Monday, May 10, 2010

Oops for Indian Electronic Voting Machines

I was pointed to the video below by an article on slashdot on this topic. The researchers show how to tamper with an EVM so that it shows wrong vote counts after the elections. Let me know what you think, especially about whether this can be done in a real scenario on a meaningful scale.

Update: Link to website, which has abstract, and link to paper.

[Note their use of an Android app to reprogram the display :)]

Personally, I would prefer a EVM-based system where the machine also printed out a paper ballot, which the voter could see and then put in a box. The main counting happens via EVM, but in case of a lawsuit, the paper ballots could be used to verify the results. Total cost will not be much more than the earlier system, while still retaining the security and anonymity.

So, what say?


  1. Nothing is tamper-proof. One can only make it difficult to tamper. The ways shown in the video are really difficult in a real life situation because of the security procedures taken. No one has that much time to change the display board with that bluetooth chip in a real life situation.

    If the government authorities abet in result tampering then that can be done even on the conventional paper and stamp way that we used to have earlier. Moreover there are thousands of such machines during an election. One has to tamper a lot of them to really make a difference. So, I think we are in safe hands as far as election results are concerned. Or atleast EVMs haven't made the situation even worse.

  2. Anonymous3:48 AM

    Trust can never be a base to democracy, Vote verifiability is needed which lacks in these machines. Scandals & Scams happen with insider support and you can't negate insider threat with checks & balances. Don't defend technology with C&B make the machines tamper proof or atleast difficult to manipulate. The video showed things that are practically possible while checking the machines by technicians(not from ECI) before elections. Improve the system rather attacking the critics.

  3. in scenario 1:
    you need to involve poll workers who can change the control unit. now this means having a inside man in each polling station which is quite difficult. and if someone has such resources then no polling way can stop that.
    scenario 2: changing in strong room is even more difficult.
    scenario 3: doesnt exactly give how to change chips but yes its true that having a non "open source" software is always more risky (atleast thats what we are taught by kks sir :P).
    there should be a way to verify the integrity of the machine software.

    even in having a polling EVM with ballots the inside man can change the ballot slips even. but will surely give another deterent. another better way would be that user can have a copy of that vote but in case of india that would be quite harmful for that users health outside the polling booth :)

    and as per recent trends accepted by all political parties tampering has been much less after introduction of EVM's than before.

  4. As SR points out, if this has to be done, you need an "inside man" in every polling station. Something similar to "booth capture" and "stuffing ballots" that was common during the ballot paper era. There are thousands of polling stations and the tamperers would need to bribe/buy a lot of people to pull this off. Too risky and cost intensive - that is why parties have switched to straightforward vote buying nowadays (better returns for the money spent)

  5. I agree with the other commenters. Physical tampering can be done with any device, and preventing it is the task of the election commission, not of security researchers. These people replace the display panel, clip a device to the memory chip, etc: why not just replace the entire device with a fake look-alike? Any machine can be "attacked" in this way, and so can an old-fashioned ballot box.

    The question for security researchers is whether an untampered device can be misused. The answer proved to be "yes" with Diebold, but there is no evidence that Indian EVMs are insecure in that sense.

  6. @All: I agree to your point that this method is hard to scale to large numbers, and indeed, hardware hacks are hard to do.

    @Rahul: Not sure I get your point about Diebold. The exploit I know of used a key from a hotel minibar to open the box and replace the SD card. Does that not count as tampering the device? Links to other types of non-invasive attacks on Diebold will be much appreciated.

  7. Animesh: Here you go. (cut-pasting from my comment on Abi's blog)

    (Quote: " Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We identify several problems including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. We show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal software. Furthermore, we show that even the most serious of our outsider attacks could have been discovered and executed without access to the source code. In the face of such attacks, the usual worries about insider threats are not the only concerns; outsiders can do the damage. That said, we demonstrate that the insider threat is also quite considerable...")

  8. @Rahul: Thanks a lot. If this were slashdot, I would vote your comment +1(Informative) :).