On the 12th of March, Herbert gave his view on BNR (Business News Radio) on the NatWest pilot of authorizing payments by means of fingerprints instead of a PIN. Many thanks to the VUSec Slack chat for the long discussion on this topic 😉
VUSec researcher Pietro Frigo won the Code Blue Young Researcher Award and because he is now rich, he promises to buy us all drinks for the remainder of his Ph.D. The corresponding paper (“Grand Pwning Unit”) shows how to use the GPU to boost microarchitectural attacks (such as cache side channels and Rowhammer).
Best paper award for Andrei at RAID 2018.
We analyzed the election software that is used, and has been used for years, in all Dutch elections. Our conclusion: this software is very vulnerable.
On the 13th of March, Herbert Bos appeared on RTL Nieuws to summarize these findings. He is on briefly after 7 seconds, and then again at 3m17s (also with Sebastian, Marco and Sanjay, who did the heavy lifting for the analysis, together with Andrei).
Surprisingly, Minister Ollongren does not think there is a problem, even though we show vulnerabilities as bad as integer overflows that allow attackers to manipulate overall results even from compromised local polling stations.
The news broadcast, our analysis, and the independent analysis by Sijmen Ruwhof did lead to questions from parliament, and some members of parliament explicitly echoed Herbert’s analysis. The issue was also reported in most newspapers and on Tweakers.
Herbert was interviewed on BNR Radio (Dutch). The interview is mostly about Rowhammer vulnerabilities.
On March 2nd, Herbert and his dog were interviewed for De Kennis van Nu on Dutch national TV. (Dog enters 13m43s into the show.)
RTL Nieuws (TV, Dutch) reported on the vulnerabilities in computers used in Dutch elections. Asked for a reaction, Herbert agrees this looks bad. A few days later, the government decided to stop using the vulnerable systems. On Feb. 1st, the New York Times also reported on this.