Brazilian Breaks Secrecy of Brazil's E-Voting Machines With Van Eck Phreaking

After the report last week that Brazil's e-voting machines had withstood the scrutiny of a team of invited hackers, reader ateu writes with news that a hacker has shown that the Linux-based voting machines aren't perfectly safe; he was able to eavesdrop on them (translated from Portuguese) by means of Van Eck phreaking.

Re:Honestly

It's simple. just throw out the person with the radar dish, oscilliscope, and notepad.

Whew, that was a close one...

[robwgibbons]

"Listening in" and actually breaking the security of the machine are two entirely different things. What's the most someone could do with this exploit? Basically it just allows for a more accurate exit-poll. As far as I see it, the machine's security has still yet to be bested.

Re:Whew, that was a close one...

[Animaether]

What's the most someone could do with this exploit? Basically it just allows for a more accurate exit-poll.

Basically.. all of the reasons you want voting to be done anonymously apply here.

If you can couple the emissions at the location of the machine with the emissions from a particular user - say, their mobile phone's signature - then you can go back to forcing people to vote for X and make sure that they do, roughing them up as an example to the others you told to vote for X if you detected a vote for Y instead, without a need to plant something on them or leaving any trace.

In theory, anyway.

Physical Security

[tetsukaze]

So the cheap devices he used only worked inches away. A more powerful device might work up to 20 meters away. Now, I assume a more powerful antennae is going to mean a bigger one. Isn't this going to stand out? I would hope that there is someone in charge that would notice a foot long antennae being pointed at voting areas. You can secure the machine itself, but if you don't have real people doing their part, it doesn't matter how secure your voting machine is.

Re:Honestly

[robbak]

Several ideas. Of course, use LCDs, as the CRT circuitry is the bad one. Shield the data connections so they don't radiate too much. Make the connections that transmit unencrypted data short. Use low-contrast fonts, so the sharp edges do not cause large voltage (and therefore EMI) spikes. Randomise the low bits of data shown on the screen, so you create obfuscating noise.

Maybe you have to go as far as have a white noise transmitter to mask what you cannot elimiate. Plenty of room to move. Good on them for having such a contest - it flushed out all the 'Ooh, I didn't think of that' problems.

Re:Honestly

[Opportunist]

Easy. Take the machine, hollow them out, put a board in and use their shell as a guard from prying eyes for pen&paper voting. The manufacturers of the machines get the money and we get secure and anonymous voting.

This happened with the Dutch in 2006

[JoshuaZ]

As discussed here in 2006, the Dutch had to modify their voting machines back in 2006 due to exactly this sort of attack. http://politics.slashdot.org/article.pl?sid=06/10/14/1641239

Re:This happened with the Dutch in 2006

[RAMMS+EIN]

That's only part of the story.

The voting machines were vulnerable to more than just eavesdropping, although eavesdropping was the official story from the government and also what most of the press was about.

However, the voting machines have since been banned. The latest elections were held with paper and pencil. It's good that way.

Now if people would only understand this ...

Re:Honestly

[Nimey]

Low-contrast fonts are probably right out, since you don't want to disenfranchise old folks and others with vision problems.

No technology will prevent that

[lwoggardner]

Not to say that secrecy isn't important, but once it requires a certain level of technology to eavesdrop then surely you just pick some random people and rough them up anyway telling the people you are intimidating that you have this "magic" eavesdropping technology.

Re:Van Eck Phreacking will always exist

[Frankie70]

If your country really is free (something that Brazil is good at) there is no problem telling everybody who you voted on..
Vote's anonymity only makes it easier to fake elections.

Don't be silly.
Secret ballot is one of the cornerstones of democracy.

In a secret ballot, you don't get bribed to vote for a particular person because you can
always say you voted for him while voting for him.
Likewise, about getting pressured about voting for someone.

As a person in the infosec field

[seifried]

This is why I love the Canadian method: paper with circles, make an "X" in the circle you want, fold the paper and put it in the ballot box. Good luck hacking that on a large scale (what with scrutineers from multiple parties watching the election and the count and each other, plus the people there as independent scrutineers watching everyone else), and monitoring it (little cardboard voting booth on a table, voila, privacy. The only argument I could imagine is finger prints on the ballots, but you can wear gloves if you want.

Re:Honestly

[icebike]

Exactly so.

The equipment to carry out this snooping is easily spotted, and more easily foiled.

With more than one voting station in the room, said eaves dropper could never distinguish one vote from the other, and could certainly not CHANGE the results.

You would be better able to guess how persons voted by the color of their tie. http://www.tie-necktie-video.com/tie-color.html