A team led by Hari Prasad, Alex Halderman, and Rop Gonggrijp released today a technical paper detailing serious security problems with the electronic voting machines (EVMs) used in India.
The independent Electoral Commission of India, which is generally well respected, has dealt poorly with previous questions about EVM security. The chair of the Electoral Commission has called the machines “infallible” and “perfect” and has rejected any suggestion that security improvements are even possible. I hope the new study will cause the EC to take a more realistic approach to EVM security.
The researchers got their hands on a real Indian EVM, which they were able to examine and analyze. They were unable to extract the software running in the machine (because that would have required rendering the machine unusable for elections, which they had agreed not to do), so their analysis focused on the hardware. They were able to identify several attacks that manipulated the hardware, either by replacing components or by clamping something onto a chip on the motherboard to modify votes. They implemented demonstration attacks, actually building proof-of-concept substitute hardware and vote-manipulation devices.
Perhaps the most interesting aspect of India’s EVMs is how simple they are. Simplicity is a virtue in security as in engineering generally, and researchers (including me) who have studied US voting machines have advocated simplifying their design. India’s EVMs show that while simplicity is good, it’s not enough. Unless there is some way to audit or verify the votes, even a simple system is subject to manipulation.
If you’re interested in the details, please read the team’s paper.
The ball is now in the Election Commission’s court. Let’s hope that they take steps to address the EVM problems, to give the citizens of the world’s largest democracy the transparent and accurate elections they deserve.
I saw this and it’s right up your guys’ alley. I looked hard for a contact form but you don’t seem to have one, so I’m posting a comment:
http://digg.com/tech_news/FCC_hands_Hollywood_the_keys_to_your_Computer_TV_and_more
Thanks Josh. We’ve been watching this one, and have been discussing how to do an informative post on it. We should probably add a contact form.
Something has gone wrong. For months, there has been a mean of 3.25 new posts here each Saturday when I check, with a small standard deviation. That is, there’ve been either three or four new posts, usually three, exceedingly rarely two, and never just one or as many as five.
Zero is a twelve-sigma outlier.
Something has changed, and clearly the change is for the worse.
What happened?
If someone has unsupervised access to the inside of a (paper) ballot box during an election or before the votes are counted, that person can arbitrarily and undetectably alter the results of the election. Most of the attacks against the electronic system would require a similar level of access. I don’t know exactly what sort of feedback the Indian system provides to the user–if it doesn’t do something like turn on a light when a candidate is selected, I’d readily admit that’s a problem, but one that should be easily fixed in a design.
A key aspect of any voting system is that it should be possible to fully examine the mechanism and state before and after an election. Electronic systems allow their state to be examined more quickly than paper ballots; if all interested parties reach a consensus regarding the exact state of a machine immediately after an election, that will reduce the time available for anyone to alter it, compared with paper ballots that may have to be transported to be counted.
If the code can be read out of the processor, it’s possible to pretty well examine the ‘mechanism’ of a machine (measuring the analog properties of various points on a board will allow detection of many types of part substitution). If the processor can’t be read, that provides a means of tampering that could elude any practical means of examination.
Your comparison to paper ballot boxes is faulty. With paper ballot boxes, we must guard the custody of the paper ballot box during election day, from the time when polls are opened to the time when polls are closed and the paper ballots are delivered to election central. We have detailed procedures designed to detect fraud that occurs before or after election day. For example, when the polls are first opened, poll workers invite the first voter (and anyone else present at the polling place who is interested) to look inside the ballot box and witness that it is empty. After the polls are closed, we use tamper-evident seals and other measures to detect tampering that might occur subsequently. It’s feasible to exert two-person control over the ballot box throughout election day, because there are multiple poll workers there standing watch over it.
In comparison, the Indian electronic voting system is much harder to guard. We must prevent any kind of tampering at any time. The attacker’s window of success is much broader: if the attacker can ever gain unsupervised access to the Indian EVM (whether before the election, or after it), the attacker can steal votes. It’s simply not feasible to exert two-person control over the EVM permanently — you can do that during election day, but you can’t keep watch over it for every instant over the weeks before and after the election.
There’s just no comparison. The Indian EVM system appears to be significantly less secure than a well-run paper ballot election.
My biggest complaint with the system as described is that the processor does not allow the code to be read out. That is a major problem, since it makes it difficult or impossible to confirm that any particular machine will in fact be running legitimate code. The display hack is cute, but could be detected by a careful hand inspection of the machine assisted by such common tools as scales. Most of the other hacks require the ability to get access to the machine’s innards during an election. If physical security is weak, the election could be compromised, but the situation is no worse than with paper ballots.
That’s your biggest complaint? That technicians can’t read the code out of the microprocessor? How about the fact that voters can’t verify whether their vote will be counted, or that the system is fundamentally insecure? Either of those seems like a more serious problem. The situation is far worse than with paper ballots: with paper ballots, there are reasonable procedures one can use to secure the election, detect fraud, give voters a way to verify their vote, and ensure transparency; with these machines, there are no reasonably feasible procedures one can use to secure the election, detect fraud, enable voters to verify their vote, and ensure transparency. To me, the difference between India’s EVMs and paper ballots seems significant.