patiohimself 130 points ago +130 / -0

the amount of confidence and "shut the fuck up-ness" that he presented with was outstanding.

Lovepede 52 points ago +52 / -0

He made it as clear as he can. If wifi is used to transmit this stuff, then amateur hackers can modify the voting totals, even if encrypted, in transit. MITM is a well-established attack now, part of auditing tools and the BackTrack/Metasploit package any kid uses.

If I was within radio range and I used a spoof AP with stronger signal, I would easily be able to hijack the connection and be able to capture the handshakes, see the packets, apply a function and pass it on to the server. Such software could be already written specifically for voting machines, but it would also be trivial to implement within a few hours of snooping around in the data and understanding the protocol.

HocusLocus 3 points ago +4 / -1

> If wifi is used to transmit this stuff, then amateur hackers can modify the voting totals, even if encrypted,

Not true. Count the bytes going either way, yes. Disrupt or terminate the connection, yes. Read through the one or two layers of encryption, not necessarily.

Pulitzer just burst into the hearing and used the Hollywood hack phrase "we're in" and everyone is going ballistic over that. What he probably achieved (and seems reasonable with the access his team had and the time spent) was to spoof the election board's AP SSID and convince the iPad device to associate with its MAC address, echo the iPad's credentials and pass through the connection. Now you can watch and count bytes of encrypted gobbledygook.

Or even just watched its (encrypted) packets promiscuously zinging through the air. You can approximately count bytes that way.

With modern Wifi that does NOT mean you have plaintext packets or access to the network. That is a separate attack which can take lots of time.

Then (Wifi broken) there might be a VPN layer which is a separate attack. Now at least you can see if the outer IP destinations are private or public. They may be able to resolve the "is it air-gapped from the Internet?" question. Just from encrypted Wifi packets you cannot resolve that.

If there is a VPN layer, unlikely to succeed without inside information.

Even if a VPN is penetrated (or without one) the device might issue individual TLS/SSL connections which is a separate attack and unlikely to succeed --- UNLESS you manage to exploit and root the device.

So "we're in" seems melodramatic. Subpoenas would be more useful at this point.

RPD2 4 points ago +4 / -0

So why did he say he could alter the data if he wanted to?

HocusLocus 3 points ago +3 / -0

I honestly don't know. He's a forensics guy and his paper testimony was spot on but he might not be deeply knowledgeable about wireless networks, or more likely, he considered a partial success to be enough to exaggerate the facts to sway the audience (it worked). For the Wifi claim he is probably relying on the word of his team. I'd have some specific questions for them. Some of the IT people involved in this Kraken thing have rubbed me the wrong way.

EDIT: Just spotted this and I concur.

OptimusPrime 2 points ago +2 / -0

Because he probably could. No idea why the person you replied to is acting like this connection is so sure and reliable - it should not exist in the first place.

If those 1-2 levels of encryption and other protocols were sufficient to protect the data from being modified, then there would not be restrictions specifying that “machines cannot connect to WiFi” in the first place.

Lovepede 2 points ago +2 / -0

There are exploits that will MITM SSL and VPN connections with a spoof CA... I agree it would take time. The right set of tools will own anything on wifi.

SludgeWarehouse 23 points ago +23 / -0

This was probably the best part of his presentation. Him basically saying, stop with the smoke and mirrors. All that matters is letting us see the physical paper so let us see the god damn paper you morons.

catvideos3 1 point ago +1 / -0

Link.