2nd Device Malware Verification Check can be defeated by rerouting the QR code to another malicious site (or other non-legit check websites)

[dsernst]

Reported by Drew Springall (@aaspring) yesterday at DEF CON (~24 hours before submissions close):

2nd Device Malware Verification Check can be defeated by rerouting the QR code to another malicious site (or other non-legit check websites).

See paper https://aaspring.com/ccs2014/ivoting-paper.pdf on similar attack against Estonia, especially Figure 4 on page 4.

[dsernst]

Possible mitigations:

1. Have voter confirm 2nd device loads correct domain (eg siv.org, or .gov) [election admin could potentially provide that reminder in separate channel if available]
2. If civic election, with invites via postal, provide QR code to load second device check UI on paper itself [with 2nd device anti-malware codes embedded in QR code], then that webpage would do another QR photo snap to get the private vote data from the first device.

[arianabuilds]

Entry Summary for HACK SIV @ DEF CON 2024

Thanks again for participating! This submission earned $566.89 from SIV and $284.93 from the Public Vote, for a total of $851.82.

Here's what we noted in our evaluation:

What's interesting about this submission

• Could break verification integrity from initially proposed design for 2nd Device Malware Check
• Very well studied critique (because of previous analysis of similar design from Estonian system)
• Nice diagrams in linked paper

What takes away from it

• Luckily two different ways to mitigate this specific attack and restore its trustworthiness: detailed in linked issue reply
• This is not the only way to verify against malware. (But it is important to fix this one, which is meant as the easiest method to use before votes are unlocked)
• Post-election RLA should still catch this and reveal it

Issue to track getting paid: https://github.com/siv-org/hack.siv.org/issues/7