Slashdot Mirror


Researchers Demo Hardware Attacks Against India's E-Voting Machines

An anonymous reader writes "India, the world's largest democracy, votes entirely on government-made electronic voting machines that authorities claim are 'tamperproof,' 'infallible,' and 'perfect,' but last week security researchers proved that they can be manipulated to steal elections. A team led by Hari Prasad, Professor J. Alex Halderman, and Rop Gonggrijp released an awesome video that shows off hardware hacks they built. These machines are much simpler than e-voting designs used in the US, but as the research paper explains, this makes attacking the hardware even easier. Halderman's students at the University of Michigan took only about a week to build a replacement display board that lies about the vote totals, and the team also built a pocket-sized device that clips onto the memory chips, with the machine powered on, and rewrites the votes. Clippy says, 'It looks like you're trying to rig an election ...'"

38 of 179 comments

  1. A real hacker... by smallfries · · Score: 5, Funny

    ...would register a one-issue party against the use of insecure voting machines. Then win the election. Then fix the problem.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  2. Security by Thanshin · · Score: 5, Insightful

    Any security professional, IT or otherwise, who ever says "impossible to break" in any of its forms, should be directly fired.

    No discussion. No explanations. You blabber idiocies about your supposed area of expertise, you're fired.

    1. Re:Security by Anonymous Coward · · Score: 5, Insightful

      I doubt any IT professional would say that. Usually politicians and managers are the ones responsible for this kind of nonsense because they have no clue or just want to sell their product.

      Politicians are generally untouchable, no matter what they say or how bad they screw up. And managers make sure the contract contains some fine print along the lines of "we guarantee nothing" and "not really impossible to break".

      So yea, nothing you can do about it.

    2. Re:Security by hairyfeet · · Score: 3, Informative

      You know, maybe I'm missing something, but I thought the E-Voting machines I used in the last election were just about as good as you could get. It was fast, simple, and at least from this old greybeard's thinking got rid of the paper ballot problems without adding new ones. Now don't ask me who made them because I never thought to look, but here is how it worked-

      You got in line, stepped up and they checked you against the roll, and here is what I thought was a nice touch, if anyone showed up that was in the wrong district they did NOT have to go play "hunt the polling place" because an election official would simply pull them aside for a few minutes while he got on a cell phone and have them changed over for this one election. I saw it happen twice and the wait was less than five minutes for the one in the wrong place.

      Then you walked up to the machine, which was just a large flat screen with a pair of sides to keep those on either side from looking at your votes, and began to choose. Each choice after you were given a screen asking if this is what your choice was to make sure you didn't hit a button by mistake, was printed on a flat paper ballot that would scroll in this glass partition next to the screen where you could easily see it. After you hit the final confirm the booth would finalize the printout and make a noise so that the election volunteer could collect both the paper and electronic ballot. You were handed the ballot to look it over and give a final confirmation, and then the cartridge with the electronic vote was placed on the table with the officials while the paper ballot was placed in the voting box held by the same.

      According to the official I talked to the electronic vote was used for those early election results the media likes, while the computer printed ballot (so no hanging chad crap) was brought to election headquarters by election officials made up of the three major parties (D,R, and Green) and while they watched the ballots would be fed into a machine which counted and showed the results right there on the screen. Any contested votes could be done quickly and easily, and since it had both the human readable vote choices and the computer readable printout checks to see if they matched could be easily done.

      Now maybe I'm missing something, but it seemed like a pretty damned close to perfect system to me. The large screen with confirmations made it so even the old and those with sight problems (which BTW they had a separate machine away from the others where a volunteer would read the choices to you if you couldn't see or were disabled and couldn't reach. Nice touch) while having the computer print the ballot in both human readable and machine code got rid of human error without ending up a "black box" with no way for the user to check. Considering we went from the old punch machines with 1 hour plus waits to less than 5 minutes from parking to walking out the door I'd say it was a success. All in all a totally pleasant voting experience that took away the doubts and hassles the old punch machines always gave me.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  3. Ultimate accountability by SmallFurryCreature · · Score: 2, Interesting

    Maybe it is time for a new law: You cheat, you die.

    Imagine that a party leader becomes responsible for the actions of the members of his party. Some lowly member cheats, the leader gets a bullet in the head.

    Open for abuse to be sure but all our leaders claim we should trust the system so surely they trust it?

    It would motivate leaders to motivate their followers not to break the rules. Right now the system does exactly the reverse. As long as the leader isn't proven to have given the direct order in writing, he benefits. Everyone knows Bush cheated, yet he ruled unchallenged for 8 years. So cheating works right? Hard to argue this when the evidence is so clear.

    We have come to take democracy for granted, but the recent problems in the UK have shown that such a basic thing as voting is not so simple after all. It is a complex process and without it working flawlessly, our entire system loses its validation. If you wanted to vote, went to vote but weren't allowed to, then how can you then be asked to support the government you didn't vote for?

    How can you ask a soldier to die for a leader whose election process he didn't take part in? The entire basis of democracy is your loyalty in exchange for a say. Your money and your life for a vote. We are the subjects of an elected government and must follow its rules because we elected them, yes even if you didn't vote for them. That is the deal. Cheating breaks that deal.

    It is hard to argue that people shouldn't go for a nasty dictator type, when the democracy isn't letting them have their say either. If you are not being listened to, you might as well have someone competent in charge instead of the monkey that cheated in a popularity contest.

    So let's stick with paper and enforce extreme and rigid rules about how those papers are handled and counted and put severe penalties on anyone who messed with it. And before you say that death is far too serious. Treason still carries a death sentence in many nations, and cheating in elections is treason against nation as a whole.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Ultimate accountability by teachmetech · · Score: 2, Insightful

      I completely agree with your point.

    2. Re:Ultimate accountability by thijsh · · Score: 3, Insightful

      You promote the death penalty in a situation where it is even more despicable than usual, especially since anyone can see the clear option to cheat by getting your opponent eliminated. Each election has some irregularities (and I assume most are not sanctioned by the candidates themselves) so it would be far too easy to cheat for the other guy while collecting 'evidence'.

      Please understand that I think the undermining of the democratic process is a crime which should carry a special sentence, but more along the lines that you can't run for office for X years (like any felon I believe). But the problem is always the same: the cheater won and is now in charge.

      I think the only way to guarantee a cheater free process is by completely making every step of the process transparent. Coincidentally it's the technology currently used to cheat that can be put to use to prevent it. The only problem is there is always one or more black-box-systems between the voter and the results, so there is no way to guarantee it unless we remove every black-box step. Here is my solution to make the process as open as possible:
      - Generate a unique key per voter and store on a single offline drive.
      - Print voter registration cards with each key used once (we know every voter can vote exactly once).
      - Generate a strong encryption certificate that is only valid around election day for HTTPS use.
      - Voters can choose to vote at home (but they need a separate online ID) or at a registered voting location (and show their ID), but the process is the same.
      - To vote at home you can use the supplied voting live-CD or use your own (it's recommended instead of your default OS), or use the kiosks supplied at voting locations.
      - The voting consists of going to the voting website, verifying the origin of the site and after that select a candidate and enter the key to store the vote.
      - These votes are stored on the same 'offline' drive that is currently online only with a serial cable connected to the webserver.
      - The drive containing the votes as well as the server(s) that serves the website are on public display and the code is all opened to public scrutiny.
      - The server should be behind a firewall that specifically looks for any and all attacks (it should be fairly easy if you tightly define only the packets that may get through), if there is any reason to doubt the results because of a possible breach we will know.
      - The results as well as the timeline of the votes is made public from the start, when the voting closes the results are known *immediately*.

      Before talking about how insecure the web is please note that this problem is known and well understood, so we know what to harden the system against attacks... The current voting solutions are much worse in my opinion since there are attack vectors too, but we do not know how many and how bad, and even worse: we have no idea how often these are already exploited. But we do know for a fact that paper elections have been rigged (despite the rules), electronic voting machines have been tampered with and even something as simple as denying people the right to vote (sending people away who stand in line for hours). These non-tech exploits are used regularly and should not be forgotten... I'd say a web-voting is the lesser of two possible evils. Especially since the technical requirements of such a system are known. If fucking soda companies can print unique codes on the inside of the bottles and phone operators use codes for prepaid cards I'd say we should be able to make it work for something important.

      I posit that for every argument against such a system slashdot's finest geeks will come up with a solution...

    3. Re:Ultimate accountability by HungryHobo · · Score: 2, Insightful

      I agree, vote rigging should be treated as seriously as a crime can be.
      I'd add to that- politicians taking bribes should attract similar penalties.

    4. Re:Ultimate accountability by fgouget · · Score: 2, Informative

      Here is my solution to make the process as open as possible:
      [...]
      - To vote at home you can use the supplied voting live-CD or use your own (it's recommended instead of your default OS), or use the kiosks supplied at voting locations.

      Make it possible to vote at home and a lot of people will be coerced to vote a certain way by their spouse / parent (or you're out of this house) / children (elderly people). Make it possible to vote from any computer and companies will nicely provide computers for you, will even help you. You would be free to vote the way you wanted and they would not even put you on top of the list for the next round of layoffs if you voted wrong. Vote at the kiosk against the wishes of the above parties and be assured they will be very understanding of your reservations and will surely not take any action against you.

      - The voting consists of going to the voting website, verifying the origin of the site and after that select a candidate and enter the key to store the vote.

      So you send your vote and the unique id the government gave you back to the government. But your vote is still anonymous because the government would never stoop so low as to match your voting key with your identity, right? And anyway if they say it cannot be done it must be true, right?

      - These votes are stored on the same 'offline' drive that is currently online only with a serial cable connected to the webserver.

      Who cares whether it's a serial cable or a SCSI / IDE / SATA / USB one. All that matters is: can the online server write to the disk or not? If it can, then it can mess with all its content, that's all. And if it can't... well, how do you, the average joe, know it cannot in the first place? Did you check that drive / cable in person or did you just trust some government official?

      - The drive containing the votes as well as the server(s) that serves the website are on public display and the code is all opened to public scrutiny.

      And the code which is on public display is the same one that's running on the server, right? You know because you compiled and installed it yourself (and so did the other 100 million plus voters).

      - The server should be behind a firewall that specifically looks for any and all attacks (it should be fairly easy if you tightly define only the packets that may get through), if there is any reason to doubt the results because of a possible breach we will know.

      It's almost as simple as making sure a login procedure is secure. And login procedures have never had any security issue... well, not very often anyway.

      - The results as well as the timeline of the votes is made public from the start, when the voting closes the results are known *immediately*.

      So the server shows you whatever it wants you to believe the votes are in real time. So what? Besides that, do you propose to show partial results during election day? Are you sure that's a good idea? You do know that's a radical departure from current practice, right?

      Before talking about how insecure the web is please note that this problem is known and well understood, so we know what to harden the system against attacks...

      What you missed totally is that the server is set up by the government and thus cannot be trusted. If you really trusted the government you would not hold elections. You would just write into law that at the end of his mandate the head of state must designate his heir^H^H^H^Hsuccessor based on the people's will.

      The current voting solutions are much worse in my opinion since there are attack vectors too,

      Your proposal did not eliminate any attack vector. You just added at least half a dozen even more serious vectors!

      But we do know for a fact that paper elections have been rigged (desp

    5. Re:Ultimate accountability by fgouget · · Score: 2, Interesting

      There are plenty of techniques to create a one-time code that isn't linked to you personally and can't be traced back

      Except all the proposals I have seen call for the unique key being generated by the government (and generally snail mailed to you). So you have no proof that such techniques have been used by the government.

      But you can't honestly tell me you're so paranoid about this that you now vote with gloves on because they might trace the fingerprints on the ballot?

      I don't wear gloves because I help count the votes so my fingerprints are on all the ballots!

      All jokes aside, they don't know which ballot is yours. So they would have to scan the fingerprints on a substantial percentage of the ballots to find out and they would have a hard time doing that in secret. In contrast installing a small 'security' patch that records either the votes or matches the unique keys with your identity would be pretty easy. Much easier than bugging the phone of Greece's prime minister along with those of a hundred other high ranking officials for months without getting caught for instance.

      Only problem there is the unique key needs to be disposed for you to remain anonymous... but I guess you could instruct people to do so after casting their vote (if they wish to remain anonymous).

      Forcing the voters to take action for their vote to remain anonymous is equivalent to making their votes public. If they erased the proof that they voted right, then they will get their knees broken all the same. Note that this is not just a theoretical issue, it has real world effects on votes as proven by Chile's switch to secret ballots in 1958.

    6. Re:Ultimate accountability by ArsenneLupin · · Score: 2, Insightful

      What stops people from selling their vote and going to the polling booth to vote?

      Easy: the buyer has no way of verifying that the seller did indeed vote how he promised to vote.

      it makes it *very* easy for people to disrupt, influence or plainly destroy votes there. Someone in this thread already pointed out practices like this: http://en.wikipedia.org/wiki/Booth_capturing.

      Such practices are ...hmmm... rather obvious. Meaning, that in a really democratic country, they would lead to instant cancellation of the election, and punishment of the perps.

      If such brute force disruptions are commonplace in India, then security of electronic elections is indeed the least of their worries. Without punishment of obvious abuse, the crooks could just wheel a supercomputer into the polling station, collect all the electronic ballot pads, openly break their seals, and reflash whatever firmware they want into them, hand them back (or just hand their own devices back which don't even need to look like the original ones...), and move on to the next polling station. No need to worry about stealth and miniaturized flash Ram writers if nobody cares about open tampering.

      Security (... any kind of security ...) only makes sense if there is a meaningful followup to obvious tampering. And how much more obvious than Booth capturing can you get? You're basically taking a whole polling station hostage, and there is no consequence to this? *Mind boggles*

  4. Amazing findings by gmhowell · · Score: 2, Insightful

    Amazing work they've done here. They've proven that if you have intrusive access to the hardware, you can screw it up and do deviant shit. How about you post an article when someone can walk into a polling place, hack a machine, and walk out without taking a screwdriver or some large, obvious device to a voting machine?

    This article, like most of the front page needs "-1, Irrelevant".

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
    1. Re:Amazing findings by tsj5j · · Score: 2, Insightful

      Your analysis neglects the basis of comparison, which in this case is traditional voting methods on paper.

      If you can walk in with a screwdriver to mess up an election with the electronic system but can't do the same to the paper method, then clearly there is some impact to security.

    2. Re:Amazing findings by Anonymous Coward · · Score: 3, Insightful

      the point here is that polling places can rig the machines just fine.

      clever in key areas where a specific political party needs more votes to win.

      kinda like how with diebold, republicans got overwhelming victories in predominantly democratic voting districts.

    3. Re:Amazing findings by Thanshin · · Score: 2, Insightful

      How about you post an article when someone can walk into a polling place, hack a machine, and walk out without taking a screwdriver or some large, obvious device to a voting machine?

      So the possibility of bypassing democracy isn't worrying, as long as you put a full body scanner in front of each voting cabin?

      Or you could limit the time that can be spent voting, and pray nobody finds a faster hacking method.

      1...2...3... BAM! You're out. Vote faster next time.

  5. Re:Secure e-voting by MichaelSmith · · Score: 4, Interesting

    Or even poker machines. Every machine runs from a PROM. Authorities keep a table of validated PROM image checksums. Operators of the machines have to let inspectors validate the checksums on demand, and if it doesn't match then your gaming license gets revoked and the place closes down.

    Now that's not too hard, is it? Validate a small number of images, then make damn sure they don't get changed. Encourage simple, embedded systems as opposed to big operating systems with 30 million lines of code.

  6. Re:Secure e-voting by Thanshin · · Score: 3, Insightful

    Operators of the machines have to let inspectors validate the checksums on demand, and if it doesn't match then your gaming license gets revoked and the place closes down.

    And how do you suggest to apply that system on an election environment? If the checksum doesn't match, you remove all votes from the voters who used that particular machine? You repeat the elections until no machine was tampered with?

  7. Poll rigging this way is unnecessary in India. by khoonirobo · · Score: 4, Funny

    We are more sophisticated. http://en.wikipedia.org/wiki/Booth_capturing
    Perfectly illustrated in http://xkcd.com/538/

  8. Re:Secure e-voting by MichaelSmith · · Score: 2, Insightful

    Operators of the machines have to let inspectors validate the checksums on demand, and if it doesn't match then your gaming license gets revoked and the place closes down.

    And how do you suggest to apply that system on an election environment? If the checksum doesn't match, you remove all votes from the voters who used that particular machine? You repeat the elections until no machine was tampered with?

    Yes, sounds about right.

  9. Re:Secure e-voting by Thanshin · · Score: 2, Interesting

    And how do you suggest to apply that system on an election environment? If the checksum doesn't match, you remove all votes from the voters who used that particular machine? You repeat the elections until no machine was tampered with?

    Yes, sounds about right.

    Nice system. So once my party governs I can simply block any further election to ever finish, just by touching a single machine.

  10. Re:Secure e-voting by jonbryce · · Score: 2

    Much simpler system. Voting machine prints out a ballot paper that goes into the ballot box. Select a random sample of ballot boxes and check the contents to what the computer says.
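
The random-sample check described in the comment above, sketched as an added example (not code from the thread or from any election authority). The box names, seed string and counts are constructed, and the detection-probability function goes beyond the comment to show how sample size relates to the chance of catching altered boxes.

```python
import hashlib
from math import comb


def select_sample(box_ids, seed, n):
    """Choose n ballot boxes reproducibly from a publicly announced seed.

    Boxes are ranked by SHA-256(seed | box id); anyone holding the seed can
    recompute the ranking and confirm the sample was not hand-picked.
    """
    if not 0 <= n <= len(box_ids):
        raise ValueError("sample size must be between 0 and the number of boxes")
    ranked = sorted(
        box_ids,
        key=lambda box: hashlib.sha256(f"{seed}|{box}".encode()).digest(),
    )
    return ranked[:n]


def audit(sample, machine_totals, hand_counts):
    """Compare the machine's totals with the hand count of the printed ballots.

    Returns {box: (machine, paper)} for every sampled box where they differ.
    """
    mismatches = {}
    for box in sample:
        if machine_totals[box] != hand_counts[box]:
            mismatches[box] = (machine_totals[box], hand_counts[box])
    return mismatches


def detection_probability(total_boxes, altered_boxes, n):
    """Chance that a sample of n boxes (no replacement) hits an altered one."""
    return 1 - comb(total_boxes - altered_boxes, n) / comb(total_boxes, n)


# Constructed sample data: eight boxes, candidates "A" and "B".
HAND_COUNTS = {f"box-{i:02d}": {"A": 100 + i, "B": 90 - i} for i in range(1, 9)}
MACHINE_TOTALS = {box: dict(counts) for box, counts in HAND_COUNTS.items()}
# The machine behind box-05 reports 30 votes moved from A to B.
MACHINE_TOTALS["box-05"] = {"A": 75, "B": 115}

if __name__ == "__main__":
    seed = "constructed-seed-from-public-dice-rolls"
    sample = select_sample(sorted(HAND_COUNTS), seed, 3)
    print("audited boxes:", sample)
    print("mismatches:", audit(sample, MACHINE_TOTALS, HAND_COUNTS))
    print("P(detect 1 altered box of 8 with n=3):", detection_probability(8, 1, 3))
```

The sample has to be drawn after the machine totals are committed, otherwise whoever altered a machine could know in advance which boxes will be opened.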

  11. Scale by brunes69 · · Score: 2, Interesting

    The size and scale of India's election makes attempts at manipulating the election at the voting machine level very difficult. Any legit attack would have to be done at the back-end altering massive numbers of votes.

  12. EVM: Simple tech & tamper resistant procedures by Sivaraj · · Score: 2, Informative

    The way EVMs reduce rigging is not by any superior technology. It is based on simple accessible technology and elaborate procedures to ensure that poll rigging is minimized to the maximum extent possible. Check this very detailed FAQ by Election Commission of India, specifically Q24 and Q28.

    http://www.indian-elections.com/electionfaqs/electronic-voting-machines.html

  13. Re:Secure e-voting by UnHolier than ever · · Score: 3, Interesting

    No, if the checksum doesn't match you cancel the election, run it again with paper ballots and charge all the costs of doing so to the company that was responsible for the security of the machines, suing them into bankruptcy.

  14. Re:'tamperproof,' 'infallible,' and 'perfect' by Thanshin · · Score: 2, Informative

    Our project team includes three Centaurs, design was managed by the Minotaur and the UI was put together by a herd of Unicorns. Debugging was handled by a 500 year old wise Chinese dragon.

    We tried that and it didn't work. The minotaur's design was too convoluted, the UI was pink and invisible, and after receiving hundreds of bug notices we discovered that the dragon had spent months farming gold.

  15. everyone should stick to paper by circletimessquare · · Score: 2, Insightful

    even the most technologically advanced societies (some nordic countries want to vote by cell phone!?), for two reasons:

    1. attack vectors

    of course paper voting is subject to cheats, ballot stuffing, getting lost in transit, etc. it's just that paper voting is a simpler process than mechanical or electronic voting, so therefore the number of attack vectors for paper voting is orders of magnitude less than mechanical voting... which in turn has orders of magnitude less attack vectors than electronic voting

    one well placed dude can, in a few milliseconds, in a statistically invisible way, randomly increase votes for one candidate over the other. and i don't care how well you design electronic voting technologically, it's still overseen by corruptible government bureaucrats, for which there is no technological solution

    but with paper voting, the cheats you can pull off are only crude, requiring armies of cooperating conspirators... and no conspiracy of sufficient size is airtight. therefore: discoverable. a cheat by one guy or a handful is also statistically discoverable: a truck driver of vote boxes in one precinct can't lose 10,000 votes or introduce 10,000 fake ones without being noticed in an audit. and for every one of these paper ballot cheats, there are simply 1,000 such variations, attack vectors, for the more complex electronic voting, and even some new and exotic methodologies. so to guard paper voting is simply an easier, less creative process. you can't outwit the committed bad guy in a complex system, but you can outman him in a crude system

    2. perception

    you can have all of the transparent standards for the PROFESSIONALS that you want. but for your average joe blow, the more the voting process is a black box (press keys -> sausage -> president comes out on other end) the more they are susceptible to lose confidence in the process. paper voting simply is a smaller black box. you write on a piece of paper. the papers are stacked somewhere. some people scan or look at them if there's a problem: it's all eminently comprehensible to anyone how the process works. no databases, no tcp/ip stacks, no authentication, no encryption... no "sausage" parts that the average voter does not understand and therefore does not trust

    democracy is only valid as long as it is seen as a legitimate representation of the will of the people. put that legitimacy in doubt, and democracy loses all of its strengths. therefore, we should always, forever more, no matter what technological advances we experience, vote simply with paper

    the problem here is technophilia: solving a simple problem in an overly complex way simply because you like the technology. electronic voting is a contrived false solution that introduces far more problems than it solves

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  16. Re:All voting systems are vulnerable... by afc_wimbledon · · Score: 2, Interesting

    That's not strictly true I'm afraid. In the UK the "marked register" (the paper audit of who voted) is marked with the ballot paper number against the voter's name. So currently there is an audit trail from the individual to an individual ballot paper, and hence to their vote. It's not available to just anyone, but you can, under certain circumstances, find out how an individual voted, or more importantly how they were recorded as voting in case of fraud. Both individual ballot papers and marked register are retained after the election. I'm talking about something similar for electronic systems is all.

    The problem with electronic systems is they are often floated as the sole solution to all electoral fraud (they're not) or as intrinsically weaker than paper based systems (and I'm arguing they are not that either).

  17. Re:All voting systems are vulnerable... by locofungus · · Score: 2, Interesting

    In the UK in particular you *cannot* issue a receipt - anything which can be used to match a vote to a voter is illegal. Even signing your name instead of putting a cross renders your ballot spoiled.

    Except, of course, the recording of the ballot paper number next to your name when you vote.

    In the past it would have been difficult to automatically match up every vote with a voter but it certainly wouldn't have been difficult to find out who cast a particular vote. "Who voted communist?"

    Nowadays I'd expect that the voter lists with the ballot numbers could be scanned and OCRed and the ballot papers run through an automatic feeder. Of course this needs access to the voter lists and ballot papers so not available to everybody.

    http://www.electoralcommission.org.uk/__data/assets/electoral_commission_pdf_file/0018/16056/Ballot_paper_design_finalversion_13051-7979__E__N__S__W__.pdf

    End of page 25:
    Serial numbers

    4.4 Anecdotal evidence suggests that at every election
    Returning Officers - and more often Presiding Officers
    in polling stations - receive a number of complaints or
    concerns from electors over the use of serial numbers
    on ballot papers. Electors are often concerned that the
    number allows identification of how they have voted.

    In fact, serial numbers are used specifically to allow for
    the tracing of papers cast fraudulently and are checked
    only where a claim of fraud is being investigated and a
    court order obtained to allow the identification of the ballot
    paper as being that of a particular person. Nevertheless,
    the regularity of such complaints, although not great, is
    thought to have increased in recent years with the increased
    use of postal voting. This is an issue also considered in
    the Commission's separate review of absent voting.

    Tim.

    --
    God said, "div D = rho, div B = 0, curl E = -@B/@t, curl H = J + @D/@t," and there was light.
  18. Re:Secure e-voting by nameer · · Score: 2, Interesting

    If the machine was tampered with, then you disregard the electronic count from that machine and do a hand count of the voter-verified paper ballots. You did print a voter verified paper ballot right?

    --
    "Uh... yeah, Brain, but where are we going to find rubber pants our size?" --Pinky
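
The checksum table MichaelSmith proposes earlier in the thread, combined with the paper fallback in the comment above, as an added example (not code from the thread or from any voting system). SHA-256 as the checksum, the image bytes, machine ids and counts are all assumptions constructed for illustration.

```python
import hashlib

# Constructed firmware images: one approved image and two altered copies.
GOOD_IMAGE = bytes(range(256)) * 16
ALTERED_IMAGE = GOOD_IMAGE[:100] + b"\xff" + GOOD_IMAGE[101:]  # one byte changed
OTHER_ALTERED_IMAGE = GOOD_IMAGE + b"\x00"                     # one byte appended

# The authority's table of validated images, keyed by digest.
# Assumption: SHA-256 stands in for the "checksum" mentioned in the thread.
VALIDATED = {hashlib.sha256(GOOD_IMAGE).hexdigest(): "fw-1.0 (constructed)"}


def validated_label(image, validated=VALIDATED):
    """Return the label of the validated image this dump matches, else None."""
    return validated.get(hashlib.sha256(image).hexdigest())


def tally(machines, validated=VALIDATED):
    """Total the votes, trusting electronic counts only from validated machines.

    A machine whose image is not in the table contributes its hand-counted
    paper ballots instead. If no paper count exists for it, the machine is
    reported as unresolved and none of its numbers enter the totals.
    """
    totals, hand_counted, unresolved = {}, [], []
    for machine in machines:
        if validated_label(machine["image"], validated) is not None:
            counts = machine["electronic"]
        elif machine["paper"] is not None:
            counts = machine["paper"]
            hand_counted.append(machine["id"])
        else:
            unresolved.append(machine["id"])
            continue
        for candidate, votes in counts.items():
            totals[candidate] = totals.get(candidate, 0) + votes
    return totals, hand_counted, unresolved


# Constructed polling data for three machines.
MACHINES = [
    {"id": "M1", "image": GOOD_IMAGE,
     "electronic": {"A": 120, "B": 95}, "paper": {"A": 120, "B": 95}},
    {"id": "M2", "image": ALTERED_IMAGE,
     "electronic": {"A": 40, "B": 210}, "paper": {"A": 130, "B": 120}},
    {"id": "M3", "image": OTHER_ALTERED_IMAGE,
     "electronic": {"A": 10, "B": 10}, "paper": None},
]

if __name__ == "__main__":
    totals, hand_counted, unresolved = tally(MACHINES)
    print("totals:", totals)
    print("hand-counted machines:", hand_counted)
    print("no paper trail, excluded:", unresolved)
```

A matching image hash says nothing about parts outside the image, such as the replacement display board described in the story summary, which is why the paper count stays the reference.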
  19. How to build a good voting machine by jonwil · · Score: 2, Interesting

    For the hardware you need:
    Touchscreen with graphics chip and touchscreen controller as an input device

    Receipt printer (the kind that has been used in millions of cash registers, ATMs and other devices world wide for a few decades)

    Flash memory chip to hold the machine OS and the config file (which candidates are running etc). This should be the kind that when it's in the machine, it cannot be written to and has to be removed to write new software or configs. This would have a difficult-to-duplicate-or-remove sticker applied with the voting machine's unique serial number to ensure that it hasn't been swapped for another identical chip containing rigged software.

    Thumb drive or memory card to hold the counted votes. This would also have a difficult-to-duplicate-or-remove sticker applied with the voting machine's unique serial number to ensure it isn't substituted with a fake one containing a different result.

    CPU (ARM of some sort would seem to make sense) to control the system with usual support items (power supply, RAM etc)

    Tamper-evident case containing the hardware with more difficult-to-duplicate-or-remove stickers with the voting machine's serial number covering the screw holes/case edges/etc to ensure you can tell if it's been opened.
    The receipt printer would be located outside of the tamper-resistant part so the roll can be replaced by polling station officials. Should a machine fail for other reasons (i.e. any reason that would require access to the hardware) that machine would be taken offline and not used for the rest of the election.

    Software:
    Linux kernel with drivers for the memory card reader, touchscreen, receipt printer etc. (the kernel would be specifically built for the voting machine with everything that is not required for the device such as networking removed)
    Basic set of libraries (the bare minimum required to make everything work)
    Custom voting machine software.
    All software would be 100% open source.

    Before the election, the machines are prepared by loading the correct OS and kernel along with the config file for the machine (containing the names and info for the candidates) onto the operating system chips. The operating system chip and vote counting memory card are loaded into the machine. Then the machines are verified and tested. Once they have been verified, they are sealed up and the tamper-evident stickers applied before they get shipped off to the polling booths.

    When you go to vote, you pick your candidate on the screen by touching their name. Then you have to press "OK" once you are sure you clicked on the right name.

    After your vote is complete, it is recorded in the file on the memory card. Also, a receipt is printed containing a machine readable bar-code corresponding to your vote plus a human readable record. This receipt is then inserted into a ballot box as you depart the polling booth. No part of the machine (receipt included) contains any record of who you are as a voter or any way to associate your vote back to you.

    To count the votes, the memory cards are removed from the machines (after checking that the machine was not tampered with and that the memory card is genuine) and sent to the relevant counting office to be read and counted. Should there be a dispute, either the machine readable bar-code or the human readable record can be used as a way to count the ballots.

    Maybe some of this is overkill (like labeling the chips with stickers to prevent tampering), I don't know. But when you are talking about something as critical to a free society as an election, it's important to get it RIGHT.

    My idea would work for any system no matter how many items are on the ballot or how many people are voting (a commonly cited downside of paper systems is that there are too many papers to count and/or too many things being voted on)

    My idea won't prevent tampering (of the kind described in TFA) but it will be immediately obvious when someone has tampered with the hardware in the machine (if it works for telling Microsoft or Dell when someone has opened their PC or XBOX and voided the warranty, it should work for a voting machine, especially since getting close enough to one for long enough to fiddle with it is hard when inside a polling station).
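
The fallback that comments 18 and 19 describe (set the electronic count aside and count the paper when anything looks wrong), as an added example that is not part of either comment. The barcode format `<machine_serial>|<candidate>`, the function names and the sample data are assumptions constructed for illustration.

```python
from collections import Counter

def parse_receipt(barcode):
    """Assumed (constructed) barcode format: '<machine_serial>|<candidate>'."""
    serial, sep, candidate = barcode.partition("|")
    if not sep or not serial or not candidate:
        raise ValueError(f"malformed receipt barcode: {barcode!r}")
    return serial, candidate

def audit_machine(serial, card_sticker_serial, card_votes, receipt_barcodes):
    """Reconcile one machine's memory-card tally against its paper receipts."""
    findings = []
    paper = Counter()
    for barcode in receipt_barcodes:
        try:
            r_serial, candidate = parse_receipt(barcode)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if r_serial != serial:
            findings.append(f"receipt from foreign machine {r_serial}")
            continue
        paper[candidate] += 1
    electronic = Counter(card_votes)
    # The sticker ties the memory card to the machine it was sealed into.
    if card_sticker_serial != serial:
        findings.append("memory card sticker does not match machine serial")
    for candidate in sorted(set(paper) | set(electronic)):
        if paper[candidate] != electronic[candidate]:
            findings.append(
                f"{candidate}: card={electronic[candidate]} paper={paper[candidate]}")
    # Any finding means the electronic count is set aside and paper decides.
    source = "paper" if findings else "card"
    return {"official": dict(paper if findings else electronic),
            "source": source, "findings": findings}

# Constructed sample data: three votes, one flipped on the card from A to B.
SERIAL = "EVM-0001"
RECEIPTS = ["EVM-0001|A", "EVM-0001|B", "EVM-0001|A"]
CLEAN_CARD = ["A", "B", "A"]
FLIPPED_CARD = ["B", "B", "A"]

if __name__ == "__main__":
    print(audit_machine(SERIAL, SERIAL, CLEAN_CARD, RECEIPTS))
    print(audit_machine(SERIAL, SERIAL, FLIPPED_CARD, RECEIPTS))
```

The check only detects a card that disagrees with the paper; it says nothing about whether the receipts themselves were printed honestly, which is why the voter has to read the human-readable part before dropping it in the box.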

  20. Re:Looks like Diebold has some new competition! by Eivind · · Score: 2, Insightful

    There's a much simpler reason.

    The people ordering ATMs care a great deal more about their correct and secure operation than the people ordering voting machines.

  21. Re:Secure e-voting by Dilaudid · · Score: 2, Interesting

    Why are there so many stories on slashdot about how awful e-Voting is? Is there a large part of the slashdot audience that seeks a return to pencil and paper solutions, instead of this new-fangled transistorisation? I think your idea makes perfect sense, the situation where a PROM is touched is the same situation as where a ballot box has been broken open.

  22. Re:Secure e-voting by sznupi · · Score: 2, Interesting

    More than security is at stake here. Transparency also matters. With paper voting many citizens are perfectly able to go to the polling station and observe (and grasp!) the whole voting process and counting votes; generally check that everything happens according to the procedure. Have such people in every polling station and you can independently confirm the result of elections.
    It builds confidence in the results.

    There's no transparency with electronic voting. None. Even if you are an "IT pro" and go to see what happens... well, on /. it's not necessary to explain that you will see almost nothing of the procedure. Now imagine average folks.
    In this case, you have inherent distrust in the results.

    --
    One that hath name thou can not otter
  23. Re:Secure e-voting by ProfMobius · · Score: 2, Informative

    Why are there so many stories on slashdot about how awful e-Voting is? Is there a large part of the slashdot audience that seeks a return to pencil and paper solutions, instead of this new-fangled transistorisation? I think your idea makes perfect sense, the situation where a PROM is touched is the same situation as where a ballot box has been broken open.

    I don't really get if you are complaining or agreeing...

    Thing is, there are many differences between a ballot box and an e-voting system.

    In the case of the ballot box, you need to tamper with it after the election, when it is best guarded. Each ballot box only contains a limited number of votes, and you need to prepare a large amount of false ballots beforehand.

    In the case of the e-voting system, you can tamper with it before the election and make 'invisible' tampering (ROM flashing, replacing the display with hidden chips, etc). Once you got access to the machine once, you are good to change many elections. Also, the machine can contain more votes than a ballot box.

    In my opinion, this is not a question of how hard it is to tamper with something, but the scale of the changes you can produce. Paper ballots only allow for small changes, while e-voting allows for large scale changes.

    --
    EULA : By reading the above message, you agree that I now own your soul.
  24. Scale of Indian elections and EVMs by mritunjai · · Score: 5, Informative

    Folks,

    It is important to put the size of elections in India in perspective and how they operate to understand any meaningful amount of fraud or corruption possible.

    The EVMs in question are extremely simple. They only have a breakout panel with 32 buttons (expandable up to 64 buttons with an add-on breakout button panel). The machine only ever knows the number of enabled buttons. The names and party symbols are affixed as paper "stickers" on the buttons.

    ---------------------
    [B] S First Last Name
    ---------------------
    [B] S First Last Name
    ------...

    The order and placement of stickers on the buttons changes from constituency to constituency. The machines are sealed/unsealed in presence of at least 3 officials, though in practice, it's no less than a dozen or more, as it's a public affair and often media is present.

    Some numbers (courtesy http://www.indian-elections.com/facts-figures.html):
    Number of EVMs used: 1.023 million
    Max candidates per EVM: 64
    Max candidates in election from one constituency: 35
    Total number of candidates: 5398 (India is a multi-party democracy)
    Number of parties: 220
    Number of registered voters: 675 million

    Cost of '09 elections: Approx $2 billion

    Any 'fraud' analysis needs to take the process and numbers into account. EVMs in India solve a LOT of problems with regard to elections and drastically cut down on time, effort and cost involved. There are a number of places where several miles of journey on the back of a mule is needed to reach the polling booths. It's much easier to conduct an electronic poll there rather than carrying several large ballot boxes that could be snatched.

    --
    - mritunjai
  25. Re:Looks like Diebold has some new competition! by Eivind · · Score: 2, Insightful

    Yeah. That too. They care, AND they notice.

    The ATM is supposed to withdraw money from your account, and dispense cash, and ideally do the same amount of both.

    If it withdraws -more- from the account than it dispenses, odds are plenty of account-holders will notice in quick order (not everyone checks, but ENOUGH people do), whereas if it does the opposite, odds are the bank will notice real quickly. (plenty of those who get too much cash from the ATM will talk about it too)

    I'm not convinced politicians universally care about voting, other than perhaps if they think they're likely to be cheated AGAINST. But neither do they typically notice, and that makes it worse, sure.

  26. Diebold - Good ATM machines, bad voting machines. by Firethorn · · Score: 2, Informative

    You also have to figure that e-machines, being used only a couple times a year on average, have to be competitive with paper based systems as far as cost goes, while an ATM machine has to be competitive with a teller (or three)'s salary spread over most of a decade.

    Oh, and for whatever reason, Diebold didn't use the same people in the effort.

    --
    I don't read AC A human right
  27. Re:Secure e-voting by TheRaven64 · · Score: 2, Interesting

    A lot of us don't see a problem with pencil and paper voting (for me it wouldn't be a return - it's what we do already). A democratic state has to be accountable to the electorate, by definition. That means elections have to be low tech, because if they are not then you reduce the number of the electorate who are capable of auditing the process. How many people are capable of verifying that a voting machine is correct? I only know a couple of people I'd trust to formally verify the software, and no one I'd trust to verify the hardware. On the other hand, I know a lot of people, myself included, who are capable of watching folded voting papers being put into a box and of checking that they are counted correctly. I could do it myself, and any candidate - even the ones that only get a few votes - can easily find a supporter who is able and willing to do so.

    --
    I am TheRaven on Soylent News