07-05-2009, 08:25 AM
<b>Electronic Voting Machines in Indian elections : a security risk</b>
<!--QuoteBegin-->QUOTE<!--QuoteEBegin-->In India, votes are cast on an electronic voting machine (EVM). The EVM seems to have been touted as the ultimate solution to all ills of the Indian voting process.
However, there is more to it than meets the eye. The entire process may be hacked into, knowing that corruption in India is a legendary phenomenon and people can be bribed to circumvent any law.
There were Public Interest Litigations (PIL) filed in Supreme Court of India (SC) for authenticity of voting process using EVM. PIL no W.P©No. 191 OF 2004 was heard on 30 April 2004 and was summarily disposed of.
I carried out this analysis of voting process in 2004. My suggestions are based on my observations and past experience of process design, electronics, security, and corruption studies in India. There are very many improvement possible in the suggestions and with improved connectivity, electronic systems and more informed voter/election personnel, it may be possible to create a largely secure (and easy/simple) voting process.
I think that the entire voting process should be secured and not depend entirely on the security (supposed to be) of the EVM alone. It is the voting process that is important, EVM is a minuscule part of it.
Whenever, one part of the process changes, it has an effect on the other parts. And we need to examine the impact of this change. Election Commission of India (ECI) should have looked at the whole process and not the machines alone. The process is important and all pervading, that is the reason why process design, process mapping, BPR and impact analysis is a big business.
So in the present malformed process of voting, if a state or local election officer replaces the EVM at any point in time, more so after the votes are cast, the process security fails. The signatures, seals, tags and stickers can all be duplicated. Let us not forget that fake stamp papers could be printed by Telgi, with connivance of the Security Press staff, despite all kind sof security and security processes.
About EVM
The EVMs are manufactured by a state owned organisation, Bharat Electronics Limited (BEL). BEL and ECI consider obscurity and obfuscation as security, however this is really not security. If you look at the texts on electronic/data security/authentication, they all advise on security by openness and not by obscurity. Thats the reason why all encryption algorithms are available freely.
The EVM is based on a microcontroller (I guess a variant of Intel's 8051), on which, the program and the memory can be protected from external read, but that is very low level (and low quality) security and chip centric, based on the premise that security attacks will be at the electronic module level only. For a really adamant cracker, this is breakable.
I've been involved in lots of reverse engineering projects (including using 8051, FPGAs and so on), where in, I reverse engineered by blackbox technique (that is, plainly look at the functionality and mimic external interfaces) and have always been successful. Its similarly possible to change the microcontroller inside, with the one programmed by someone else or to manufacture the entire EVM ab-initio. Inksigned paper stickers and loops are a child's paly to duplicate or hack through.
Incidently, there are electronics design problem leading to severe EMI/EMC issues in the EVM. The long ribbon cable to the button box is easily susceptible to EMI from even the mobile phone. I could attack the machine by building a hand held interference generator.
EVMs do not authenticate with an external process/system/device, then
(a) How do we know that they have the right program in the chip? Is the compiled code's signatures (digest) checked at the time of boot up, by the software?
(b)How do you know that its the right EVM and not a duplicate?
Also, why doesn't BEL make the design available openly? Lets look at the EVM as we examine the Open Source Software and Hardware. Let the security be from the process aspect and not from obscurty aspect.
Also, since there are no papers (ballot papers) to authenticate anything, the security flaws (and mis-adventures of the entire system) can not be detected.
My studies and actual experiences convinces me that it shouldn't take much time to reverse engineer an EVM. The specs of EVM do not talk about the security aspect at all.
Also, let me bring out some more simple hacks, from amongst the ones I can think of :
(a) The software checks for specific number of votes and then starts directing the count for a specific candidate.
(b) The polling officer casts votes in connivance with local polling booth operators/observers.
© During vote counting, the software reads out value of casted votes favoring some one, which may be different from the votes casted for the contestant.
In this context of hackable EVM did ECI/BEL :
(i) get the security aspect examined (and if any encryption has been used) by Joint Cypher Bureau (JCB)? or any other independent organisation of repute? I dont know if any encryption has been used, but even for the best encryption algorithms, wrong implementation can be disasterous.
(ii) open the design and source code for examination? BTW, the EC should have reengineered the authentication process also.
(iii) give out the EVM for cracking to test its security? and find flaws?
There is nothing which prevents any one from creating a duplicate EVM and putting it into the EVM repository or at the booth? I seriously doubt that the EVMs have enough security, internally and externally. ECI should have redrawn the entire process, and should have put extra security elements into the process.
With present scenario of availability of GSM/CDMA/Landline telephone connectivity, the process security can be enhanced to a great extent by use of these elements.
My contention is that there are hundreds of ways to hack into the Indian voting system. ECI should at least analyse the security threats and take corrective actions.
By my reconing, the process should have been something like (in very short) :
(a) all election commissioners (ECs), election officers and Chief Election Commissioner (CEC) be given smartcards and their fingerprints captured on the card. All these smartcards should have verifiable MD5 (or any other digest) signatures and unique keys, unique card numbers along with date and time of creation and other security features (take a look at security of financial systems and the key management/authentication sytems employed). These could be issued by the CEC to every one. All being authenticated by smartcards of the CEC.
(b) all polling officers would be similarly issued smartcard+fingerprint based identity cards.
© All EVMs will have an internal serial no and a 16 digit random hardwired code no along with the chip serial nos etc converted into a digest and signed by the CEC's smartcard.
(d) This will be authenticable by any of the smartcards meant for the election process.
(e) Use of smartcard+fingerprint could (in the software) be extended for use of citizen i card of the future, but thats a long unending story.
EVMs :
(a) EVMs to have internal code and memory authentication by using external smartcard and fingerprint of the respective operators (EVM authenticators, EVM certifiers, Polling officers and the counting officers etc, separately for each) so that EVM and its operators could authenticate each other.
(b) EVMs to have GPS module for date, time and location stamping. Also a smartcard reader and a fingerprint reader.
© EVMs to have internal audit trail, which can only be erased by state election officer after authentication as in (a).
(d) EVMs to have 'cover open' and 'core module exposed to light' logging.
(e) Some parts of EVM would always be energised by internal embedded battery to log (d).
(f) The internal circuitary/PCBs etc to be casted in low temp thermoset plastic to ensure that if the plastic is broken, the machine's functionality is destroyed. The prefered manufacturing technique would be COB (chip on board) with non-relaceable parts.
(g) EVMs will have a 'park' or 'pause' button to temporarily halt the process and could be again started by authentication process.
Process :
(a) All EVMs to be checked by state election officers and all data erased using the smartcard and finger print authentication and access mechanism. Process to be date, time and location stamped. Also, State
EC verifies the signature of the software, checks audit trail for misuse/malafied changes.
All EVMs parts inventory with serial nos, will be captured at the time of certification/authorisation into a secure database on a secure PC/server. This will also be captured and logged by the EVM.
(b) EC/election officers would program the EVMs to accept commands from various cards, whose authentication key and serial would be fed in by the EC/election officer. This process would be logged. There may be multiple cards authorised to operate on the same process. This would be the process followed a day prior to sending out polling
officers. All polling officers (their cards and FP) would be authenticated and authorised by the EVMs with the EC/election officer's cards. This would again be logged.
Similarly, counting officers would be authenticated on a specific date.
© All polling officers would be required to setup EVMs, set up the GPS and authenticate the EVM, letting the EVM authenticate the polling officer also. Also, permit the polling officer to do a trial run.
(d) Polling officer will authorise the EVM to start collecting votes by putting his card identifying him/herself with the fingerprint. The EC/state election officers could program the EVM to poll only on a specific date and preset time /time duration.
For authorising each voter, the polling officer's card will need to be in the separate reader, and s/he would press a button to authorise.
(e) the EVMs will keep all information encrypted and with a digest signed by the polling officer.
(f) At the close of the election, the polling officer would stop the process by putting his card and fingerprint, secure summary of data to be transferred to the polling officer's smartcard with date, time and location authentication.
(f) Polling officer would seal the machine and send it to the counting station along with his/her smartcard (to state election officer).
(g) The counting officer would authenticate each EVM and then access data along with the certification code, digest etc.
Additionally, the entire data of the day's polling would also be available in the polling officer's card, which could be used for authentication, tallying and as the voting data if the EVM is not available/does not function/is not readable.
This is a very brief process, catering to some vagaries of changes in polling officers, variation in dates, countermanding and rescheduling elections etc. but lot of other process features can be put in based on the ground realities.
I am sure that given a little time and resources, it is possible to greatly improve the voting process security and simplify security procedures.
<!--QuoteEnd--><!--QuoteEEnd-->
http://atula.newsvine.com/_news/2009/04/18...a-security-risk
<!--QuoteBegin-->QUOTE<!--QuoteEBegin-->In India, votes are cast on an electronic voting machine (EVM). The EVM seems to have been touted as the ultimate solution to all ills of the Indian voting process.
However, there is more to it than meets the eye. The entire process may be hacked into, knowing that corruption in India is a legendary phenomenon and people can be bribed to circumvent any law.
There were Public Interest Litigations (PIL) filed in Supreme Court of India (SC) for authenticity of voting process using EVM. PIL no W.P©No. 191 OF 2004 was heard on 30 April 2004 and was summarily disposed of.
I carried out this analysis of voting process in 2004. My suggestions are based on my observations and past experience of process design, electronics, security, and corruption studies in India. There are very many improvement possible in the suggestions and with improved connectivity, electronic systems and more informed voter/election personnel, it may be possible to create a largely secure (and easy/simple) voting process.
I think that the entire voting process should be secured and not depend entirely on the security (supposed to be) of the EVM alone. It is the voting process that is important, EVM is a minuscule part of it.
Whenever, one part of the process changes, it has an effect on the other parts. And we need to examine the impact of this change. Election Commission of India (ECI) should have looked at the whole process and not the machines alone. The process is important and all pervading, that is the reason why process design, process mapping, BPR and impact analysis is a big business.
So in the present malformed process of voting, if a state or local election officer replaces the EVM at any point in time, more so after the votes are cast, the process security fails. The signatures, seals, tags and stickers can all be duplicated. Let us not forget that fake stamp papers could be printed by Telgi, with connivance of the Security Press staff, despite all kind sof security and security processes.
About EVM
The EVMs are manufactured by a state owned organisation, Bharat Electronics Limited (BEL). BEL and ECI consider obscurity and obfuscation as security, however this is really not security. If you look at the texts on electronic/data security/authentication, they all advise on security by openness and not by obscurity. Thats the reason why all encryption algorithms are available freely.
The EVM is based on a microcontroller (I guess a variant of Intel's 8051), on which, the program and the memory can be protected from external read, but that is very low level (and low quality) security and chip centric, based on the premise that security attacks will be at the electronic module level only. For a really adamant cracker, this is breakable.
I've been involved in lots of reverse engineering projects (including using 8051, FPGAs and so on), where in, I reverse engineered by blackbox technique (that is, plainly look at the functionality and mimic external interfaces) and have always been successful. Its similarly possible to change the microcontroller inside, with the one programmed by someone else or to manufacture the entire EVM ab-initio. Inksigned paper stickers and loops are a child's paly to duplicate or hack through.
Incidently, there are electronics design problem leading to severe EMI/EMC issues in the EVM. The long ribbon cable to the button box is easily susceptible to EMI from even the mobile phone. I could attack the machine by building a hand held interference generator.
EVMs do not authenticate with an external process/system/device, then
(a) How do we know that they have the right program in the chip? Is the compiled code's signatures (digest) checked at the time of boot up, by the software?
(b)How do you know that its the right EVM and not a duplicate?
Also, why doesn't BEL make the design available openly? Lets look at the EVM as we examine the Open Source Software and Hardware. Let the security be from the process aspect and not from obscurty aspect.
Also, since there are no papers (ballot papers) to authenticate anything, the security flaws (and mis-adventures of the entire system) can not be detected.
My studies and actual experiences convinces me that it shouldn't take much time to reverse engineer an EVM. The specs of EVM do not talk about the security aspect at all.
Also, let me bring out some more simple hacks, from amongst the ones I can think of :
(a) The software checks for specific number of votes and then starts directing the count for a specific candidate.
(b) The polling officer casts votes in connivance with local polling booth operators/observers.
© During vote counting, the software reads out value of casted votes favoring some one, which may be different from the votes casted for the contestant.
In this context of hackable EVM did ECI/BEL :
(i) get the security aspect examined (and if any encryption has been used) by Joint Cypher Bureau (JCB)? or any other independent organisation of repute? I dont know if any encryption has been used, but even for the best encryption algorithms, wrong implementation can be disasterous.
(ii) open the design and source code for examination? BTW, the EC should have reengineered the authentication process also.
(iii) give out the EVM for cracking to test its security? and find flaws?
There is nothing which prevents any one from creating a duplicate EVM and putting it into the EVM repository or at the booth? I seriously doubt that the EVMs have enough security, internally and externally. ECI should have redrawn the entire process, and should have put extra security elements into the process.
With present scenario of availability of GSM/CDMA/Landline telephone connectivity, the process security can be enhanced to a great extent by use of these elements.
My contention is that there are hundreds of ways to hack into the Indian voting system. ECI should at least analyse the security threats and take corrective actions.
By my reconing, the process should have been something like (in very short) :
(a) all election commissioners (ECs), election officers and Chief Election Commissioner (CEC) be given smartcards and their fingerprints captured on the card. All these smartcards should have verifiable MD5 (or any other digest) signatures and unique keys, unique card numbers along with date and time of creation and other security features (take a look at security of financial systems and the key management/authentication sytems employed). These could be issued by the CEC to every one. All being authenticated by smartcards of the CEC.
(b) all polling officers would be similarly issued smartcard+fingerprint based identity cards.
© All EVMs will have an internal serial no and a 16 digit random hardwired code no along with the chip serial nos etc converted into a digest and signed by the CEC's smartcard.
(d) This will be authenticable by any of the smartcards meant for the election process.
(e) Use of smartcard+fingerprint could (in the software) be extended for use of citizen i card of the future, but thats a long unending story.
EVMs :
(a) EVMs to have internal code and memory authentication by using external smartcard and fingerprint of the respective operators (EVM authenticators, EVM certifiers, Polling officers and the counting officers etc, separately for each) so that EVM and its operators could authenticate each other.
(b) EVMs to have GPS module for date, time and location stamping. Also a smartcard reader and a fingerprint reader.
© EVMs to have internal audit trail, which can only be erased by state election officer after authentication as in (a).
(d) EVMs to have 'cover open' and 'core module exposed to light' logging.
(e) Some parts of EVM would always be energised by internal embedded battery to log (d).
(f) The internal circuitary/PCBs etc to be casted in low temp thermoset plastic to ensure that if the plastic is broken, the machine's functionality is destroyed. The prefered manufacturing technique would be COB (chip on board) with non-relaceable parts.
(g) EVMs will have a 'park' or 'pause' button to temporarily halt the process and could be again started by authentication process.
Process :
(a) All EVMs to be checked by state election officers and all data erased using the smartcard and finger print authentication and access mechanism. Process to be date, time and location stamped. Also, State
EC verifies the signature of the software, checks audit trail for misuse/malafied changes.
All EVMs parts inventory with serial nos, will be captured at the time of certification/authorisation into a secure database on a secure PC/server. This will also be captured and logged by the EVM.
(b) EC/election officers would program the EVMs to accept commands from various cards, whose authentication key and serial would be fed in by the EC/election officer. This process would be logged. There may be multiple cards authorised to operate on the same process. This would be the process followed a day prior to sending out polling
officers. All polling officers (their cards and FP) would be authenticated and authorised by the EVMs with the EC/election officer's cards. This would again be logged.
Similarly, counting officers would be authenticated on a specific date.
© All polling officers would be required to setup EVMs, set up the GPS and authenticate the EVM, letting the EVM authenticate the polling officer also. Also, permit the polling officer to do a trial run.
(d) Polling officer will authorise the EVM to start collecting votes by putting his card identifying him/herself with the fingerprint. The EC/state election officers could program the EVM to poll only on a specific date and preset time /time duration.
For authorising each voter, the polling officer's card will need to be in the separate reader, and s/he would press a button to authorise.
(e) the EVMs will keep all information encrypted and with a digest signed by the polling officer.
(f) At the close of the election, the polling officer would stop the process by putting his card and fingerprint, secure summary of data to be transferred to the polling officer's smartcard with date, time and location authentication.
(f) Polling officer would seal the machine and send it to the counting station along with his/her smartcard (to state election officer).
(g) The counting officer would authenticate each EVM and then access data along with the certification code, digest etc.
Additionally, the entire data of the day's polling would also be available in the polling officer's card, which could be used for authentication, tallying and as the voting data if the EVM is not available/does not function/is not readable.
This is a very brief process, catering to some vagaries of changes in polling officers, variation in dates, countermanding and rescheduling elections etc. but lot of other process features can be put in based on the ground realities.
I am sure that given a little time and resources, it is possible to greatly improve the voting process security and simplify security procedures.
<!--QuoteEnd--><!--QuoteEEnd-->
http://atula.newsvine.com/_news/2009/04/18...a-security-risk