D
GONGGRIJP, R. Security analysis of India’s electronic voting
machines. In ACM Conference on Computer and Communica-
tions Security (2010), ACM, pp. 1–14.
17
• Crowdsourced integrity verification of election results: An experience from Brazilian elections
Article
Full-text available
◦ Mar 2016
◦
• Diego F Aranha
• Helder Ribeiro
• André Luis Ogando Paraense
View
Software vulnerabilities in the Brazilian voting machine
Chapter
Full-text available
• Jan 2014
•
• D F Aranha
• M M Karam
• A. De Miranda
• F.B. Scarel
View
• Studying the Nedap/Groenendaal ES3B voting computer: a computer security perspective
Article
• Jan 2007
• Rop Gonggrijp
• Willem-Jan Hengeveld
View
Recommendations
Discover more publications, questions and projects in Voting
Project
Electronic voting
•
• Diego F. Aranha
• A.L.O. Paraense
• Helder Ribeiro
• [...]
• Caio Lüders
Perform security analysis of real voting systems and propose security and transparency improvements.
View project
Project
Privacy-preserving computing
•
• Diego F. Aranha
• Pedro Alves
• Amanda Resende
Design efficient methods, protocols and implementations for computing over encrypted data.
View project
Project
Cryptographic engineering
•
• Diego F. Aranha
• Private Profile
• Jefferson E. Ricardini
• [...]
• Darrel Hankerson
Develop efficient and secure implementations of cryptography.
View project
Project
Physical Unclonable Functions (PUFs)
•
• Diego F. Aranha
• Guido Araujo
• Mario Lucio Côrtes
• [...]
• Rodrigo Surita
Develop PUF candidates and PUF-based cryptographic protocols for solving computer security problems.
View project
Technical Report
NIZKCTF: A Non-Interactive Zero-Knowledge Capture the Flag Platform
August 2017
Capture the Flag (CTF) competitions are educational and professional tools for the cybersecurity community. Unfortunately, CTF platforms suffer from the same security issues as other software components, what may give advantage to competitors who target the actual platform instead of the challenges. While it is arguable that successful attacks against the platform demonstrate relevant skills,... [Show full abstract]
Read more
Article
Crowdsourced integrity verification of election results: An experience from Brazilian elections
March 2016 · annals of telecommunications - annales des télécommunications
In this work, we describe an experiment for evaluating the integrity of election results, and improving transparency and voter participation in electronic elections. The idea was based on two aspects: distributed collection of poll tape pictures, taken by voters using mobile devices; and crowdsourced comparison of these pictures with the partial electronic results published by the electoral... [Show full abstract]
Read more
Data
Software vulnerabilities in the Brazilian voting machine (slides for RWC 2016)
January 2016
Read more
Presentation
(In)security of e-voting in Brazil (ekoparty 13)
September 2017
This talk presents a security analysis of the Brazilian voting machine software based on our participation in official restricted tests organized in 2012 by the national electoral authority. During the event, vulnerabilities in the software were detected and explored, with significant impact on ballot secrecy and integrity. We present scenarios where these vulnerabilities allow electoral fraud... [Show full abstract]
Read more
Discover more
Data provided are for informational purposes only. Although carefully collected, accuracy cannot be guaranteed. Publisher conditions are provided by RoMEO. Differing provisions from the publisher's actual policy or licence agreement may be applicable.
This publication is from a journal that may support self archiving.
Learn more
Last Updated: 11 Mar 18
© 2008-2018 ResearchGate GmbH. All rights reserved.About us · Help Center · Careers · Developers · News · Privacy · Terms · Copyright · Impressum | Advertising · Recruiting
•
or
Discover by subject area
Join for free
Log in
• People who read this publication also read:
• Technical Report: NIZKCTF: A Non-Interactive Zero-Knowledge Capture the Flag Platform
Full-text · Aug 2017
Article: Crowdsourced integrity verification of election results: An experience from Brazilian elections
Full-text · Mar 2016 · annals of telecommunicatio...
Data: Software vulnerabilities in the Brazilian voting machine (slides for RWC 2016)
Full-text · Jan 2016
Presentation: (In)security of e-voting in Brazil (ekoparty 13)
Full-text · Sep 2017
THE END
No comments:
Post a Comment