Researchers Demo Hardware Attacks Against India's E-Voting Machines

An anonymous reader writes "India, the world's largest democracy, votes entirely on government-made electronic voting machines that authorities claim are 'tamperproof,' 'infallible,' and 'perfect,' but last week security researchers proved that they can be manipulated to steal elections. A team led by Hari Prasad, Professor J. Alex Halderman, and Rop Gonggrijp released an awesome video that shows off hardware hacks they built. These machines are much simpler than e-voting designs used in the US, but as the research paper explains, this makes attacking the hardware even easier. Halderman's students at the University of Michigan took only about a week to build a replacement display board that lies about the vote totals, and the team also built a pocket-sized device that clips onto the memory chips, with the machine powered on, and rewrites the votes. Clippy says, 'It looks like you're trying to rig an election ...'"

A real hacker...

[smallfries]

...would register a one-issue party against the use of insecure voting machines. Then win the election. Then fix the problem.

Security

[Thanshin]

Any security professional, IT or otherwise, who ever says "impossible to break" in any of its forms, should be directly fired.

No discussion. No explanations. You blabber idiocies about your supposed area of expertise, you're fired.

Re:Security

I doubt any IT professional would say that. Usually politicians and managers are the ones responsible for this kind of nonsense because they have no clue or just want to sell their product.

Politicians are generally untouchable, no matter what they say or how bad they screw up. And managers make sure the contract contains some fineprint along the lines of "we guarantee nothing" and "not really impossible to break".

So yea, nothing you can do about it.

Re:Security

[hairyfeet]

You know, maybe I'm missing something, but I thought the E-Voting machines I used in the last election was just about as good as you could get. It was fast, simple, and at least from this old greybeard's thinking got rid of the paper ballot problems without adding new ones. Now don't ask me who made them because I never thought to look, but here is how it worked-

You got in line, stepped up and they checked you against the role, and here is what I thought was a nice touch, if anyone showed up that was in the wrong district they did NOT have to go play "hunt the polling place" because an election official would simply pull them aside for a few minutes while he got on a cell phone and have them changed over for this one election. I saw it happen twice and the wait was less than five minutes for the one in the wrong place.

Then you walked up to the machine, which was just a large flat screen with a pair of sides to keep those on either side from looking at your votes, and began to choose. Each choice after you were given a screen asking if this is what your choice was to make sure you didn't hit a button by mistake, was printed on a flat paper ballot that would scroll in this glass partition next to the screen where you could easily see it. After you hit the final confirm the booth would finalize the printout and make a noise so that the election volunteer could collect both the paper and electronic ballot. You were handed the ballot to look it over and give a final confirmation, and then the cartridge with the electronic vote was placed on the table with the officials while the paper ballot was placed in the voting box held by the same.

According to the official I talked to the electronic vote was used for those early election results the media likes, while the computer printed ballot (so no hanging chad crap) was brought to election headquarters by election officials made up of the three major parties (D,R, and Green) and while they watched the ballots would be fed into a machine which counted and showed the results right there on the screen. Any contested votes could be done quickly and easily, and since it had both the human readable vote choices and the computer readable printout checks to see if they matched could be easily done.

Now maybe I'm missing something, but it seemed like a pretty damned close to perfect system to me. The large screen with confirmations made it so even the old and those with sight problems (which BTW they had a separate machine away from the others where a volunteer would read the choices to you if you couldn't see or were disabled and couldn't reach. Nice touch) while having the computer print the ballot in both human readable and machine code got rid of human error without ending up a "black box" with no way for the user to check. Considering we went from the old punch machines with 1 hour plus waits to less than 5 minutes from parking to walking out the door I'd say it was a success. All in all a totally pleasant voting experience that took away the doubts and hassles the old punch machines always gave me.

Re:Amazing findings

the point here is that polling places can rig the machines just fine.

clever in key areas where a specific political party needs more votes to win.

kinda like how with diebold, republicans got overwhelming victories in predominantly democratic voting districts.

Re:Secure e-voting

[MichaelSmith]

Or even poker machines. Every machine runs from a PROM. Authorities keep a table of validated PROM image checksums. Operators of the machines have to let inspectors validate the checksums on demand, and if it doesn't match then your gaming license gets revoked and the place closes down.

Now thats no too hard, is it? Validate a small number of images, then make damn sure they don't get changed. Encourage simple, embedded systems as opposed to big operating systems with 30 million lines of code.

Re:Secure e-voting

[Thanshin]

Operators of the machines have to let inspectors validate the checksums on demand, and if it doesn't match then your gaming license gets revoked and the place closes down.

And how to you suggest to apply that system on an election environment? If the checksum doesn't match, you remove all votes from the voters who used that particular machine? You repeat the elections until no machine was tampered with?

Poll rigging this way is unnecessary in India.

[khoonirobo]

We are more sophisticated. http://en.wikipedia.org/wiki/Booth_capturing
Perfectly illustrated in http://xkcd.com/538/

Re:Ultimate accountability

[thijsh]

You promote the death penalty in a situation where it is even more despicable then usual, especially since anyone can see the clear option to cheat by getting your opponent eliminated. Each election has some irregularities (and I assume most are not sanctioned by the candidates themselves) so it would be far too easy to cheat for the other guy while collecting 'evidence'.

Please understand that I think the undermining of the democratic process is a crime which should carry a special sentence, but more along the lines that you can't run for office for X years (like any felon I believe). But the problem is always the same: the cheater won and is now in charge.

I think the only way to guarantee a cheater free process is by completely making every step of the process transparent. Coincidentally it's the technology currently used to cheat that can be put to use to prevent it. The only problem is there is always one or more black-box-systems between the voter and the results, so there is no way to guarantee it unless we remove every black-box step. Here is my solution to make the process as open as possible:
- Generate a unique key per voter and store on a single offline drive.
- Print voter registration cards with each key used once (we know every voter can vote exactly once).
- Generate a strong encryption certificate that is only valid around election day for HTTPS use.
- Voters can choose to vote at home (but they need a separate online ID) or at a registered voting location (and show their ID), but the process is the same.
- To vote at home you can use the supplied voting live-CD or use your own (it's recommended instead of your default OS), or use the kiosks supplied at voting locations.
- The voting consists of going to the voting website, verifying the origin of the site and after that select a candidate and enter the key to store the vote.
- These votes are stored on the same 'offline' drive that is currently online only with a serial cable connected to the webserver.
- The drive containing the votes as well as the server(s) that serves the website are on public display and the code is all opened to public scrutiny.
- The server should be behind a firewall that specifically looks for any and all attacks (it should be fairly easy if you tightly define only the packets that may get trough), if there is any reason to doubt the results because of a possible breach we will know.
- The results as well as the timeline of the votes is made public from the start, when the voting closes the results are known *immediately*.

Before talking about how insecure the web is please note that this problem is known and well understood, so we have know what to harden the system against attacks... The current voting solutions are much worse in my opinion since there are attack vectors too, but we do not know how many and how bad, and even worse: we have no idea how often these are already exploited. But we do know for a fact that paper elections have been rigged (despite the rules), electronic voting machines have been tampered with and even something as simple as denying people the right to vote (sending people away who stand in line for hours). These non-tech exploits are used regularly and should not be forgotten... I'd say a web-voting is the lesser of two possible evils. Especially since the technical requirements of such a system are known. If fucking soda companies can print unique codes on the inside of the bottles and phone operators use codes for prepaid cards i'd say we should be able to make it work for something important.

I posit that for every argument against such a system slashdot's finest geeks will come up with a solution...

Re:Secure e-voting

[UnHolier+than+ever]

No, if the checksum doesn't match you cancel the election, run it again with paper ballots and charge all the costs of doing so to the company that was responsible for the security of the machines, suing them into bankruptcy.

Scale of Indian elections and EVMs

[mritunjai]

Folks,

It is important to put the size of elections in India in perspective and how they operate to understand any meaningful amount of fraud or corruption possible.

The EVMs in question are extremely simple. They only have a breakout panel with 32 buttons (expandable upto 64 buttons with an addon breakout button panel). The machine only ever knows the number of enabled buttons. The names and party symbols are affixed as paper "stickers" on the buttons.

---------------------
[B] S First Last Name
---------------------
[B] S First Last Name
------...

The order and placement of stickers on the buttons changes from constituency to constituency. The machines are sealed/unsealed in presence of at least 3 officials, though in practice, it's no less than a dozen or more, as it's a public affair and often media is present.

Some numbers (courtesy http://www.indian-elections.com/facts-figures.html):
Number of EVMs used: 1.023 million
Max candidates per EVM: 64
Max candidates in election from one constituency: 35
Total number of candidates: 5398 (India is a multi-party democracy)
Number of parties: 220
Number of registered voters: 675 million

Cost of '09 elections: Approx $2 billion

Any 'fraud' analysis needs to take the process and numbers into account. EVMs in India solve a LOT of problems with regard to elections and drastically cut down on time, effort and cost involved. There are a number of places where several miles of journey on the back of mule is needed to reach the polling booths. It's much easier to conduct an electronic poll there rather than carrying several large ballot boxes that could be snatched.