
Network admin pwn caught on server room cams

By Staff Writers
Mar 5 2012 1:04PM

Attackers break voting system, capture moment admins find out.

University of Michigan researchers have used webcams in a data centre to capture the moment administrators of an internet voting system learned they had been pwned.


The researchers participated in a sanctioned attack on the voting system developed by the Washington DC Board of Elections and Ethics [pdf].

The system was designed to allow military and overseas voters registered in the district to cast electronic ballots in a local election.

However, prior to general use, it was subjected to a "mock election" process where "anyone" was invited to probe its security.

The University researchers found a shell-injection vulnerability on the mock server after several hours examining the application source code.

"We exploited the shell injection vulnerability to carry out several attacks that illustrate the devastating effects attackers could have during a real election if they gained a similar level of access," the researchers said.

Their attack attempts went unnoticed by the intrusion detection system (IDS) device deployed in front of the web server, because it "was not configured to intercept and monitor the contents of the encrypted HTTPS connections that carried" the attacks.

The researchers retrieved the public key used to encrypt ballots on the system. The key was used to change past and future votes lodged in the system.

Although the researchers took steps to cover their tracks, they left a "calling card" in the form of a video that appeared on a modified "Thank You" page.

In addition to attacks on the system, the researchers also severely compromised the physical network infrastructure on which the system operated.

The researchers used a publicly-available network topology diagram for initial clues as to the underlying architecture.

They were able to locate a terminal server, install a JavaScript rootkit to conceal their presence and eventually crack administrator passwords for various network boxes.

Acting as admins

The researchers said they helped repel an SSH attack from Iran on behalf of the actual network administrators.

A review of the terminal server logs showed attempts to guess SSH login passwords.

"We realised that one of the default logins to the terminal server (user: admin, password: admin) would likely be guessed by the attacker in a short period of time, and therefore decided to protect the device from further compromise that might interfere with the voting system test," the researchers said.

"We used iptables to block the offending IP addresses and changed the admin password to something much more difficult to guess.

"We later blocked similar attacks from IP addresses in New Jersey, India, and China."
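The log review and blocking step described above can be sketched as follows. This is an added example, not code from the researchers or the article: the log lines are constructed in OpenSSH syslog format with documentation-range addresses, and the hostname, threshold and function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Oct  1 02:10:01 termserv sshd[411]: Failed password for invalid user test from 203.0.113.7 port 40112 ssh2
Oct  1 02:10:03 termserv sshd[411]: Failed password for root from 203.0.113.7 port 40113 ssh2
Oct  1 02:10:05 termserv sshd[412]: Failed password for admin from 203.0.113.7 port 40114 ssh2
Oct  1 02:10:09 termserv sshd[413]: Failed password for invalid user oracle from 203.0.113.7 port 40115 ssh2
Oct  1 02:11:30 termserv sshd[420]: Failed password for admin from 198.51.100.23 port 51200 ssh2
Oct  1 02:15:00 termserv sshd[431]: Accepted password for admin from 192.0.2.10 port 50022 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)
DEFAULT_ACCOUNTS = {"admin", "root"}  # names that commonly ship with default passwords

def summarize_failures(log_text):
    """Return {ip: Counter(username -> failed attempts)} for sshd failures."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            per_ip[ip][user] += 1
    return per_ip

def offenders(per_ip, threshold=3):
    """Source IPs with at least `threshold` failed logins, sorted for stable output."""
    return sorted(ip for ip, users in per_ip.items() if sum(users.values()) >= threshold)

def default_accounts_targeted(per_ip):
    """Default-style account names that any source tried to guess."""
    tried = set()
    for users in per_ip.values():
        tried |= users.keys() & DEFAULT_ACCOUNTS
    return sorted(tried)

def iptables_rules(ips):
    """Render (not execute) one DROP rule per offending source for SSH."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in ips]

if __name__ == "__main__":
    stats = summarize_failures(SAMPLE_LOG)
    print("\n".join(iptables_rules(offenders(stats))))
    print("default accounts under attack:", default_accounts_targeted(stats))
```

Blocking by source address only slows a guessing campaign that can move to new addresses; the list of targeted default accounts shows which passwords need changing first.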

Later, the researchers were able to gain broader access to other switches on the electoral network and change usernames and passwords - "effectively locking the administrators out of their own network".

Webcam access

On the same network, the researchers found a pair of publicly-accessible webcams showing the server room that housed the pilot network.

The cameras were pointed at the entrance to the room and at the rack of server and network hardware.

Malicious users could have watched the footage to determine the types of servers used or to "learn the pattern of security patrols" in the room.

The researchers had a different purpose. "We used them to gauge whether the network administrators had discovered our attacks," the researchers said.

"When they did, their body language became noticeably more agitated."

The University said it took election officials about 36 hours to notice the attacks. The tip-off appeared to come from posts to a mailing list joking about the calling card video.

Researchers said that while election officials deserved praise for opening their system to public tests, the successful attack highlighted the challenges in putting together a robust electronic voting system.
