Good afternoon, everybody. My name is Nimit. I'm one of the co-founders at Voatz, and I'm here to talk about some of the security data we've collected during the course of our mobile voting pilots over the last couple of years.

So before we dive into the data, just a quick overview about Voatz. So, many of you may know Voatz is the youngest elections company in the US. We got started almost by accident after winning a hackathon at South by Southwest in Austin, Texas, way back in 2014. The theme of the hackathon was happy to the future: what's the one thing you would do in the future, and how would you do it? And so my brother and I, we were there, and we ended up prototyping this new election system, which used smartphones, biometrics, real-time identity verification, and then also logged the ballots on a blockchain-based infrastructure. To our surprise, we ended up winning the first prize, and that led to a whole series of events, and eventually the company started in 2015.

So since then we've done 67 elections so far, and 11 of these have been public government election pilots. We've also done non-governmental elections, primarily with the state political parties in various states. And so some of the data we're going to share today covers a wide array of our elections from a security perspective. And then we'll also dive into a couple of really interesting elections we did recently, where for the first time we were able to collect a lot of interesting data.

So I'll begin with a quick introduction about our system.
It's a smartphone app-based mobile voting platform. And the key components here are essentially the voters' smartphone devices, so an iPhone or a compatible Android. Then you have the cloud infrastructure, where the back-end servers are running, and also distributed blockchain infrastructure. And then you have the election administration-specific interfaces to the election jurisdiction. And then from there, their traditional infrastructure: ballot printers and the tabulation equipment.

And the way the entire process works is, essentially, right now the system is being piloted only for absentee voters, and within absentee voters, a very small subset of people: essentially military voters who are deployed, their families, and any U.S. citizen who's living overseas. They're commonly referred to as UOCAVA voters. And so if you're in that eligible group and your jurisdiction is participating in a pilot, then you sign up normally as an absentee voter and then submit a form to your election clerk, typically your county clerk. And then they do a little bit of vetting, and then if you're eligible, they will pre-provision you on the Voatz system. And then you get an invitation to download the application on your smartphone, iPhone or compatible Android device.

So you begin with an email ID and a mobile number. And then once you've done the initial onboarding, you are asked to do an identity check. So you'll have to take a picture of a government-issued photo ID. Right now you can use a driver's license, state ID or a passport. You can use some other forms of ID as well if you don't have those three, but those are the most commonly used ones. And then once you've done the scan in the application, front and back, then you're asked to take a live video selfie. And then once you've completed that, it does a matching to make sure the picture you took of yourself matches the picture on the ID. A liveness check is done as well to weed out deepfakes or any other kind of fraudulent
activity, and once everything matches, data on your ID is compared to the voter registration file, which is provided to us by the jurisdiction for the pilot. If all that matches, your identity is digitized, stored in the secure space on the handset, and all the documents you've provided are deleted at that point, because we don't need them. We don't want to increase the threat surface after that as well.

So at this point you're ready to receive your ballot. So as you can see from the flow diagram, it's essentially a 10-step process. And once you've received the ballot, it's essentially your mobile representation of your actual paper ballot, which you would receive if you went to vote in person at your precinct, or if you opted in to vote by mail. Essentially the same ballot you'd get here. And so you mark the ballot on the phone, and then you may be asked to sign an affidavit, sign with a finger on the screen. And then once you're ready to submit, you confirm your choices, do your biometric verification on the device again, and at that point your ballot gets submitted to the network, anonymized. And you get a receipt so you can verify your selections and then also participate in the audit process as well. And in the background the jurisdiction gets an anonymized, anonymous copy of your receipt. And then close to election day a paper ballot is printed, and then there's a pre-tabulation audit. On election day, printed paper ballots are tabulated just like other paper ballots, and there's no hand reproduction required. And then once the election's over, in the canvass phase, there's a full audit where the receipts are compared. So end to end, that's how the process works.

Now that we've looked at kind of how the system functions, let's look at the threat model.
So as you can see, it's a pretty interesting threat model here. Obviously, because it's an internet-connected device, it is different from traditional methods of voting. So let's kind of run through the flow, and at each step we can look at some of the threats.

This is the first phase. As you saw, you opted in, the county clerk approves you, and then you've started to download the app. So obviously, if you're not careful, you could download an incorrect app by mistake, or the app may already be compromised ahead of time by a bad actor, or there may be malware on your device which, you know, prevents normal functioning of the application. So that's kind of the first stage.

Next, look at, now you're at the voting stage. So the threats here are, I mean, the biometric capability on your phone isn't working as it's supposed to. And obviously at this stage, with this malware, you know, apps can be reverse engineered and there can be attempts made to change how you're voting. So that's a threat vector, and we'll see how there are ways to mitigate that a little bit later.

Then obviously, in the transmission phase, if the transmission channel is not secured, that data may never reach the destination or may be corrupted on the way. So we'll look at ways as to how that can potentially be mitigated as well. And then the voter gets a receipt.
So the receipt: there's a chance somebody else may get hold of your receipt if you're not careful. Obviously, that's an active area of research, on how to create self-destructing receipts, but it's a potential threat vector. And then finally, once the ballots reach the jurisdiction, as they are printing the paper ballot for tabulation and they do a pre-tabulation audit, so there is a potential threat vector, which would likely get caught by the pre-tabulation audit. Nevertheless, important to keep in mind.

Actually, thank all the times for making this nice picture available to us; very nicely done, makes it simple to understand.

And so now that you've looked at kind of the high-level threat model, let's look at what kind of threats we've seen in the wild over the last couple of years. So we like to group them into a few different categories. So there's obviously threats at the device level, there's threats at the network level, and so those are kind of user-centric scenarios, and then overall is the cloud infrastructure, our corporate network.
So obviously those are areas of interest as well. So in terms of what we've seen: passive scanning, obviously, which happens to pretty much everybody these days who has public-facing web assets. We've also seen active analysis of our web assets, so people actually trying to reverse engineer all that stuff. Then phishing of our staff, clients; email spoofing attempts as well; social engineering, as everybody's well aware of what happened recently. We've had attempts at phone calls, people pretending to be who they're not. We've seen DNS tampering attempts as well, SIM swap, SIM takeover attempts, and then reverse engineering of the mobile applications, sometimes partial, and then through the analysis, mobile API-level attacks, so people actually trying to figure out how the API is working and trying to attack it. We've also seen, on the Android side, attempts to compromise the TEE, where some of the keys are stored. And then malware: we do come across malware on several devices, and we'll see later on, in one of our elections, an interesting case that came to light.

So before we dive into some of the data, I thought it'd be useful to look at the MITRE ATT&CK framework. So recently MITRE updated the mapping for not just the enterprise side, which covers the cloud aspects in our case, but also the mobile side. So we mapped that data to what we've seen. As you can see, on iOS, some interesting things to note at the device level, and then similarly network-based vectors. So we already spoke about the SIM swap, and then you'll see some of the other ones in the data ahead, such as, you know, rogue Wi-Fi and things like that. Similarly on the Android side, similar to iOS, a couple of kind of different things. But we find the mapping useful just as we plan out our work, and I'm sure a lot of you are looking at this as well. Similarly on the network side for Android.

Let's look at a few case studies here. 2018 was when we had the first opportunity to do public elections in the US. And so since
then we've had some interesting opportunities to collect data. So let's start with something from 2018. One of the really interesting things we saw early on back then was the attempts to use multiple devices by the same adversary, and using different mobile numbers and emails and trying to do the same thing. So in that scenario the mitigation deployed by the system was to treat this as a malicious activity and block this access. We did see people use phone numbers in some telco blacklist, as well as people using well-known tools like Burp Suite to probe the platform, probe the API endpoints. And in one of these cases we were able to record the traffic through a honeypot. So some of that is available as part of the open data package, and is also available; we'll share some public links at the end of the presentation, so you can get it from there as well.

The other interesting thing from a case study perspective was people trying to reverse engineer the application. The system has an initial handshake process, and we saw some attempts, manual attempts, to engineer that handshake process. And so in that scenario as well, one of the mitigations was to block the IP address ranges or block the device IDs, depending on the nature of the attack. But that's an area where we have some feedback on better approaches to mitigate those kinds of attempts.

Email spoofing: so we did see, we continue to see, a lot of email spoofing attempts, and obviously with DMARC, that helps to mitigate that. But nevertheless we do keep track of it.

Another interesting case study involved essentially network-based attempts to scan passively and then use that information to actively look at infrastructure, particularly the API endpoints.
That's where we see a lot of interest.

And then more recently, we've had an opportunity to do somewhat larger elections in terms of participation. Some of the early pilots had a very small number of voters, so the opportunity to collect meaningful data was a little limited from a security, on-device security, network security perspective. But with one of the elections this year, or a few of the elections this year, we've been able to collect some very interesting data to analyze, and so we'd love to share that.

One focuses around what we call the mobile threat detection. We partner with third parties for that capability, as well as some, you know, stuff we have. And the way that's structured is, we call it a multi-channel component architecture. The device is communicating with, obviously, our back end, also communicating with the third-party system. Similarly, our back end is communicating with the third-party system. A good example was, somebody tries to reverse engineer the app and, you know, hooks the specific locations where some of that code is getting triggered to try and bypass it. You could potentially disrupt two of these channels, but you'd have to disrupt the third channel. So that in this case acts as a saving grace and also as an extra detection mechanism. And so some of this capability is actively deployed.

Next, probably the most interesting part of the presentation.
So this is data from one of our recent elections, where a few thousand people participated. And this was kind of the device split: predominantly more iOS than Android. And then in terms of the threats we detected, on the network side it was pretty even, 50-50. But on the device side, we saw sort of a lopsided share of threats being detected on Android. And that could be a function of the devices that were being used, or maybe the unique factors to this election as well. But something interesting to keep in mind.

So diving one level deeper: on the iOS side, let's kind of look at some of the network security threats. And this data, by the way, is available in the open data set, I believe it's the part one, so you can kind of dive in at your convenience as well. But at the iOS level we saw 18 devices who were connected, so this is amongst the few thousand, and the 64 percent who were using iOS: there were 18 devices detected in which the Wi-Fi was deemed to be unsafe. And so obviously that creates a potential for a man-in-the-middle type of attack. So the user experience was, they were not able to complete the process on the device, or were asked to contact the support team. In that case, they were requested to either switch to the cellular network or switch to a different Wi-Fi network. In this case, once they did that, they were able to proceed. Similarly on Android, a similar number, about 17, on Android.
We also saw an interesting case for potential ARP poisoning. ARP is, you know, Address Resolution Protocol, as many of you know. In this case it was a little hard for our support team to detect because we didn't have visibility into what the voter's home network looked like. And so it required a little bit of troubleshooting, and it eventually turned out to be a media device which was causing this poisoning. And so the team requested the voter to turn off the media device, and then the threat went away and they were able to proceed. So an area we'd love to do a little more research on. But it was interesting that we came across this one case.

Next let's look at some device-level threats. On the iOS side we did detect a few devices where the PIN was not set. In that case, mitigation and resolution was to force the users to set a PIN or activate the biometrics on the device; otherwise they couldn't really proceed. And we saw a few cases of side-loaded apps, and in each of those cases, when a little bit of due diligence was done, they were deemed to be legitimate apps, and so the voters were able to proceed. But it was good to see them being detected, in case, you know, they could pose a threat. And so definitely something we'd like to research more on.

On the Android side, a much larger number of devices without PINs, which we weren't sure why, but it was interesting. 89 devices didn't have PINs set. So all those voters were forced to set a PIN or activate the biometric capability on the devices. Similarly on the side-loaded side of things, a lot more side-loaded apps, which kind of made sense given the ecosystem on Android. So it did take quite a bit of time to go through these, make sure everything was okay. Luckily the election went for three days, so our support team had enough time to troubleshoot. In this investigation we did find two instances where the device did have malware. And it was a fairly well-known malware.
I'm sure many of you probably heard about it. But it was interesting that we were able to detect this and inform the voter. They were able to delete the offending apps, reset the devices and then proceed. And then once the new checks were confirmed, they were actually able to vote successfully and complete the audit as well.

A couple of other interesting Android-specific things: we did detect some instances of USB debugging being enabled. Nothing malicious on that front, but during the after voting the phone was not connected to a computer, so that was fine. And then we did have another 21 devices where developer options were enabled. So once again, no direct impact, but something we'd like to keep track of.

And so as I mentioned earlier, this data is available as part of a package we've released. We'd love more feedback and suggestions on how to collect, how to analyze this in a better way, especially, you know, areas around malware and other really interesting things we were able to learn from here. And you'll notice that the data is for the most part anonymized. That's true of the collection process as well. The voter is the one who's asked to initiate, and not knowing what exactly has happened. So the data does not contain any personally identifying information, to the best of our knowledge.

And lastly, we'd love any suggestions and feedback from the community. We're a very young company, or the youngest company in this space, trying to do something which is unusual, to say the least, and so we'd love suggestions and feedback to improve, and what things we could do better. And we shared the participation of the community.
Thank you to the DEF CON Voting Village team for giving us this opportunity to share this data. And we'd be sharing more of this data as we do more election pilots, and we'd love to continue to get feedback from everybody. More information is available on our website, especially under white papers and under the security section. So please feel free to explore and give us feedback and look at the data as it's posted in the future as well. Once again, thank you, and I hope you all have a great DEF CON experience this year, especially at the Voting Village. Thank you. Take care.