And now, on to the story....
To test the new voting systems in place in Brazil, the Tribunal Superior Eleitoral (TSE) hosted a hacking challenge. The team that most effectively violated the security of the system would win 5,000 R$.
The results are now in, and it looks like the system did pretty well overall. Initially it was reported that none of the contestants were able to compromise the system's security. However, it was eventually revealed that one contestant, Sergio Freitas da Silva, was able to compromise the secrecy of votes by monitoring radio waves emitted as the user typed on the keyboard (Van Eck Phreaking).
"As I typed in the ballot box, tracked by radio to see if it detects any interference. I was able to track the interference that caused the wave, recording a WAV file with these sounds," he explains.
There was some pushback on the validity of this attack, since it required the observer to be in close proximity to the system as the user typed on the keyboard. Sergio made the argument that a strong antenna and higher-quality monitoring equipment would allow the attacker to observe from much greater distances.
Sergio explained that, after recording the sounds the buttons of the electronic ballot box have on the wave, you can decode the sounds, which leads to the discovery of the candidates chosen by voters, shattering his confidence. [article]
Let's put things in perspective though. This is not a new attack. The Van Eck Phreaking attack has been documented since at least 1985, and the impacts of electronic emanations have been studied since at least the 1960s (TEMPEST). Nonetheless, my hat is off to all of the contestants. It's only through challenges like this and secure code review that we can begin to uncover security flaws present in these critical systems.
-Michael Coates