S.O.S e - Voice For Justice - e-news weekly
Spreading the light of humanit
Spreading the light of humanit
Editor: Nagaraja.M.R.. Vol.09..Issue.16........19/04/
India's Electronic Voting Machines Proven Insecure
In a collaborative study, a team of Indian and international experts have revealed that the electronic voting machines used in Indian elections are vulnerable to fraud. Even brief access to the machines, known in India as EVMs, could allow criminals to alter election results.
These research findings are at odds with claims made by the Election Commission of India, the country's highest election authority, which has maintained that weaknesses found in other electronic voting systems around the world do not apply to India's EVMs. Less than a year ago, it stated: "Today, the Commission once again completely reaffirms its faith in the infallibility of the EVMs. These are fully tamper-proof, as ever." [1] As recently as two days ago, the Chief Election Commissioner described electronic voting machines as "perfect" and claimed that "till today, no individual could prove that the EVMs used by the EC can be tampered with." [2]
Almost the entire population of India votes on electronic voting machines. There are around 1.4 million of the machines in use, all of the controversial "Direct Recording Electronic" (DRE) variety. Such machines record the votes only to internal memory and provide no paper records for later inspection or recount. With DREs, absolute trust is placed in the hardware and software of the voting machines. Paperless electronic voting systems have been criticized globally and more and more countries and US states are abandoning such systems altogether.
In a video released today, the researchers show two demonstration attacks against a real Indian EVM. One attack involves replacing a small part of the machine with a look-alike component that can be silently instructed to steal a percentage of the votes in favor of a chosen candidate. These instructions can be sent wirelessly from a mobile phone. Another attack uses a pocket-sized device to change the votes stored in the EVM between the election and the public counting session (which in India can be weeks later).
This study was performed by researchers at NetIndia, (P)Ltd., in Hyderabad, the University of Michigan in the United States, and at a non-profit in the Netherlands that specializes in electronic voting related issues.
The researchers were also surprised to find that the vote-counting software in the EVMs is programmed into so-called "mask programmed microcontrollers," which do not allow the software to be read out and verified. Because these chips are made in the US and Japan, this has led to a situation in which nobody in India knows for sure what software is in these machines or whether it counts votes accurately.
Hari Prasad is a computer engineer and managing director of NetIndia, a Hyderabad-based technology firm. Prasad organized the study and says the findings are the culmination of a seven month investigation. "Everywhere I looked there were more security problems. I am glad that with the presentation of this work, the debate over whether India's EVMs are secure is over. We need to look forward now. India deserves a transparent election process, which these machines simply cannot deliver."
Rop Gonggrijp, a security researcher from the Netherlands, also took part in the study. Says Gonggrijp: "Never mind what election officials say, this research once again shows that the longstanding scientific consensus holds true—DRE voting machines are fundamentally vulnerable. Such machines have already been abandoned in Ireland, the Netherlands, Germany, Florida and many other places. India should follow suit."
Gonggrijp continues: "In order to have any transparency in elections, you need to have votes on paper. Computers can be programmed to count votes honestly, but since nobody can watch them, they might just as easily be programmed to count dishonestly. How is the voter supposed to tell the difference?"
Professor J. Alex Halderman of the University of Michigan helped develop the new attacks along with his students. "Almost every component of this system could be attacked to manipulate election results," says Dr. Halderman. "This proves, once again, that the paperless class of voting systems has intrinsic security problems. It is hard to envision systems like this being used responsibly in elections."
The newly released video and technical report can be found at http://IndiaEVM.org.
India's EVMs are Vulnerable to Fraud
Hari K. Prasad, J. Alex Halderman, Rop Gonggrijp
Questions & Answers
Q: Who are you?
A: We are scientists and technologists. Some of us have studied other voting systems in Europe and the US and have discovered serious flaws. In some cases these discoveries have led to the use of such systems being discontinued.
A: We are scientists and technologists. Some of us have studied other voting systems in Europe and the US and have discovered serious flaws. In some cases these discoveries have led to the use of such systems being discontinued.
Q: Why did you study India's EVMs?
A: The Election Commission of India has spoken of India's EVMs as "infallible" and "perfect", yet similar electronic voting machines used around the world have been shown to suffer from serious security problems. India's machines had never been subjected to credible independent research.
A: The Election Commission of India has spoken of India's EVMs as "infallible" and "perfect", yet similar electronic voting machines used around the world have been shown to suffer from serious security problems. India's machines had never been subjected to credible independent research.
Q: How did you get the EVM you studied?
A: It was provided by a source who has asked to remain anonymous.
A: It was provided by a source who has asked to remain anonymous.
Q: What have you found?
A: We found that an attacker with brief access to EVMs can tamper with votes and potentially change election outcomes. We demonstrate two attacks that involve physically tampering with the EVMs’ hardware. First, we show how dishonest election insiders or other criminals could alter election results by replacing parts of the machines with malicious look-alike parts. Such attacks could be accomplished without the involvement of any local poll officials. Second, we show how attackers could use portable hardware devices to change the vote records stored in the machines. This attack could be carried out by local election officials without being detected by the national authorities or the EVM manufacturers. Safeguards against these attacks are either absent or woefully inadequate. For the full details, please read our technical paper.
A: We found that an attacker with brief access to EVMs can tamper with votes and potentially change election outcomes. We demonstrate two attacks that involve physically tampering with the EVMs’ hardware. First, we show how dishonest election insiders or other criminals could alter election results by replacing parts of the machines with malicious look-alike parts. Such attacks could be accomplished without the involvement of any local poll officials. Second, we show how attackers could use portable hardware devices to change the vote records stored in the machines. This attack could be carried out by local election officials without being detected by the national authorities or the EVM manufacturers. Safeguards against these attacks are either absent or woefully inadequate. For the full details, please read our technical paper.
Q. Did you demonstrate attacks on a real EVM?
A: Yes. The EVM we worked with is a real EVM that has been used in recent national elections.
A: Yes. The EVM we worked with is a real EVM that has been used in recent national elections.
Q: How could you manipulate the internal memory to change the vote records? These EVMs are sealed.
A: The seals quite literally consist of stickers, string, and red wax. Tampering with them would not present a challenge to an attacker. Our video has an excerpt from an official training film showing some of the seals being applied. Have a look and see if you feel you could manipulate these seals yourself.
A: The seals quite literally consist of stickers, string, and red wax. Tampering with them would not present a challenge to an attacker. Our video has an excerpt from an official training film showing some of the seals being applied. Have a look and see if you feel you could manipulate these seals yourself.
Q: How could a dishonest EVM know which candidate to favour?
A: Our dishonest display board attack adds a Bluetooth radio, so criminals could wirelessly signal which candidate to favour. Our memory manipulation attacks happen between election and counting, when everything an attacker needs to know is already public. In our paper we explain more complicated attacks that use the total number of candidates in a constituency as a signaling mechanism. These don't need radio signals and could already be hidden in the software of the EVMs today.
A: Our dishonest display board attack adds a Bluetooth radio, so criminals could wirelessly signal which candidate to favour. Our memory manipulation attacks happen between election and counting, when everything an attacker needs to know is already public. In our paper we explain more complicated attacks that use the total number of candidates in a constituency as a signaling mechanism. These don't need radio signals and could already be hidden in the software of the EVMs today.
Q: But I watched the election officials perform a mock poll, and that was fine.
A: It would be easy to program a dishonest EVM or EVM component so that the manipulation is only performed after voting has been going on for a long time, or if the total number of votes is in the hundreds. That way, simple mock polls will show the proper results, but all the final election results will be manipulated.
A: It would be easy to program a dishonest EVM or EVM component so that the manipulation is only performed after voting has been going on for a long time, or if the total number of votes is in the hundreds. That way, simple mock polls will show the proper results, but all the final election results will be manipulated.
Q: Your video shows a mobile phone signaling to the EVM, but mobile phones are not allowed at polls and counting.
A: We are merely proving that we can send the signal wirelessly. Attacks could use many other forms of radio signaling, such as opener that sends the signal. Wireless devices are extremely easy to conceal and could be secretly carried into polling places in countless ways.
A: We are merely proving that we can send the signal wirelessly. Attacks could use many other forms of radio signaling, such as opener that sends the signal. Wireless devices are extremely easy to conceal and could be secretly carried into polling places in countless ways.
Q: How can the EVMs be as insecure as you claim while the Election Commission of India says they are "infallible" and "perfect"?
A: Until now, the EVMs have not been subjected to rigorous, independent, public scrutiny. Claims that the EVMs are "perfect" and "infallible" are not based on verifiable arguments. If the Election Commission disagrees with our claims, we look forward to a proper scientific debate based on credible, published evidence.
A: Until now, the EVMs have not been subjected to rigorous, independent, public scrutiny. Claims that the EVMs are "perfect" and "infallible" are not based on verifiable arguments. If the Election Commission disagrees with our claims, we look forward to a proper scientific debate based on credible, published evidence.
Q: The Election Commission has hired scientists too. How do we know you are right and the Election Commission is wrong?
A: The Election Commission's two expert committee reports were rather minimal and were performed by scientists with no apparent electronic voting security credentials. These studies were conducted without access to the machines' source code and relied on presentations and site visits with the manufacturers. In contrast, we performed our own experiments with a real machine and demonstrate working attacks.
A: The Election Commission's two expert committee reports were rather minimal and were performed by scientists with no apparent electronic voting security credentials. These studies were conducted without access to the machines' source code and relied on presentations and site visits with the manufacturers. In contrast, we performed our own experiments with a real machine and demonstrate working attacks.
Q: Haven't you just made our secure EVMs insecure by publishing this?
A: No. The fact that the election authorities have not allowed public scrutiny of the security of EVMs doesn't make them secure. There are more than 1.4 million EVMs in India, and criminal attackers would likely have less difficulty getting access to a machine than we did. Unlike actual criminals, we are working to inform the public about the security problems we found.
A: No. The fact that the election authorities have not allowed public scrutiny of the security of EVMs doesn't make them secure. There are more than 1.4 million EVMs in India, and criminal attackers would likely have less difficulty getting access to a machine than we did. Unlike actual criminals, we are working to inform the public about the security problems we found.
Q: Can the problems with EVMs be fixed?
A: Not easily. The entire class of voting systems to which these EVMs belong has inherent problems that stem from a lack of transparency. They force voters to trust software and hardware without proper means of verification.
A: Not easily. The entire class of voting systems to which these EVMs belong has inherent problems that stem from a lack of transparency. They force voters to trust software and hardware without proper means of verification.
Q: Surely there must be something we can do to enhance security?
A: The Election Commission likes to speak of "checks and balances", with various procedures believed to make fraud harder. Drastically improving procedures might make some kinds of fraud more difficult, but cannot eliminate the risks we describe. For EVMs to be used, the people of India would need to continue to place trust in an election technology that they cannot observe.
A: The Election Commission likes to speak of "checks and balances", with various procedures believed to make fraud harder. Drastically improving procedures might make some kinds of fraud more difficult, but cannot eliminate the risks we describe. For EVMs to be used, the people of India would need to continue to place trust in an election technology that they cannot observe.
Q: Can you help me investigate suspected fraud in the recent election in xxxx ?
A: Regrettably, probably not. If our research shows something, it is that for the concerned citizen there is very likely to be nothing to observe, study and/or investigate (either before, during or after the election) that would allow anyone to tell the difference between an honest and a dishonest election. That means you are left either trusting or not trusting your election, with no hard facts to guide you. We know that this is not a satisfactory answer, which is exactly why this type of voting machine should be abolished.
A: Regrettably, probably not. If our research shows something, it is that for the concerned citizen there is very likely to be nothing to observe, study and/or investigate (either before, during or after the election) that would allow anyone to tell the difference between an honest and a dishonest election. That means you are left either trusting or not trusting your election, with no hard facts to guide you. We know that this is not a satisfactory answer, which is exactly why this type of voting machine should be abolished.
Q: Why shouldn't India be at the forefront of technology?
A: We are technologists with a deep passion for things technical, but we also see the limitations of technology. These electronic voting machines have replaced decidedly imperfect but observable paper ballots with insecure and completely non-auditable technology.
Germany and the Netherlands are modern democracies. They both used electronic voting machines of the same basic type as used in India. In the Netherlands, almost 100% of voters used these machines, but when it was discovered that these machines had severe security problems and that there was inadequate transparency, the machines were abolished and paper ballots were reintroduced. Technological advance is not just about adopting the latest new inventions. Innovation also lies in the ability to take a second look and examine whether what seemed like a good idea ten years ago is still a good idea today.
A: We are technologists with a deep passion for things technical, but we also see the limitations of technology. These electronic voting machines have replaced decidedly imperfect but observable paper ballots with insecure and completely non-auditable technology.
Germany and the Netherlands are modern democracies. They both used electronic voting machines of the same basic type as used in India. In the Netherlands, almost 100% of voters used these machines, but when it was discovered that these machines had severe security problems and that there was inadequate transparency, the machines were abolished and paper ballots were reintroduced. Technological advance is not just about adopting the latest new inventions. Innovation also lies in the ability to take a second look and examine whether what seemed like a good idea ten years ago is still a good idea today.
Q. Where can I find more information about the EVM debate in India?
A. An Indian citizens' group called VeTA maintains a web site advocating election transparency. Our research is independent from VeTA, but we find their site to be generally informative about the e-voting debate in India. It can be found at IndianEVM.com.
A. An Indian citizens' group called VeTA maintains a web site advocating election transparency. Our research is independent from VeTA, but we find their site to be generally informative about the e-voting debate in India. It can be found at IndianEVM.com.
EVM Security Problems[edit]
An international conference on the Indian EVMs and its tamperability of the said machines was held under the Chairmanship of Dr. Subramanian Swamy, President of the Janata Party and former Union Cabinet Minister for Law, Commerce and Justice at Chennai on 13 February 2010. This conference received good response and the conclusion was that the Election Commission of India was shirking its responsibility on the transparency in the working of the EVMs.[13]
In April 2010, an independent security analysis[1] was released by a research team led by Hari Prasad, Rop Gonggrijp, and J. Alex Halderman. The study included video demonstrations[2] of two attacks that the researchers carried out on a real EVM, as well as descriptions of several other potential vulnerabilities.
- Easily Hackable:" US Lab says that, this EVM is very easy to hack.
- Before voting: One demonstration attack was based on replacing the part inside the control unit that actually displays the candidates' vote totals. The study showed how a substitute, "dishonest" part could output fraudulent election results. This component can be programmed to steal a percentage of the votes in favour of a chosen candidate.
- After voting: The second demonstration attack used a small clip-on device to manipulate the vote storage memory inside the machine. Votes stored in the EVM between the election and the public counting session can be changed by using a specially made pocket-sized device. When you open the machine, you find micro-controllers, under which are electrically enabled programs, with 'read-only' memory. It is used only for storage. However, you can read and write memory from an external interface. The researchers developed a small clip with a chip on the top to read votes inside the memory and manipulate the data by swapping the vote from one candidate to another.[4]
In order to mitigate these threats, the researchers suggest moving to a voting system that provides greater transparency, such as paper ballots, precinct count optical scan, or avoter verified paper audit trail, since, in any of these systems, sceptical voters could, in principle, observe the physical counting process to gain confidence that the outcome is fair.
But Election Commission of India points out that for such tampering of the EVMs, one needs physical access to EVMs, and pretty high tech skills are required. Given that EVMs are stored under strict security which can be monitored by candidates or their agents all the time, its impossible to gain physical access to the machines. Plus, to impact the results of an election, hundreds to thousands of machines will be needed to tamper with, which is almost impossible given the hi-tech and time consuming nature of the tampering process.[15][16]
EVM Court cases[edit]
On 25 July 2011, responding to a PIL (Writ Petition (Civil) No. 312 of 2011), Supreme Court of India asked EC to consider request to modify EVMs and respond within 3 months. The petitioner Rajendra Satyanarayan Gilda had alleged that EC has failed to take any decision despite his repeated representation. The petitioner suggested that the EVMs should be modified to give a slip printed with the symbol of the party in whose favour the voter cast his ballot.[6][17][18][19]
On 17 January 2012, Delhi High Court in its ruling on Dr. Subramanian Swamy's Writ Petition (Writ Petition (Civil) No. 11879 of 2009) challenging the use of EVMs in the present form said that EVMs are not "tamper-proof". Further, it said that it is "difficult" to issue any directions to the EC in this regard. However, the court added that the EC should itself hold wider consultations with the executive, political parties and other stake holders on the matter.[5][5]
Dr Swamy appealed against Delhi High Court's refusal to order a VVPAT system in Supreme Court. On 27 September 2012, Election Commission's advocate Ashok Desai submitted to a Supreme Court bench of Justice P Sathasivam and Justice Ranjan Gogoi that field trial for VVPAT system is in progress and that a status report will be submitted by early January 2013. Desai said that on pressing of each vote, a paper receipt will be printed, which will be visible to the voters inside a glass but cannot be taken out of the machine. To this, Dr Swamy replied that the new system was acceptable to him. The Supreme Court posted the matter for further hearing to 22 January 2013.[20][21]
Another similar writ petition filed by the Asom Gana Parishad is still pending before the Gauhati High Court.[22]
How can someone tamper with an electronic voting machine?
by Julia Layton
The November 2006 elections that decided the make-up of the U.S. Congress and state and local governments faced more uncertainty than any election to date. Instead of "Democrat or Republican," the more pressing question became "accurate count or complete debacle?" More than 60 million Americans cast their votes on electronic voting machines for the first time in 2006. Some feared human and machine error, both of which have occurred in almost all electronic voting since the machines were introduced in limited scope in 2002. Others feared a darker foe, and it's not just conspiracy theorists: For the past three or four years, computer scientists have been tampering with voting machines to prove it can be done. And they say it's actually pretty easy.
With electronic voting, the entire setup is electronic, not just the actual casting of the vote. The general process of electronic voting on the most common touchscreen models goes something like this:
- The voter checks in with election personnel, who enter the voter's name into a computer database to make sure he or she has not already voted.
- The voter is given a "smart card" -- basically a credit-card-type device with a microchip in it -- that activates the electronic voting machine.
- The voter casts his or her vote by touching a name on the screen.
- If the model includes printout capabilities (which is required by more than half of U.S. states), the voter receives a printout that verifies his or her choices before leaving the booth. If the printout is correct, the voter inserts it into voting machine before leaving the booth to complete the voting process. (If it's incorrect, different models have different remedies, but it's safe to say it starts to get messy at that point). In non-print-out models, the voter leaves the booth after cast his or her vote on the touchscreen.
- Once the polling place has closed, an election official inserts a supervisor's smart card into the voting machine and enters a password to access the tally of all votes on that machine. Election officials either transmit the tallies electronically, via a network connection, to a central location for the county, or else carry the memory card by hand to the central location.