Experts with questionable competence, increasing role of the supplier of voting machines in software provision, and limited ability of the CEC to carry out integrity checks of the vote. These three factors increase the possibilities for manipulation of the results of machine voting for the upcoming elections. And while the machines themselves can hardly be “touched”, replacing the results is theoretically possible on another level. Countering such an attack is also possible, but hopefully it is not late.

SANS Report

– “Can you touch the result for party X?” – “Maybe, but not with these CEC experts.”

We do not have objectified evidence for such a conversation, but the actions of the authorities in favor of the supplier of the machines, the company “Ciela”, are quite specific. They are expressed in a report of SANS to the CEC, which claims that for some of the six experts of the commission “there is relevant classified information”.

The report does not specify specific people, nor exactly what information is classified and whether it is related to their work. In the face of this uncertainty, the CEC is forced to abandon the previous experts. Although half of them have had access to classified information for years and have been studied many times.

The letter of DANS entails another effect – CEC is forced to conclude a new contract with “Ciela”, as there is no way to find new experts trained by the manufacturer of the machines “Smartmatic” of the so-called. third level programming to prepare the software. In mid-August, when this happened, CEC tried to attract new specialists, but of the four external ones, none was a professional programmer.

Thus, instead of independent experts hired directly by the CEC, the preparation of the software is undertaken by Ciela itself. But not for free. For a solid fee of BGN 1,500 Every day she brings specialists of “Smartmatic” from abroad.

“Up with Delyan”

An important detail in the picture is that shortly before the SANS report, several media serving traditionally DPS and GERB broadcast a brown salvo at the experts. This is how the technology of denigration and discrediting from the recent past is fully reproduced, when a corpulent MP and former head of DANS was a media owner and had a huge influence in the services.

One of the owners of Ciela is known as close to the corpulent politician in question. In a conversation “from the kitchen” of the judiciary between the judges Vladimira Yaneva and Rumyana Chenalova and the scandalous lawyer Momchil Mondeshki it is heard that he

“Go upstairs. Go upstairs to Delyan.”

This is the same Delyan who has been sanctioned for “significant corruption” by the United States. And Momchil Mondeshki’s brother is now a candidate for MP from the MRF in Lovech.

It is not known, however, that DANS has prepared a report on the people who “go upstairs”, because if there was one, it could have forced the CEC to rethink the role of the company, which for several years now not only supplies the machines, but also deals with almost all the activity of securing voting.

Inconvenient experts

For the forces of Behind-the-scenes who had and are willing to “touch” the machine voting, the previous experts are embarrassing for several reasons:

• introduced a key for the ignition of the machines, which is kept in the CEC, not at the supplier of the machines “Ciela”;
• insisted CEC to receive directly one of the two flash drives with the results, without it going through the “Information Service”;
• managed to software lock all machines in the previous elections so that they would not be replaced with 600 additional machines supplied by Ciela outside the order;
• They made an archive of the flash drives with the results, which is stored in the state cloud;
• prevented the spread of PIN codes to smart cards for the chairmen of the SIC, with which cards are signed the results before they are recorded on the flash drives.

The latter action is particularly important. The PIN codes are generated by “Information Services” and are handed over to the sectional election commissions, although separated from the smart cards in sealed envelopes. But it turns out that if someone has the smart card, the PIN, a smart card reader, and any computer, they can sign another result file to replace the original file spat out of the machine. This is not easy, but the mere fact that it is possible significantly increases the space for attack.

However, the CEC had to hire some experts to monitor the processes and protect the public interest. However, the new four CEC experts are more qualified as network administrators than professional programmers.

CEC chief expert Miroslav Stefanov does not even have IT education and knowledge, but there are political burdens towards the party “Bulgarian rise” of former Prime Minister Stefan Yanev, with whom he has appeared in public several times.

The situation with experts in the Ministry of e-Government, who have to assess the compliance of machines, is also not up to par. Of the six experts, only one is a programmer.

On September 29, three days before the vote, MEU experts produced a remarkable “Report on conformity assessment of the delivered type of technical device for machine voting / TUMG / with the requirements under Art. 213, para. 3 of the Election Code and the requirements of the technical specification under public procurement No 04312-2022-0005 in connection with the holding of early elections for MPs on 02.10.2022.

In it we read, for example, that the inspection found the following:

“TUMG does not have active communication interfaces. TUMG is a closed and isolated information system that does not allow the use of I/O devices and communication interfaces.

This is obviously not true, as the machine has USB ports for flash drives, on which it records information after the election day, and they are active I/O devices from which the machine can even catch fire if you have the key for the UEFI sector, And the network input of the machines is not even mentioned in the report.

It can be concluded that the “expertise” of the available state experts and their colleagues from the CEC is welcome for anyone who has malicious plans and has hired real experts who are on the other side of the barrier.

“Touching the machines” or “Jurkaning the files”

After the end of the election day, the machine prints a paper protocol and generates a text file in cvs (comma separated values) format, which can be read with any version of Excel.

The paper machine protocol goes to the bag with the election papers, and the text file is signed by the machine with a certificate from the smart card of a member of the SIC and is recorded identically on two USB flash drives.

This is the file that is reported by Information Services and validated by checking that it is signed with the certificate of a member of the SIC. The files are then uploaded to the CEC website.

The attack can be carried out either at the level of the software in the machine, so that it generates false results, or subsequently replace the correctly generated files and protocols with other, fake ones.

In vernacular, the first means “touching the machines”, as a party leader puts it, who for two months abruptly stopped raising this topic. The second is the “djurkaning of the files”, in the words of a prominent constitutionalist from the same party.

Scenario 1: manipulation of election results with software change on machines:

For this scenario, which is less likely, three things are needed:

• access to the UEFI keys allowing the machines to be set on fire;
• physical access to machinery;
• modified software to go unnoticed.

The generator of a unique hash code “Hash Extractor” for the official software can be bypassed and embedded undetected malware code, but this attack requires the UEFI key, which is stored in the CEC, as well as physical access to the machines.

Physical access is possible in the warehouse, during transport or at the polling station.

However, the malware is detectable in a simple counting of paper control notes.

Protection against this scenario is available as long as the CEC holds the UEFI keys and does not distribute them uncontrollably. It was introduced by the previous CEC experts, disqualified from SANS.

Scenario 2: manipulation of results after the vote

In order to carry out a successful attack, two conditions are needed:

• have their smart cards and PINs;
• have a person in a SIC or RIK to change the results of USB flash drives and tamper with paper protocols.

It is important to know that the generation of false results can begin long before the election day and after its completion they can be copied directly onto the USB flash drives removed from the machine after the election day.

It is enough to have USB flash drives, a smart card of a member of the SIC, the PIN code for the smart card, a computer with a smart card reader and a simple program for signing with smart cards. Thus, after editing your file and entering the desired results in it, you sign it with the smart card of a member of the SIC from a standard program for electronic signatures.

In the November 2-in-1 election software, all elements for performing this manipulation are available in the SIC, i.e. the attack is feasible at the level of “bribed” SIC or RIK.

Again, it should be emphasized that the key to this attack is the availability of the smart card PIN in SIC/RIC.

The original MPs software used in April 2021 and July 2021 did not provide the PIN codes from the SIC smart cards.

But for the November 2-in-1 elections and Sunday’s upcoming elections, the software has been modified by Ciela, protection has been weakened, and smart card PINs have been made available to the SIC.

Such a modification could not have been carried out accidentally without intent.

This modification, which introduces a functional weakness, has not been written, requested, discussed and described by the CEC and has been certified without being recognized as a risk of the SEGA.

This type of attack can also be carried out directly by “Information Services” (IO). The false results can be generated during the issuance of smart cards. Subsequently, when the original flash drives and protocols reach their processing in RIK after the end of election day, IE can replace the information on the flash drives and protocols.

Defenses against this scenario:

• The CEC has physically divided the path of flash drives. Each machine has two flash drives with identical information, after the end of the election day one goes directly to the CEC without going through “Information Services”. In this way, the vector is blocked to perform this attack directly by IO, but not by SIC or RICK.
• Verification of audit logs and comparison of the results of the encrypted partition of the flash drives with the results of IO. Flash drives have a second encrypted partition in which each individual vote is saved. Thus, the text results can be compared from the encrypted partition. The problem is that Information Services does not copy the encrypted partition. Such verification is possible only in the archives of the CEC, where the flash drives are kept. However, the encrypted file is locked with three keys. One is in the CEC and the other two are in Ciela. Thus, verification without Ciela is not possible, and it must be done within three days after Election Day.
• To scan the paper protocol from the machine. This is an additional difficulty for the attacker, as he must also have a printer to print a fake.
• PIN codes for smart cards should not be given to Ciela. This means that the parameterization software must be installed in a controlled environment in the CEC and the creation of the electronic bulletins by the CEC supervised. Now this is what Ciela itself is dealing with.

Ciela here, Ciela there…

To summarize, the situation for these elections is the following and it is such thanks to the intervention of SANS, understand the caretaker government, understand the President:

• Ciela makes the voting software;
• “Ciela” makes the ballots;
• Ciela holds the keys for verification.

In this configuration, we can rightly ask what the CEC is for and why the elections do not conduct them directly “Ciela”?

Without a doubt, the best protection against any malicious scenario is for the state to order new open source software and attestation features in a dedicated chip. For such an approach, experts have been insisting for years, but CEC and Ciela jointly resisted.

Because if this is realized, Ciela or some other supplier will be able to deliver only machines, not complete choices, after the relevant consultations “up at Delyan”.

***

За да научавате преди всички за нови разследвания, инсталирайте си нашето мобилно приложение:

Щом сте стигнали дотук, вероятно вече си задавате въпроса как се финансира този журналистически проект.

От създаването си BIRD се финансираше от подаяния в нашето журналистическо чекмедже.
Но на чекмеджето му мина времето. Даже прокуратурата затвори онова Чекмедже, знаете кое…
Нашето финансиране влиза в крак с епохата. Фондонабиращата ни кампания вече се казва

#МятайСБЪРД

Дарявай за BIRD и мятай павета в блатото с корумпирани политици и други тарикати.
Те тайно премятат пари от твоя джоб в своя. Те размятат безнаказано лукса си пред очите на всички. Няма кой да ги накаже ако се надяваш на държавата.
Мятай, за да ги накажеш ти. Да дариш за разследващите журналисти е гаранция, че гадостите, с които силните на деня те замерят, ще им се върнат.
Можеш да метнеш веднъж, за да ти олекне!
Но по-добре е да мяташ редовно всеки месец и да се чувстваш трайно удовлетворен.
А най-добре е да доведеш приятели и да мятаме редовно заедно в екип. С мощен залп!
*За кръстник на новата ни фондонабираща кампания избрахме другарката Ваня. Благодарим й за вдъхновението!