Bruce Schneier
Schneier on Security
A blog covering security and security technology.
« The FBI is Tracking Whom? | Main | Picking a Single Voice out of a Crowd »
October 14, 2010
Pen-and-Paper SQL Injection Attack Against Swedish Election
Some copycat imitated this xkcd cartoon in Sweden, hand writing an SQL injection attack onto a paper ballot. Even though the ballot was manually entered into the vote database, the attack (and the various other hijinks) failed. This time.
Posted on October 14, 2010 at 6:35 AM • 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Mike B • October 14, 2010 6:51 AM
OMG that is a total Election WIN! Someone needs to get this out to FailBlog pronto.
ewan • October 14, 2010 7:16 AM
It's hilarious, but I'm not seeing the 'fail' here - nothing bad happened, and if you're going to allow write-in votes you can't really have poll workers dropping them on the grounds that they think they're silly.
Dennis Suitters • October 14, 2010 7:26 AM
At least the Data Entry person was smart enough to filter their input, haha.
Hum Ho • October 14, 2010 7:47 AM
@Phillip:
Babel Fish doesn't cover Swedish :(
---
translate.google.com does a quite a good job.
M.V. • October 14, 2010 7:50 AM
@Ewan
It is not up to a single poll worker to decide which votes are valid, even if they are silly!
Tanuki • October 14, 2010 9:16 AM
How long before we see elections where there's a list of reserved words for the candidate- and party-namespaces?
brianary • October 14, 2010 9:33 AM
Were it a successful attack, the most interesting thing to watch would be whether news sites would become secondary victims if they published the attack without properly escaping the article text.
André • October 14, 2010 10:05 AM
I think, the hackers and/or the vote-typist made an essential fault here by which the attack did not work. That does not mean it would never work at all:
Supposing, that the program these data-files are fed into is just a simple csv-file-upload directly converted into some kind of sql-statement, your injection needs to start with the usually trailing " (or whatever sign the database uses to mark the end of a field-value) followed by a ; (or whatever the database uses to mark the end of a command) before you could start injecting your code. At least the " must have got lost somewhere in the process, thereby transforming the sql-statement into a regular field-value.
How the java and links should have worked, i can't see, but then I don't know how the election system over there works ...
Do Not Duck • October 14, 2010 10:13 AM
http://www.translation-guide.com/...
Swedish translator online.
lazlo • October 14, 2010 10:32 AM
@André: I believe the javascript and links were there on the (I believe correct) assumption that vote tallys would be available online. If improperly escaped, they could potentially compromise systems that browsed election results.
What would you even call that? Cross-media scripting?
RH • October 14, 2010 10:57 AM
We've crossed the paper/computer boundary, all we need is the computer/brain boundary and we can have Snowcrash!
Hum Ho • October 14, 2010 11:21 AM
Knowing Swedish people I think next election this will happen even more frequently:-P
Dagens Nyheter, 2014:
"Vinnaren i valet:
(Dagens Nyheter is a swedish daily paper)
ab • October 14, 2010 11:36 AM
...I think THIS xkcd represents what happens on this forum and others quite often...
GregW • October 14, 2010 2:25 PM
Perhaps it's paranoid of me, but just because we can see the attacks that failed doesn't mean we can conclude that all the attacks failed!
(cf why you can't prove security through pen testing...)
gopi • October 14, 2010 3:01 PM
So, can you try to prosecute somebody for this? Can you try to track them down? Votes are anonymous...but trying to commit election fraud is illegal...I can imagine some lawyers arguing for a long time on that.
gopi • October 14, 2010 4:49 PM
Looks like they typed in a "(" instead of a "
Electronic voting systems will solve this problem. You will never have to worry about your vote for "" being mis-recorded as a vote for "(script src=foo)".
gopi • October 14, 2010 4:55 PM
Whoops, forgot to escape my HTML!
Also, the "preview" button here is broken in its handling of HTML escaping:
After a preview, the "comments" input field contains the *parsed*, *sanitized* output, not my original text.
Thus:
1. Anything between a < and > is dumped.
2. I originally typed < > into the field. After a preview, those have been replaced with < >, so if I post, it posts broken text.
Now, my original comment, hopefully escaped right:
Looks like they typed in a "(" instead of a "<".
Electronic voting systems will solve this problem. You will never have to worry about your vote for "<script src=foo>" being mis-recorded as a vote for "(script src=foo)".
ath • October 15, 2010 1:11 AM
@gopi: not necessarily typed. The text was OCRed -- and may thus have been tuned to find 'normal' text, rather than code.
Jonas Ö • October 15, 2010 6:40 AM
I worked as an election official (a the lowest level) in the 1998 election in Sweden (I'm a Swedish citizen) and I've stood for election at the municipal level in all elections since then. All votes in Swedish elections are made by putting a piece of paper, roughly 4x6 inches in size, into a sealed envelope; these envelopes are then opened and counted by hand at each voting location.
Sometimes counting machines (standardized bill counters) are used to verify the manual count.
Most votes are pre-printed with a party name and a number of candidates. These votes are sorted and placed into different stacks according to party name.
Votes that do not have a pre-printed party name on them are inspected by at least two different election officials; if the hand-written party name on the vote is identical to or sufficiently close to the name of a registered party, the vote is transferred to the stack with the corresponding pre-printed votes. Otherwise these "odd" votes are recorded, manually, onto a special piece of paper.
The resulting vote totals are recorded on paper; the count is then signed and counter-signed by election officials on-site. This official count and all votes are then transported to central counting stations for a second round of counts.
This initial round of counting is usually completed some 6-8 hours after closure of the voting station. (In 2010, there were 5668 voting stations; some 6 028 000 votes were recorded in the national level).
In the second round of counting OCR scanners are used, but only for the pre-printed votes - they are used to capture votes for individuals within the registered parties. To my knowledge, hand-written votes are always dealt with manually, and usually they go through several stages of manual interpretation and recording (both pen-and-paper and keyboard-and-screen recording) before they are committed to a database. So an SQL injection attack using this signalling path is a looong shot.
So I strongly doubt that the hand-written party name
pwn DROP TABLE VALJ
(VALJ means "elect" in Swedish) was meant as a serious attempt at disrupting the Swedish elections.
Despite the fact that The Economist reported it as "an attempt to sabotage the Swedish election" or some such nonsense.
The list of all hand-written votes is at
http://www.val.se/val/val2010/handskrivna/...
gopi • October 15, 2010 3:07 PM
@Jonas Ö:
Interesting. Of course, due to the paper trail, if they realize they've been pwned they can add some more input sanitization and re-scan the ballots...
Davi Ottenheimer • October 19, 2010 4:06 PM
Amateurs use SQL injection attacks on ballots.
Professionals change their name to SQL injection attacks and run for office.
Subscribe to comments on this entry
Post a comment
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
|
| Subscribe |
Subscribe via Kindle |
| Blog Menu |
SearchPowered by DuckDuckGoBlog Home Page
Archives by Date2013 J F M A M
Tags  |
| Latest Book |
more books by Bruce Schneier |
Comments