Tuesday, February 4, 2020

The Iowa Caucus App


A Rant


Introduction
I am a football nut and follow stats like it is my job. Something I've found in common between my nerdiness with technology, movies, video games and sports, is they require some degree of dedication in following stories, along with a high degree of analysis to predict what is going to happen next.

So it should come as little surprise that I am, at least to a degree, interested in politics. I'm not a political super-nerd, I'm no hyper opinionated thought leader, I don't get into Twitter battles, and I follow no political ideology as if it were a cult. That's not my game. But the stories in the news, the polling data, the strategy of campaigns, and the back-stabbing associated with politics all require the same mindset to follow as sports and pop culture.

Note: this post will be about a political story, but it will not be of political opinion. I don't care to publish to the whole world my political opinions for two reasons. One, I don't want to lose readers, and two, much of my viewership is outside of the United States where other political stories are more relevant.

So here we go. A post on an Android forensics blog about the political world, with potentially world event altering consequences. (I never thought I'd say that one).

What happened last night in Iowa?
As I post this, about 24 hours ago the caucus sites in Iowa closed. It is the beginning of the presidential election cycle, occurring every four years. Come early November, the citizens of the United States will flock to polling places to cast their votes for President of the United States of America. And though November is nine months away, the whole process has started. Because before citizens can vote, there must be a nominee. And last night in Iowa, the first state in the nation to have a say in selecting a nominee, there were caucuses to determine the state's choices for Republican and Democratic nominees for president.

(A caucus, if you are unaware, is different from a primary. A primary vote is like any other vote where you select your candidate of choice on a ballot. A caucus is more of a community event and involves actual social interaction as part of the process. And each caucus has a party official to manage the event and report the vote tally. I'm not going to get too much into the caucus process because it isn't relevant here, but it is a fun process.)

In general, the caucus results should be known quickly. But not until nearly 24 hours after the caucus sites closed did Iowa finally have some results. And why is that?

A mobile app.

The Democratic Party of Iowa elected to try some new technology to get the caucus results faster. Each caucus leader would download an app to their mobile phones and use the app to report the caucus results. Those results would be gathered to a central server and tabulated. The idea is the whole world could know nearly instantaneously who won the Iowa Democratic caucus. And I'll give some credit where credit is due, that is a novel idea. But the devil is in the implementation.

As you may well have heard, that mobile app was an utter disaster. The app crashed, those results either did not come at all to the central server or came delayed, and the results were declared "inconsistent". Over a day later, we still don't know who won Iowa.

What went wrong?
Not a whole lot is actually known about the app, so I'm just going to report what I know. Please comment and correct me if I get any of this wrong.

The developer of the app is a small firm in Washington, DC. The app was not widely distributed, so I don't have access to it. I've heard it was developed for both iOS and Android, though I can't confirm this.

The Democratic Party's cyber security chief saw problems coming and advised not going forward with the app. That advice was not heeded, and as anyone advising on cyber risk knows, that is a common outcome.

The app is not widely available, has not been made open source, the security (and more specifically cryptography) algorithms used are not known, the general process for authenticating is not known, nobody knows what data the app stores on the phone, and the security community at large has not vetted this app. I'm going to go through some of these main points in detail, and we should not lose sight of the importance of this caucus's outcome (more on that later). But before that, here is nearly accurate footage of me hearing about this fiasco:

Open source
I am an open source proponent in general. When we are talking about anything security related, open source is important because it invites scrutiny from the security community. The encrypted chat apps Telegram and Signal are open source, and the cryptography for Wickr is open source, and I am sure there are many other such open source encrypted call and chat apps.

Now I am not saying the developer should have open sourced the app. They presumably spent a lot of man-hours on the app. However, at least documenting the cryptography used would be good security practice. Even for the closed-source encrypted chat apps, the developers generally have white papers detailing the cryptography algorithms used. I know of no such document for the Iowa Democratic Caucus app. If this information were made available, the security community could have reviewed it and raised concerns.

Authentication
I've heard the method for even downloading the app is rather convoluted. So I have no idea what the method is for authenticating a user.

The user should be the Democratic party official reporting on the results from the caucus. How does the user authenticate that they are genuinely the one reporting data? I presume there is a password. Is there a second form of authentication, such as the Google Authenticator app? How are passwords secured? Can the authentication session be hijacked, allowing an attacker to masquerade as the official and feed false results?

We don't know the answer to any of these questions. And that is a problem. Lest we forget about the importance of accurately reporting results (more on this later).
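To make the questions above concrete, here is an added example (an illustration written for this post, not code from the Iowa app or its developer, whose authentication method is unknown) of a minimal server-side reporting service that answers each of them: it stores a salted PBKDF2 hash rather than the password, requires an RFC 6238 TOTP code of the kind Google Authenticator produces, and issues an HMAC-signed session bound to one official and one precinct with an expiry and a single-use nonce, so a hijacked or replayed session cannot feed results for another precinct or report twice. The server key, the official record, the precinct name and the tallies are constructed sample values; the TOTP secret is the RFC 6238 test-vector secret.

```python
"""Added illustration of authenticated result reporting (not the Iowa app's code).
The server key, official record, precinct and tallies are constructed sample values."""
import base64
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

SERVER_KEY = b"constructed-server-key-do-not-use"  # would live in an HSM/KMS in practice
SESSION_TTL = 15 * 60  # seconds a login stays usable for reporting


def hash_password(password: str, salt: bytes) -> bytes:
    """Store salt + PBKDF2-HMAC-SHA256 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator implements."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed record for one precinct official, as the server would hold it.
_SALT = os.urandom(16)
OFFICIALS = {
    "official-42": {
        "precinct": "Polk-07",
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    }
}


def _sign(body: bytes) -> str:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def login(user: str, password: str, code: str, now: int) -> Optional[str]:
    """Both factors must verify; returns a signed session token bound to the
    official's precinct, with an expiry and a single-use nonce."""
    rec = OFFICIALS.get(user)
    if rec is None:
        return None
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
        return None
    if not hmac.compare_digest(totp(rec["totp_secret"], now), code):
        return None
    claims = {"user": user, "precinct": rec["precinct"],
              "exp": now + SESSION_TTL, "nonce": os.urandom(8).hex()}
    body = json.dumps(claims).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def verify_token(token: str, now: int) -> Optional[dict]:
    """Reject tampered, forged or expired tokens before trusting any claim."""
    try:
        body_b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(body), sig):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] >= now else None


RESULTS: dict = {}        # precinct -> accepted report
SEEN_NONCES: set = set()  # session nonces already used to report


def submit_results(token: str, precinct: str, tally: dict, now: int) -> bool:
    """Accept a tally only from a live session for that precinct, once per session;
    a correction requires logging in again, which leaves an audit trail."""
    claims = verify_token(token, now)
    if claims is None or claims["precinct"] != precinct:
        return False
    if claims["nonce"] in SEEN_NONCES:  # a replayed or hijacked session can't report twice
        return False
    SEEN_NONCES.add(claims["nonce"])
    RESULTS[precinct] = {"reported_by": claims["user"], "tally": tally, "at": now}
    return True


if __name__ == "__main__":
    t = 59  # constructed clock value; the RFC 6238 vector gives code 287082 here
    tok = login("official-42", "correct horse battery staple",
                totp(b"12345678901234567890", t), t)
    print(submit_results(tok, "Polk-07", {"A": 10, "B": 7}, t), RESULTS)
```

The design choice worth noting is that the session token carries the precinct, not just the user: even if a token is stolen from a phone, the server will only accept a tally for the one precinct that official was issued, and only once, so the blast radius of a hijacked session is one precinct report that the official's physical records can still contradict.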

Vetting
I've heard the app was independently vetted, but we've not heard by which security firm or what tests were attempted. We've also heard it was not publicly vetted by the US government.

App vetting is a big deal. The process involves attempting various network attacks, on-device attacks, and attacks tailored to the exact app use case. What was the vetting process? Now I don't expect anyone to publish flaws that were found and fixed as that would not be good security practice, but it would be nice to say who vetted it and what they attempted.

Possible scenarios
As of me writing this post, we still don't have results. So I'm going to go over some best and worst case scenarios that could happen, and I'm also going to put on the hypothetical hat here for some really bizarre and awful scenarios that could happen.

For a best case scenario, the caucus results are counted accurately using a backup method involving physical records, which appears to be the case right now. The result is the winner is officially announced, but late. And that really is a problem because in politics, timing is everything. At this point, all the Democratic candidates have shifted their efforts away from Iowa and are off to New Hampshire for the upcoming primary. Whoever ultimately wins Iowa has been denied their prime-time moment to give a nationally televised, dramatic speech to a massive national audience watching the Iowa results. Instead, there will be a delayed announcement for the winner who will set up an impromptu speech and campaign party in New Hampshire, with a smaller national audience who only associates the Iowa primary with a failed mobile app. All those volunteers from the winning campaign in Iowa have been denied their right for a well-earned party complete with personal gratitude from the winning candidate.

But let's imagine some worst case scenarios here. As a forensics guy, I have developed a knack for thinking worst case.

There's the obvious worst case of inaccurate results. Between unvetted security in transit and unknown authentication methods, there could be inaccurate results fed to the central server. The wrong candidate gives a rousing speech to supporters and a massive national television audience. The actual winner never knew that he or she was cheated out of a win in Iowa and the television spotlight, along with all the campaign momentum. And this should serve as a warning for why physical records in voting are so important.

But there's another worst case scenario. And this is where that forensic mindset is important. Let's say there were no physical records from the caucuses, or those were destroyed. The caucus result data never made it from the app to the central server. All those apps on all those devices stored the only known sources of caucus results. And to make this more complicated, all those mobile phones used by party officials are personally owned. In this worst case scenario, the only way to get caucus data would be to acquire the data from personally owned phones. Would these officials voluntarily hand over their devices to be imaged? Can they be seized? What if the device is stolen, lost, or damaged? Those caucus results could be gone forever. Nobody would ever know who actually won Iowa. Again, a warning for why physical records in voting are so important.

Overall, it does look like we're getting the best case scenario. We'll still figure out who won Iowa. And everybody learned a thing or two about this uncharted territory of reporting vote results via app.

Regardless, there already is a major result. We've all heard about foreign interference in the 2016 election, with the goal being to sow doubt and distrust into the US election process. Well, there's already doubt and distrust in the 2020 election, and it required no Russian influence. Unless you count the vodka we all need after this debacle.

The bigger picture
There's a bigger picture to all of this that needs to be considered, which is really the point of this post. And that is engineering consequences.

Automotive engineers design cars. They may imagine new elegant or comfortable features, or more aerodynamic designs to add an extra tenth of a mile per gallon. But automotive engineers never forget that they are designing vehicles that carry people at speeds exceeding 60 miles per hour. That is a weighty concern. Poor engineering in cars has led to deaths and will continue to, but good engineering, which is exceedingly more prevalent than poor engineering, has led to incredible safety features that have saved far more lives.

Medical engineers design surgery equipment and devices. These keep people alive during surgery. These devices must be sterile. They must function or else a patient can die. In an open heart surgery, there is crucial equipment necessary to maintain circulation through the body. People have died due to poorly engineered products. But exceedingly more have lived longer lives due to well engineered devices.

In software engineering, we so often lose sight of real world consequences. A job of mine before entering the world of forensics involved writing an asset tracking system for a mid-sized manufacturing company. It rarely dawned on me that actual company products were being shipped from site to site and to end customers. That thought rarely occurred to anyone on the team. We were so focused on developing a usable system that on occasion our manager would have us walk through the factory to see the manufacturing process and speak with the factory employees about the need for better asset tracking.

Digital forensics is one of the few disciplines within technology where real life circumstances are intrinsically interwoven. If your realm is incident response, the real life ramification of your work is identifying the theft of perhaps millions of dollars worth of corporate intellectual property and preventing future attacks. If you are a criminal investigator, the real life ramification is the life and liberty of a suspect. There is a story I heard once about a teenage girl who ran away. Her mother called the police who examined the home computer and found evidence of the girl chatting with a "boyfriend", who turned out to be an adult male and a child abductor. The real world ramification of this work was catching the man en route to a meet with the girl, and protecting the girl from exploitation at the hands of a truly sick individual.

In this case of the Iowa caucus app, the real world ramification is the election of the leader of the free world. Whoever wins the Iowa Democratic race gains incredible momentum going into future state races. That winner can very well be the nominee for the party and run against the current President of the United States. The winner of that election will be the commander in chief of the greatest fighting force the world has ever known, at the head of the world's largest economy, will have a greater influence on world affairs than any other person on the planet, and will have the entire world's attention with every action, every inaction, and every word.

Do you really want to leave all of that to a mobile app?

Summary
  • Vet your apps
  • Open source, or at least document as well as you can, your crypto for the security community to review
  • Never forget real life ramifications of digital work

Questions, comments? Leave a comment below, or send me an email. And if there are any politically charged nonsense comments, they'll be deleted.