Schneier on Security
A blog covering security and security technology.
October 14, 2010
Pen-and-Paper SQL Injection Attack Against Swedish Election
Some copycat imitated this xkcd cartoon in Sweden, handwriting an SQL injection attack onto a paper ballot. Even though the ballot was manually entered into the vote database, the attack (and the various other hijinks) failed. This time.
Three news links, in Swedish.
Posted on October 14, 2010 at 6:35 AM
• 27 Comments
OMG that is a total Election WIN! Someone needs to get this out to FailBlog pronto.
It's hilarious, but I'm not seeing the 'fail' here - nothing bad happened, and if you're going to allow write-in votes you can't really have poll workers dropping them on the grounds that they think they're silly.
At least the Data Entry person was smart enough to filter their input, haha.
Babel Fish doesn't cover Swedish :(
Babel Fish doesn't cover Swedish :(
translate.google.com does quite a good job.
It is not up to a single poll worker to decide which votes are valid, even if they are silly!
How long before we see elections where there's a list of reserved words for the candidate- and party-namespaces?
Were it a successful attack, the most interesting thing to watch would be whether news sites would become secondary victims if they published the attack without properly escaping the article text.
@MikeB: FailBlog or ItMadeMyDay.com?
I think the hackers and/or the vote-typist made an essential fault here by which the attack did not work. That does not mean it would never work at all:
Supposing that the program these data-files are fed into is just a simple csv-file-upload directly converted into some kind of sql-statement, your injection needs to start with the usually trailing " (or whatever sign the database uses to mark the end of a field-value) followed by a ; (or whatever the database uses to mark the end of a command) before you could start injecting your code. At least the " must have got lost somewhere in the process, thereby transforming the sql-statement into a regular field-value.
How the java and links should have worked, I can't see, but then I don't know how the election system over there works ...
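An added example, not part of the comment above or of any real election system: it models the naive file-to-SQL import that comment supposes and puts it beside a parameterized insert. The `valj` table and the second write-in (a harmless name containing quote characters) are constructed for illustration.

```python
import sqlite3

def make_db():
    # Hypothetical one-column tally table; the real schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE valj (party TEXT NOT NULL)")
    return db

def record_naive(db, party):
    # Vulnerable pattern: the write-in text is pasted into the statement text.
    db.execute("INSERT INTO valj (party) VALUES ('" + party + "')")

def record_bound(db, party):
    # Hardened pattern: the text travels as a bound parameter, never as SQL.
    db.execute("INSERT INTO valj (party) VALUES (?)", (party,))

def tally(record, write_ins):
    """Record every write-in; return (rows stored, write-ins the database rejected)."""
    db = make_db()
    rejected = []
    for text in write_ins:
        try:
            record(db, text)
        except sqlite3.Error:
            rejected.append(text)
    rows = [r[0] for r in db.execute("SELECT party FROM valj ORDER BY rowid")]
    return rows, rejected

# The ballot text quoted on this page, plus a constructed benign name with quotes.
WRITE_INS = ["pwn DROP TABLE VALJ", "Kalle Ankas 'parti'"]

if __name__ == "__main__":
    print("naive:", tally(record_naive, WRITE_INS))
    print("bound:", tally(record_bound, WRITE_INS))
```

With no quote character in it, the ballot text is stored as an ordinary field value even by the naive insert, while the harmless quoted name is enough to break that statement; the bound insert stores both strings verbatim.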
Hack Denna Kalle Anka (Hack This Donald Duck)
What would you even call that? Cross-media scripting?
We've crossed the paper/computer boundary, all we need is the computer/brain boundary and we can have Snowcrash!
Knowing Swedish people I think next election this will happen even more frequently:-P
Dagens Nyheter, 2014:
"The winner of the election:
(Dagens Nyheter is a Swedish daily paper)
@lazlo: They are just available in excel and tsv formats.
...I think THIS xkcd represents what happens on this forum and others quite often...
Now *THAT*'s voting Pirate Party!
Perhaps it's paranoid of me, but just because we can see the attacks that failed doesn't mean we can conclude that all the attacks failed!
(cf why you can't prove security through pen testing...)
So, can you try to prosecute somebody for this? Can you try to track them down? Votes are anonymous...but trying to commit election fraud is illegal...I can imagine some lawyers arguing for a long time on that.
Looks like they typed in a "(" instead of a "
Electronic voting systems will solve this problem. You will never have to worry about your vote for "" being mis-recorded as a vote for "(script src=foo)".
Whoops, forgot to escape my HTML!
Also, the "preview" button here is broken in its handling of HTML escaping:
After a preview, the "comments" input field contains the *parsed*, *sanitized* output, not my original text.
1. Anything between a < and > is dumped.
2. I originally typed &lt; &gt; into the field. After a preview, those have been replaced with < >, so if I post, it posts broken text.
Now, my original comment, hopefully escaped right:
Looks like they typed in a "(" instead of a "<".
Electronic voting systems will solve this problem. You will never have to worry about your vote for "<script src=foo>" being mis-recorded as a vote for "(script src=foo)".
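An added example, not part of the comment above and not the blog's actual code: a small model of the preview round trip that comment describes, next to a refill that keeps the author's original text. The function names and the tag-stripping rule are assumptions taken from the comment's two numbered observations.

```python
import html
import re

# Hypothetical model of the comment form described above, not the blog's real code.
TAG = re.compile(r"<[^<>]*>")

def render(submitted):
    """Markup published for a comment: anything between < and > is dropped."""
    return TAG.sub("", submitted)

def displayed(markup):
    """Text a browser shows for that markup (character entities decoded)."""
    return html.unescape(markup)

def buggy_refill(submitted):
    """Preview bug: the form field is refilled with the parsed output."""
    return displayed(render(submitted))

def safe_refill(submitted):
    """Fix: refill with the original text, escaped once for the textarea markup."""
    textarea_markup = html.escape(submitted)
    return displayed(textarea_markup)  # what the browser puts back in the field

def post_after_preview(submitted, refill):
    """Preview once, then post whatever the field now holds; return the text shown."""
    return displayed(render(refill(submitted)))

# Constructed input: a phrase from the comment with the angle brackets escaped by hand.
TYPED = 'a vote for "&lt;script src=foo&gt;"'

if __name__ == "__main__":
    print(post_after_preview(TYPED, buggy_refill))
    print(post_after_preview(TYPED, safe_refill))
```

The buggy path reproduces the empty quotes seen in the first, broken version of the comment; the safe path publishes the text as typed.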
@gopi: not necessarily typed. The text was OCRed -- and may thus have been tuned to find 'normal' text, rather than code.
I worked as an election official (at the lowest level) in the 1998 election in Sweden (I'm a Swedish citizen) and I've stood for election at the municipal level in all elections since then. All votes in Swedish elections are made by putting a piece of paper, roughly 4x6 inches in size, into a sealed envelope; these envelopes are then opened and counted by hand at each voting location.
Sometimes counting machines (standardized bill counters) are used to verify the manual count.
Most votes are pre-printed with a party name and a number of candidates. These votes are sorted and placed into different stacks according to party name.
Votes that do not have a pre-printed party name on them are inspected by at least two different election officials; if the hand-written party name on the vote is identical to or sufficiently close to the name of a registered party, the vote is transferred to the stack with the corresponding pre-printed votes. Otherwise these "odd" votes are recorded, manually, onto a special piece of paper.
The resulting vote totals are recorded on paper; the count is then signed and counter-signed by election officials on-site. This official count and all votes are then transported to central counting stations for a second round of counts.
This initial round of counting is usually completed some 6-8 hours after closure of the voting station. (In 2010, there were 5668 voting stations; some 6 028 000 votes were recorded at the national level).
In the second round of counting OCR scanners are used, but only for the pre-printed votes - they are used to capture votes for individuals within the registered parties. To my knowledge, hand-written votes are always dealt with manually, and usually they go through several stages of manual interpretation and recording (both pen-and-paper and keyboard-and-screen recording) before they are committed to a database. So an SQL injection attack using this signalling path is a looong shot.
So I strongly doubt that the hand-written party name
pwn DROP TABLE VALJ
(VALJ means "elect" in Swedish) was meant as a serious attempt at disrupting the Swedish elections.
Despite the fact that The Economist reported it as "an attempt to sabotage the Swedish election" or some such nonsense.
The list of all hand-written votes is at
Interesting. Of course, due to the paper trail, if they realize they've been pwned they can add some more input sanitization and re-scan the ballots...
Amateurs use SQL injection attacks on ballots.
Professionals change their name to SQL injection attacks and run for office.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.