Hacking the AES


    [The author, Al S. Vitangcol 3rd, is a lawyer, a registered engineer, and the Philippines' first EC-Council certified Computer Hacking Forensic Investigator (CHFI). He holds a master's degree in Computer Science and was designated head of the Joint Forensic Team that investigated the 60 PCOS machines found in a house in Antipolo City during the 2010 national and local elections.]

    Last of three parts
    The Comelec spokesperson, Mr. James Jimenez, in one of his public interviews once said, "I am not saying that the system cannot be hacked. No system is 100 percent hack proof, I am just saying that the system will not be hacked."

    He is indeed correct that the AES can be hacked. All electronic devices, including the VCM, can be compromised. No software is perfectly written; any program of useful size has bugs, and the AES is no exception to this universally accepted computing principle.

    The Comelec should have weighed the major IT security consequences before adopting any technology for use in an AES. It should also note that would-be attackers do not adhere to a published threat model; they go after whatever the model left out. Besides, hackers are growing in capability and sophistication.

    Let us revisit the recent hack of the Comelec website. On March 27, 2016, a group of hackers purporting to be members of Anonymous Philippines defaced the website of the Comelec. They claimed that their hacking exposed the vulnerability of the entire electoral process, specifically the AES. The hackers downloaded several databases containing the private data of millions of registered voters. The Comelec belittled this event and downplayed its importance. On April 21, 2016, agents of the National Bureau of Investigation (NBI) arrested 23-year-old Paul Biteng, who allegedly readily owned up to the crime. He was charged with violating Sec. 4A-1 of the Cybercrime Prevention Act. Biteng claimed that he simply wanted the Comelec to implement the security features of the VCM during the election.

    Even with the security features of the VCM in place, as the Comelec supposes, hacking remains a possibility.

    Hacking the memory card
    One of the simplest ways to hack the AES is through the counting machine's memory card. A procedure known as the Hursti Hack pre-loads the card's vote counters before the polls open: a negative count for one candidate and an equal positive count for another. The offsets are chosen to sum to zero at the opening of polls, so that the total number of votes stored on the card never exceeds the number of ballots actually cast and a simple ballot-count reconciliation does not catch the discrepancy. During actual polling every ballot is counted and credited to the right candidate, but the reported totals carry the hidden offsets, so the final result can be strikingly different from the true one.
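    The following toy model of the counter-offset trick is an added illustration written for this page; it is not code from the column, from Smartmatic or the Comelec, or from Hursti's original work. The card layout, the two candidates and the ballot sequence are constructed. It shows why an opening check that only sums the counters passes while a per-counter zero report and a hash of the card image both fail, and why the end-of-day ballot count still reconciles.

```python
# Added toy model of the counter-offset attack the column calls the Hursti Hack.
# Illustrative code written for this page, not Smartmatic, Comelec or Hursti's
# own code; the card layout, candidate names and ballots are constructed.
import hashlib
import json


class MemoryCard:
    """A memory card holding one vote counter per candidate plus a ballot tally."""

    def __init__(self, candidates):
        self.counters = {c: 0 for c in candidates}
        self.ballots_cast = 0

    def image_hash(self):
        """SHA-256 of the serialized counters. A known-good value for a freshly
        initialized card is what a pre-election check should compare against."""
        blob = json.dumps(self.counters, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def record_ballot(self, choice):
        self.counters[choice] += 1
        self.ballots_cast += 1


def preload_offsets(card, offsets):
    """Attacker step: write offsets that cancel out, e.g. {'A': -3, 'B': +3},
    so the net stored count at opening is still zero."""
    if sum(offsets.values()) != 0:
        raise ValueError("offsets must cancel out or the ballot count will not reconcile")
    for cand, off in offsets.items():
        card.counters[cand] += off


def zero_report_sum_only(card):
    """Weak opening check: only the sum of the counters is compared to zero."""
    return sum(card.counters.values()) == 0


def zero_report_per_counter(card):
    """Stronger opening check: every counter must individually read zero."""
    return all(v == 0 for v in card.counters.values())


def ballot_count_reconciles(card):
    """End-of-day check: stored votes equal ballots fed through the scanner."""
    return sum(card.counters.values()) == card.ballots_cast


def run_election(ballots, offsets=None):
    """Run a tiny precinct and return which checks passed plus the final totals."""
    card = MemoryCard(["A", "B"])
    clean_hash = MemoryCard(["A", "B"]).image_hash()   # hash of an untouched card
    if offsets:
        preload_offsets(card, offsets)
    result = {
        "sum_check_passed": zero_report_sum_only(card),
        "per_counter_check_passed": zero_report_per_counter(card),
        "hash_check_passed": card.image_hash() == clean_hash,
    }
    for b in ballots:
        card.record_ballot(b)          # every ballot is credited truthfully
    result["reconciles"] = ballot_count_reconciles(card)
    result["totals"] = dict(card.counters)
    return result


if __name__ == "__main__":
    ballots = ["A"] * 6 + ["B"] * 4    # constructed: A truly wins 6 to 4
    print(run_election(ballots))
    print(run_election(ballots, {"A": -3, "B": 3}))   # reported as B 7, A 3
```

    The point for an auditor is that the sum-only zero report and the ballot-count reconciliation both pass on the rigged card; only a per-counter zero report, a comparison of the card image against a known-good hash, or a manual count of the paper ballots exposes the offsets.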

    Recall that in or about the first week of May 2010, Smartmatic-TIM and the Comelec recalled all the CF cards because the PCOS machines were not counting the votes correctly. Did the cards actually fail, or were they being used for fraudulent purposes?

    There is also what has been called a one-minute voting hack. A pre-programmed virus or other malware is stored on an SD card. The "loaded" SD card is inserted into an unsupervised VCM unit, which is thereby compromised. The same SD card, when moved from one device to another, say a laptop, infects that device too. The malware may remain dormant for a time while lurking in the background. If the SD card is taken to the central CCS, the malware can upload itself to the main server and wreak havoc on the election results.

    Hacking the Counting Machine

    One of the major findings of the Joint IT Forensic Team in its investigation of the "Antipolo" PCOS machines was the discovery of a console port at the back of the counting machine. Smartmatic-TIM claimed that it was only a one-way port used exclusively for diagnostics. To everyone's surprise, however, the forensic team was able to connect an ordinary laptop computer to the console port with a serial cable.

    The serially connected laptop was able to reach the operating system of the PCOS machine. Furthermore, the connection was unauthenticated: the PCOS machine asked for no username or password. The operating system of the PCOS machine was thus exposed to full access and control by the externally connected laptop, including the ability to use the machine's on-board Random Access Memory (RAM) as a disk for data swapping and temporary storage.

    Direct, unauthenticated access through the console port is a major vulnerability, one that could be exploited to manipulate the actual operation of the counting machine, and it should be of utmost concern to election critics and watchdogs.

    The present VCM no longer has a console port; a Universal Serial Bus (USB) port has taken its place. According to the Comelec, the USB port is for connecting the modem or the BGAN (Broadband Global Area Network) satellite terminal. USB was designed in the mid-1990s as an industry standard for short-distance digital communication and data transfer between devices over USB cables.

    IT practitioners know that a broad range of electronic devices can be connected to a USB port to communicate with the host machine, anything from keyboards and mice to media players and flash drives. A flash drive, also known as a USB drive, thumb drive or memory stick, is a lightweight plug-and-play storage device that can hold digital data, application programs, and also malware and viruses. In fact, for three hundred pesos one can buy a PC remote control with a USB wireless receiver, which the host simply sees as another keyboard.

    It is not far-fetched that the USB port in the VCM can be used for other nefarious purposes: a host that accepts any USB device accepts whatever that device claims to be.

    Hacking the Transmission

    When the polls close on election day, the VCM transmits the Election Returns (ER) to the Central Server, the Transparency Server and another server at the Joint Congressional Canvassing. It also transmits to the National, Provincial and City/Municipal Canvassing Centers. The bulk of the transmission goes over the public telecommunications network, with BGAN satellite links as the secondary medium. Note that BGAN (Broadband Global Area Network) is a satellite service used to connect a portable terminal to broadband Internet in remote locations.

    Typically, these wireless transmissions run over a well-secured protocol. Attackers, however, probe every point in the protocol to see where it breaks, at the weakest link of the network, and then exploit that weakness.

    Wireless transmissions are susceptible to sniffing, man-in-the-middle (MITM) and denial-of-service (DoS) attacks. Sniffing is the interception of data packets as they travel over the network. In an MITM attack the attacker sits between the two endpoints and captures sensitive information, sometimes altering it or injecting false transmissions; this succeeds only where the endpoints fail to authenticate each other. The main intent of a DoS attack is to deny legitimate users access to the transmission facilities.

    In 2010 there were rumors that "rogue" PCOS machines were used to rig the election results. These "rogue" machines allegedly sent transmissions to the CCS server ahead of the transmissions from the real PCOS machines. The CCS server was designed to accept only one transmission per precinct on election day, so after receiving the "rogue" transmission for a particular precinct it rejected the transmission from the real machine of the same precinct. In the end it was simply a transmission race between the "rogue" and the actual voting machines. Such a race is winnable only if the server does not verify who sent each return; a server that checks each return against the key issued to that precinct's machine rejects the rogue transmission regardless of arrival order.
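    The simulation below is an added example written for this page, not Comelec, Smartmatic or CCS code, and it serves both the MITM point above (false transmissions succeed only where the receiver does not authenticate the sender) and the rogue-machine race. The precinct ID, the key and both election returns are constructed, and HMAC-SHA256 under a per-precinct key stands in, as a simplification, for the digital signatures a real system would apply. It runs the same race twice, once against a first-transmission-wins server and once against a server that verifies the tag.

```python
# Added simulation of the "transmission race" described above, written for this
# page; it is not Comelec, Smartmatic or CCS code. Precinct IDs, keys and ERs are
# constructed, and HMAC-SHA256 with a per-precinct key is a simplified stand-in
# for the digital signatures a real transmission system applies.
import hashlib
import hmac
import json


def canonical(er):
    """Deterministic encoding so sender and server authenticate the same bytes."""
    return json.dumps(er, sort_keys=True, separators=(",", ":")).encode()


def sign_er(er, key):
    return hmac.new(key, canonical(er), hashlib.sha256).hexdigest()


class CanvassServer:
    """Accepts at most one ER per precinct. With require_auth=False this is the
    first-transmission-wins policy the rumor describes; with require_auth=True
    each ER must carry a valid tag under the key issued to that precinct."""

    def __init__(self, precinct_keys, require_auth):
        self.precinct_keys = precinct_keys
        self.require_auth = require_auth
        self.accepted = {}
        self.log = []

    def receive(self, er, tag, sender):
        pid = er["precinct"]
        if self.require_auth:
            key = self.precinct_keys.get(pid)
            if key is None or not hmac.compare_digest(sign_er(er, key), tag):
                self.log.append((sender, pid, "rejected: bad signature"))
                return False
        if pid in self.accepted:
            self.log.append((sender, pid, "rejected: precinct already reported"))
            return False
        self.accepted[pid] = (sender, er)
        self.log.append((sender, pid, "accepted"))
        return True


def simulate_race(require_auth):
    """Rogue machine transmits first, then the real VCM; report who was counted."""
    keys = {"0001": b"constructed-key-issued-to-precinct-0001-vcm"}
    server = CanvassServer(keys, require_auth)

    real_er = {"precinct": "0001", "A": 120, "B": 80}    # constructed true result
    rogue_er = {"precinct": "0001", "A": 20, "B": 180}   # constructed forged result

    # The rogue machine holds no issued key, so it can only forge a tag.
    server.receive(rogue_er, sign_er(rogue_er, b"guess"), "rogue")
    server.receive(real_er, sign_er(real_er, keys["0001"]), "real")

    winner, counted = server.accepted["0001"]
    return {"winner": winner, "totals": counted, "log": server.log}


if __name__ == "__main__":
    print(simulate_race(require_auth=False))   # rogue wins the race
    print(simulate_race(require_auth=True))    # real VCM is the only one counted
```

    The caveat a practitioner would add is that verification binds a return to whoever holds the precinct's key, not to the physical machine; an insider with a copy of the key still wins the race, so key custody and a log of every rejected duplicate matter as much as the check itself.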

    A hacker's objective can be any of these three: 1) change the election results to favor a candidate, 2) manipulate the results without favoring anyone, or 3) simply create chaos and disrupt the electoral process.

    The procedures involved in these hacks are too technical to discuss here. If disruption is the objective, though, jammers suffice. Jammers come in various sizes and shapes, some resembling mobile phones, and they produce a denial-of-service attack: with jammers in place no VCM can transmit successfully. When no successful transmission can be made, the BEI is mandated to physically transport the SD cards to the canvassing center. The physical transport of the SD cards opens a window of opportunity for illicit activities: SD card interception, SD card tampering, and SD card switching.

    Credibility issues
    Election results are stored in the Central Server and the Transparency Server, among others. The same election results are supposed to be displayed on the Comelec's "secure" website.
    Here is a scenario. Suppose Presidential candidate A is leading in the polls, Presidential candidate B follows, and Presidential candidate X is last among the six candidates. The actual and true votes are stored in the Comelec servers. These data are simultaneously displayed on the Comelec's secure website, which is not so secure after all.

    Following last month's hack of the Comelec website, it is quite probable that it could happen again. Assume that a hacker gains control of the website on election day. He could then display strikingly different results on it: for example, that Presidential candidate X is consistently leading, followed by Presidential candidate B, with Presidential candidate A at the tail end. Even if the true winner, Presidential candidate A, is proclaimed by the Comelec, there will still be doubts about the integrity of the results. The credibility of the whole electoral process will then be jeopardized.

    Hackers may not really want to alter election results. Some hack for peer recognition, to overcome an intellectual challenge, or for the feeling of power. They do it to make a name for themselves, to expose a wrongdoing (or inaction), or simply for entertainment.

    Hackers are motivated by challenges, especially when an event of transcendental proportion takes place and the organization responsible for that event issues a challenge. It is the adventure that drives these hackers to build something that can paralyze, if not totally break down, another system. The reality is that the government does not have an established and effective security mechanism to protect its computer systems and communications networks, including the AES, from determined hackers.


    1. Drexx Laggui on

      Hello Atty. Al,

      To avoid the high risk of misinforming the public, you should know better that the “Hursti Hack” wasn’t applicable to the Smartmatic PCOS machines of 2010. I just want to be clear about that part because I wrote the technical forensic report, incorporating the research done by fellows from the Senate MIS and Congress IT people.

      Back then in 2010, it was established beyond reasonable doubt, that the Philippine PCOS machines weren’t vulnerable to the Hursti Hack because of three reasons:

      1. The Hursti Hack used Visual Basic to execute commands
      2. The Smartmatic PCOS machines ran uClinux, totally incompatible with Microsoft-based attacks
      3. The configuration files were encrypted and saved in *.DVD files. I asked for permission to try and reverse-engineer it, but I wasn’t allowed. Those files cannot be opened with regular tools, nor even ASCII strings decoded from them.

      • Drexx Laggui on

        Also, the notion of using mobile-frequency jammers to deny transmission of PCOS machines is infeasible on a significant scale. It’s simply physics:

        1. To saturate a given area, you’ll need one powerful transmitter for EACH of these frequencies: 50MHz (UMTS, HSPA, HSPA+), 900MHz (UMTS, GPRS, EDGE), 1800MHz (GPRS, EDGE, UMTS, HSPA, HSPA+, FDD-LTE), and 2100MHz (UMTS, HSPA, HSPA+, LTW WiMAX, TDD-LTE).

        2. Then multiply the required jammer hardware by three, for every frequency listed above, because of the three mobile phone carriers we have (i.e. Globe, Smart, and Sun Cellular). Disregard count for ABS-CBN because they’re just an MVNO riding on Globe Telecom.

        3. The polling precincts are open for the entire day… jamming will cause alarms with the telcos and they will ask law enforcers to respond on-site. It’s not very hard to spot mobile jammers because of their power requirements, and that the public in the vicinity will be mad due to being disconnected through their personal phones.

      • You made it sound as if Visual Basic is the only language that can be used to create a similar Hursti script. If you know the algorithm and the general architecture of your target, any general-purpose scripting language can be used in place of Visual Basic. Linux has many scripting languages available, like Python, BASH, Tcl, awk, Perl, etc.

        And of course, why would you use attacks designed for MS Windows if the target is Linux based? The shell console is enough to tamper with the system.

        And no amount of encryption will secure the system if there’s someone who knows the keys, like the Smartmatic guy.

    2. There will be few hackers working for MONEY and they can do it professionally, if the price is right. Crooked candidates will be more confident to spend their money on hackers than buying votes on the streets. If hackers can get a hold of the programs, such as Election Event Designer (EED) and Election Programming Station (EPS), they can easily load the source code and configuration files into CF cards. The digital image of all scanned ballots are saved on CF cards, as well. If anybody can access the CF cards, like the author of this article, he could perform a lot of miracle things.

      AES will always be susceptible to hackers because COMELEC does not have its own network and no IT security personnel assigned to monitor hacking activities. There will be some Foreign Observers on election day, and with the help of the PNP, the Armed Forces, and other Law Enforcement Agencies, people can only hope that this election will go smoothly and peacefully. Let the Filipino people's voice be heard by electing the candidate of their choice.