Experts demonstrate how to hack email voting

Thanks to a friend for passing on this link to a ‘how to’ demonstration from last summer’s Black Hat 2013:  Gmail, and e-voting ‘pwned’ on stage in crypto-dodge hack – Once you enter, you can never leave logout <read>

Security researchers say they have developed an interesting trick to take over Gmail and email accounts – by shooting down victims’ logout requests even over a supposedly encrypted connection.

And their classic man-in-the-middle attack could be used to compromise electronic ballot boxes to rig elections, we’re told.

Ben Smyth and Alfredo Pironti of the French National Institute for Research in Computer Science and Control (INRIA) announced they found a way to exploit flaws in Google and Microsoft’s web email services using an issue in the TLS (Transport Layer Security) technology, which encrypts and secures website connections.

Full details of the attack are yet to be widely disseminated – but it was outlined for the first time in a demonstration at this year’s Black Hat hacking convention in Las Vegas on Wednesday.

In short, we’re told, it uses a TLS truncation attack on a shared computer to block victims’ account logout requests so that they unknowingly remain logged in: when the request to sign out is sent, the attacker injects an unencrypted TCP FIN message to close the connection. The server-side therefore doesn’t get the request and is unaware of the abnormal termination….

The attack does not rely on installing malware or similar shenanigans: the miscreant pulling off the trick must simply put herself between the victim and the network. That could be achieved, for example, by setting up a naughty wireless hotspot, or plugging a hacker-controlled router or other little box between the PC and the network.

The researchers warned that shared machines – even un-compromised computers – cannot guarantee secure access to systems operated by Helios (an electronic voting system), Microsoft (including Account, Hotmail, and MSN), nor Google (including Gmail, YouTube, and Search).

Maybe you use some other email system. But maybe that is a system that has yet to be hacked, publicly. If you send in a vote, what system does your recipient use?


Leave a Reply

You must be logged in to post a comment.