Schneier on Security
A blog covering security and security technology.
May 3, 2010
Security Analysis of India's Electronic Voting Machines
They're vulnerable to fraud.
Posted on May 3, 2010 at 9:32 AM
Once you have physical access to the EVM - you can always do a lot. OTOH it is also easy to protect against such attacks and make life hard for the attacker.
The real question comes from risk management: is it better to use this system with some options to hack it by skilled people, vs. using a conventional paper system with a lot of options to hack it, by unskilled criminals.
If you consider the logistics involved in Indian elections then it seems to tip the scale in favor of the EVM.
What I think they do right is their own in house development rather than trusting the political will of private firms making their own products.
Not exposing the EVMs to independent testing is a fail.
Anyone seen a reply from India's government on this? It should be in the form of an open threat to arrest the researchers, joined with a denunciation of security research in general, followed by an explanation that it wasn't a current model assessed, ending with assurances that only criminals over the age of 14 could exploit the problem so it really isn't a big deal.
@BF Skinner: Your take on the expected reply made me want to laugh, but I just can't because... it's so true.
You know, IMHO, the EVM manufacturers seem to have soooo many problems implementing even the least bit of security and transparency in their products that I'm starting to believe that the struggle is more about finding a way to create fraud under the noses of the tech audits, rather than preventing fraud altogether.
Stories like this make me glad to live in a country that uses good old-fashioned paper ballots.
"electronic voting machines" and "vulnerable to fraud"... isn't that redundant?
Telling quote from the paper:
For example, the Election Commission of India, the country's highest election authority, asserted in an August 2009 press statement: "Today, the Commission once again completely reaffirms its faith in the infallibility of the EVMs. These are fully tamper-proof, as ever".
Wow... even the Pope doesn't walk around claiming to be infallible anymore. This is a red flag in itself.
Democracy = paper ballots.
Another issue: The software implementation is probably quite naive if the memory can be written so easily (with the clip shown), and no checksumming is done.
A proper cryptographic checksum on memory contents is standard practice in embedded software that at least tries to be secure.
There are a lot of other quite effective safeguards that can be used and are quite cheap to do, even on a huge scale such as India's.
It seems their real problem was too much pride in their design, and lack of proper review by others.
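As an added illustration of the cryptographic memory checksum the comment above describes (example code added here, not from the post or from any EVM vendor): the reference tag is an HMAC-SHA256 over the memory image, computed at certification and recomputed by the verifying equipment before polling. The key location, the sample image and the checks are assumptions made for this example; the point is that a tampered image which a plain additive checksum would still accept is rejected.

```python
import hashlib
import hmac

# Constructed sample "firmware image". On a real device this would be the
# program memory read back from the unit for verification (assumption).
FIRMWARE = bytes.fromhex("deadbeef") + b"EVM-FW-1.0" + bytes(range(256))


def naive_checksum(image: bytes) -> int:
    """Additive 16-bit checksum: the kind of non-cryptographic check that
    cannot distinguish reordered or compensated bytes from the original."""
    return sum(image) & 0xFFFF


def seal(image: bytes, key: bytes) -> bytes:
    """Keyed integrity tag (HMAC-SHA256) produced at certification time.
    Assumption: the key is held by the verifying equipment, never by the
    EVM itself, so a unit cannot mint a valid tag for modified contents."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify(image: bytes, key: bytes, tag: bytes) -> bool:
    """Recompute the tag over the memory read back from the device and
    compare it in constant time with the recorded reference tag."""
    return hmac.compare_digest(seal(image, key), tag)


def swap_bytes(image: bytes, i: int, j: int) -> bytes:
    """Reorder two bytes: the byte sum is unchanged, the image is not."""
    b = bytearray(image)
    b[i], b[j] = b[j], b[i]
    return bytes(b)


def set_byte(image: bytes, i: int, value: int) -> bytes:
    """Overwrite one byte of the image."""
    b = bytearray(image)
    b[i] = value
    return bytes(b)


def integrity_demo() -> dict:
    key = b"certification-authority-key (constructed)"
    tag = seal(FIRMWARE, key)
    swapped = swap_bytes(FIRMWARE, 4, 5)    # 'E' and 'V' exchanged
    flipped = set_byte(FIRMWARE, 14, 1)     # 0x00 -> 0x01
    return {
        "original_verifies": verify(FIRMWARE, key, tag),
        "naive_detects_flip": naive_checksum(flipped) != naive_checksum(FIRMWARE),
        "naive_detects_swap": naive_checksum(swapped) != naive_checksum(FIRMWARE),
        "hmac_detects_flip": not verify(flipped, key, tag),
        "hmac_detects_swap": not verify(swapped, key, tag),
    }
```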
Agreed. A physical medium is key. NTM it's worked just fine for millennia.
Not always so. Many paper-based systems are extremely easy to hack and are vulnerable. They are very simple when viewed from the citizen's point of view but it is just the tip of a big iceberg, that involves countless problems and opportunities to hack.
When you look at the whole food chain - it can be a complex system and the simplicity is only skin deep.
@Salach "many paper-based systems are extremely easy to hack"
As Boss Tweed is reported to have said when told they had run out of ballots: "Ballots don't count. Ballot counters count. Work on the counters!"
@uk-visa "Democracy = paper ballots"
Paper ballots = auditability
>many paper-based systems are extremely easy to hack and are vulnerable.
'Easy' how? When you're looking at an electronic voting black box, trying to verify it would start with electrical engineers and logic analyzers at every polling station. With paper ballots, it just takes a few concerned citizens and reps of each candidate to sit there and watch.
And a court system that will actually ALLOW the paper ballots to be re-counted.
- But I digress ...
Regardless of how any one method might be hackable, no method can be used to verify itself as well as two separate methods can be used in comparison to each other.
Wherever a system is claimed to be too perfect to need some means of alternate verification, I worry.
And, any claim that alternate means of verification are too expensive will likely come from those who didn't spend enough to prove their reliability claims.
The paper voting system used in the UK while not perfect would at least take the collusion of many people to perpetrate fraud.
The staff in the polling station and at the count would need to be in on the fraud and at least not object if not actively take part.
Unless an electric voting system with the checks and fraud prevention and detection mechanisms can be built then I would stick with the paper ballot.
>many paper-based systems are extremely easy to hack and are vulnerable.
Yes and no. It is relatively easy to "hack" a single urn. But how many people do you have to "convince", and how many votes do you have access to? You quickly get to the point where the effort or the amount of conspirators becomes too large for a reasonable, unidentified attack.
Take an EVM-based system, on the other hand (I talk about real-world EVMs, not what you _could_ do). All you have to do is manipulate a handful of people (for example, the inspectors of EVMs), and you have compromised in the worst case a whole city. Doesn't this sound like fun?
OT, but I don't think there have actually been any changes by the RCC in re claims of papal infallibility.
On topic, there needs to be a project by a government, a state, or a municipality to use an open source, transparent, tested, vetted e-voting system in actual elections. Has that been done yet, anywhere? Private companies worried about their IP are clearly never going to do this right, public closed source efforts will run afoul of the same problems, and transparent, open source efforts that aren't backed up by a governmental entity will never get beyond the demo stage.
You hit the nail on the head there. Any idiot can hack a paper system. All you need is a few people, or even one, replacing the paper with others, or otherwise tampering with the ballots.
Now, this EVM system seems particularly bad though.
I could envision a hybrid system, that spews forth paper tapes in a window on the machine that can be verified by the user before they leave the booth. Then your electronic version can be compared later. Then also provide the voter with a paper bar coded version, with their vote encrypted and encoded within the barcode for later verification at an entirely different station on a different day with different staff. If even a dozen people from each station verified their vote, it would confirm the vote wasn't tampered with. Then you have 3 pieces of data to ensure the vote is correct. But, of course, that opens the irrational fear that "the government" knows who you voted for (isn't that the whole fscking point of voting!?). Then just burn the records tying a person to a vote later. With a national crypto ID system, it would be trivial to implement.
Anyhow, this "paper only" attitude annoys me, because it's just more FUD. There are far easier ways to tamper with paper ballots than with electronic ones. You need massive levels of collusion to get into a properly built EVM system.
The hardest part of the voting is limiting how much a person can sell their vote. Punchscan tackled this years ago. I thought it was awesome and clever, but apparently it wasn't good enough. The same crew has been working on new code ever since.
By their rules, there were two parts to the problem. Ensuring the vote was processed as cast, i.e. they read the paper card right, and ensuring the vote was counted as processed, i.e. every vote counted in the right direction.
By splitting the problem in two parts, they found ways to do such accountability without giving enough information to let you prove to a third party that you voted one way or another.
@Brian: You seem to be missing an important point. If you have a few people hacking a paper system, you can change a few ballots. If you have a few people hacking an electronic system, you can change large numbers of ballots.
@David: What do we need with an e-voting system? Having an electronic counting system is useful, but we really do want it backed by a system with physical tokens that are awkward to handle in bulk.
And, as others have pointed out on past articles like this, we have long experience in dealing with the ways that paper ballots can be tweaked, and most places have set up methods which make serious vote fraud extremely difficult to pull off.
For example, here in Canada:
- Boxes containing ballots are generally sealed up and treated much like a 'chain of evidence'.
- Each political party can have its own observers at any point along the chain, including during the counting.
So it's difficult to seriously bias the counters when every party has its own hand-picked observers watching the counting. And any major mismatch in ballot boxes from start to finish tends to get red-flagged pretty quickly.
That's not to say there are never problems, of course: I've got friends who volunteer to man poll stations, and have heard of cases where ballot boxes got discovered on the floor of somebody's car after the counting was finished. (It had fallen off the back seat, and all the ones still on the seat got collected and counted.) And there were cases several years ago here in Ontario where poll volunteers got threatening phone calls and didn't show up as a result.
But in general, while it's easy to commit vote fraud on individual levels, it's much more difficult to commit fraud on a serious institutional level. You'd need a decent-sized conspiracy to affect multiple ridings in such a way as to make it unnoticeable by all the observers, at least some of whom are going to be opposed to whichever candidate you're trying to bias things for.
"It seems their real problem was too much pride in their design, and lack of proper review by others."
Being "Prideful" or "Obsequious", whilst not usually considered sins by those in charge, are certainly grievous ones for those who may suffer the consequences.
Both are often found in nations with a strong religious or patriarchal ethos (which is most these days).
As for paper ballots for vote tallying, one of the reasons they work is history. People have tried many ways to buy votes or change the results one way or another. Most have been thought of and thus can be spotted by those who are made aware of "the ways of the past". Unfortunately this is not true of more modern systems, not just EVMs (see the debacle about the UK Postal Vote system).
Part of this is "transparency": a paper ballot system is fairly easy to understand and is in general a closed system that lacks the ability to modify itself. Thus the inputs to it can be fairly easily controlled and monitored at all stages (providing those in charge allow it to be).
The problem with EVMs is there is no transparency that an ordinary individual can readily comprehend and thus check or trust, and they are inherently self modifying (as are mechanical counter systems).
The real advantage of EVMs for the voter is that IF (and it's a big IF) it is properly implemented it ensures full accountability from the voting machine up to the final tally, at a level not readily achievable by other means.
For any vote counting / tallying system to work it must first be simple, second transparent and third accountable from end to end, few if any systems achieve this.
However vote counting is just one small part of the problems in a "voting system". For instance how do you ensure that a person casts only one vote, and that it is not subject to external influence (prior or post casting of the vote).
This is a very hard problem in and of itself and usually involves a lack of transparency which conflicts with the requirements of tallying...
Importantly a voting system appears to require a transition stage where a verified and thus uniquely identified voter assumes the mask of secrecy to conceal the vote they cast, and that the instant it is cast the process is fully accountable again...
Thus there are three stages (voter identification, vote casting, vote tallying) that have to be not just reliable but provably reliable, one of which (casting) must allow full isolation between the other two.
With a paper system the casting process usually involves an element with no memory or traceability. That is, it allows a voter to pick a ballot paper from a pile they chose at random, mark the ballot in private, but ensures that the voter only places one ballot paper in the box.
It is perhaps the casting process that is going to be most difficult for people to have confidence in (think back to what happened in Germany with milk).
@Clive: What happened in Germany with milk?
Seriously, one of my most frequent ATMs (yes, by Diebold) goes a long way to add the security and auditability needed for check deposits. When depositing a check, the check is inserted and a photo of the check is taken. The depositor is asked to verify the check and the OCR-read check amount. The photo is printed on the receipt along with the depositor-confirmed amount. Presumably the MICR account information is also read.
- Voter votes via the ATM/Voting screen
- Voter confirms votes and has opportunity to change the vote.
- A MICR human readable printout of the vote is printed and carried over to the vote collector.
- Voter shows ID, signs the paperwork, and inserts the vote.
- On Insertion, the vote is re-read and displayed to the voter to accept or cancel. If declined, the vote card is returned to the voter and not counted. Voter gets to re-vote.
- On acceptance, the vote is immediately counted, vote tally updated, photo of the vote is sent to an electronically secure location
- The ballot is received directly into and stored in a secure receptacle until transferred to the central polling facility.
Total Vote Cards Submitted Count (not votes by candidate) is posted electronically in the room for ballot watchers.
Photos of votes are the first line of defense to ensure all recount votes make their way to central storage. Physical votes are the actual recount votes, first electronic rescan and second by visually reading a sample of the votes.
In a different order but every bit of this is done by the ATM today.
Now, let's have some fun with the electronic voting. Post 30 minute delayed vote totals throughout the day to a scoreboard by precinct. Watch Fox and CNN go nuts. On top of it, we get to have party cheerleaders and perhaps even have parties buy out small cable networks for the day. (QVC and the Vote Shopping Network). It will be like the NCAA championship game...
"What happened in Germany with milk?"
During the two elections of 1932 and third election of 1933 it is said that ballot papers in the mainly catholic rural German areas had serial numbers written on them in milk (acts like a secret ink in that when you warm the paper up the area with the milk shows up brown).
This was so that votes cast could be tied back to those who had made them.
While the hack itself is interesting, most of the commentators do not seem to grasp two points.
A. The 'untamperable' machine:
Clearly the Election Commission is a little over the board with claims of the machine being non-tamperable. However there are other process safeguards, that IMHO are a lot better than the corresponding ones for paper based voting systems
- Each voting machine is activated and then verified by reps of the parties who are monitoring the polling station before polling starts. Each rep enters a random number of votes for his candidate and the machine is moved to the voting-end state to display the counts, allowing reps to validate whether the counting is correct
- Once the real voting session is complete, the count from the machine is read out in the presence of the reps, written on a sheet, signed by the reps and the sheet and the voting machine are sealed.
- At the counting station, each machine count is verified against the counts written on the sealed and signed sheets
- Additionally, to understand vote manipulation you need to see videos of blatant voting booth 'captures' in earlier elections. Gangs of the party in power would move from one station to the next, 'capturing' the election observers and deployed police, stamping their candidates' symbols on voting slips en masse and then sealing the ballot boxes. Of course the process above can't stop a repeat of something like this, BUT the EVMs have a defined number of votes in a unit time (five votes in a minute), which allows normal voting to proceed but prevents low-tech attacks based on just repeatedly punching the button against one candidate.
B. The 'inevitability' of voting machines in Indian elections:
- Even with an average turnout around 60%, the number of votes counted in the recent general election was 417,156,494. That's around 80% of the population of the EU and 33% more than the population of the US (all Wikipedia numbers). How much time and money would be required to count them if this was a paper vote? And how many trees?
- There are many situations where a single seat is contested by more than 10 candidates, in some cases the figure is as high as 30. Given that a fair % of the electorate can't write and, in the past, depended on stamping a mark against the appropriate party symbol, how exactly do we handle a paper based vote, on A3 sheets? NB EVMs are chained to handle these situations
- Given the above facts anyone still think paper based voting makes sense in India?
Lastly, there is also an issue of cost wrt EVMs. In the general election in 2004 1,368,430 were used. Should be around 20% higher in the last general election. Apart from the pride factor, the other key factor behind in-house design and manufacture was the cost factor.
Let me make it clear that I'm all in favour of improving the 'untamperability' of the EVMs, but to suggest that we move to a paper based system seems ridiculous to me...
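A constructed model of the safeguards listed under A above (example code added here, not from the comment or from the Election Commission): a unit that enforces the stated five-votes-per-minute limit, the mock-poll comparison of the reps' own tally against the displayed counts, and the counting-station comparison of the sealed unit's readout against the signed sheet. The miscounting unit, the press log and the sheets are constructed to show what each check catches.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The page states that an EVM accepts at most five votes per minute.
MIN_SECONDS_BETWEEN_VOTES = 12.0


@dataclass
class VotingUnit:
    """Constructed model of one EVM control unit: per-candidate counts plus
    the rate limit that rejects button presses arriving too quickly."""
    counts: Dict[str, int] = field(default_factory=dict)
    last_accepted: Optional[float] = None
    rejected_too_fast: int = 0

    def cast(self, candidate: str, t: float) -> bool:
        """Return True if the vote was counted, False if the rate limit rejected it."""
        if self.last_accepted is not None and t - self.last_accepted < MIN_SECONDS_BETWEEN_VOTES:
            self.rejected_too_fast += 1
            return False
        self._record(candidate)
        self.last_accepted = t
        return True

    def _record(self, candidate: str) -> None:
        self.counts[candidate] = self.counts.get(candidate, 0) + 1

    def readout(self) -> Dict[str, int]:
        """Counts shown when the unit is moved to the result-display state."""
        return dict(self.counts)

    def clear(self) -> None:
        """Reset after the mock poll, before real polling starts."""
        self.counts = {}
        self.last_accepted = None


class MiscountingUnit(VotingUnit):
    """Constructed faulty unit: every third recorded vote is credited to 'A'
    whatever button was pressed. Exists only to show the mock poll catches it."""
    def _record(self, candidate: str) -> None:
        total = sum(self.counts.values())
        super()._record("A" if total % 3 == 2 else candidate)


def reconcile(reference: Dict[str, int], observed: Dict[str, int], stage: str) -> List[str]:
    """Compare two tallies candidate by candidate; one line per discrepancy."""
    problems: List[str] = []
    for cand in sorted(set(reference) | set(observed)):
        r, o = reference.get(cand, 0), observed.get(cand, 0)
        if r != o:
            problems.append(f"{stage}: {cand} expected {r}, machine shows {o}")
    return problems


def mock_poll(unit: VotingUnit, presses: List[Tuple[str, float]]) -> List[str]:
    """Pre-poll check: reps press for their own candidates, keep their own
    tally of accepted presses, and compare it with the unit's readout."""
    reps_tally: Dict[str, int] = {}
    for cand, t in presses:
        if unit.cast(cand, t):
            reps_tally[cand] = reps_tally.get(cand, 0) + 1
    return reconcile(reps_tally, unit.readout(), "mock poll")


def counting_station_check(signed_sheet: Dict[str, int], unit: VotingUnit) -> List[str]:
    """Post-poll check: the sheet signed at the polling station must match
    the counts read from the sealed unit at the counting station."""
    return reconcile(signed_sheet, unit.readout(), "counting station")


# Constructed press log: 12 s apart, except one press 3 s after the previous one.
MOCK_PRESSES = [("A", 0.0), ("B", 12.0), ("B", 15.0), ("C", 24.0), ("A", 36.0),
                ("B", 48.0), ("C", 60.0), ("A", 72.0)]


def safeguard_demo() -> Dict[str, object]:
    honest, faulty = VotingUnit(), MiscountingUnit()
    honest_mock = mock_poll(honest, MOCK_PRESSES)   # expected: no discrepancy
    faulty_mock = mock_poll(faulty, MOCK_PRESSES)   # expected: A and C disagree
    honest.clear()
    for i, cand in enumerate("ABABCAAB"):           # constructed real poll
        honest.cast(cand, 1000.0 + 12.0 * i)
    sheet_ok = {"A": 4, "B": 3, "C": 1}
    sheet_bad = {"A": 4, "B": 2, "C": 1}            # transcription error on B
    return {
        "honest_mock": honest_mock,
        "faulty_mock": faulty_mock,
        "rejected": honest.rejected_too_fast,
        "sheet_ok": counting_station_check(sheet_ok, honest),
        "sheet_bad": counting_station_check(sheet_bad, honest),
    }
```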
Considering the country, India, EVMs are far more secure than paper ballots.
Breaking EVMs requires technical skill, stuffing ballot boxes requires simple brute force to threaten the guy counting/transporting the ballot boxes.
It's pretty cheap to hire a couple of dozen thugs in India and print a few hundred fake ballots. Have the thugs intercept the guy transporting the ballot box, replace the votes in the box, pay a hefty bribe to the guy collecting the boxes to overlook the tampering and you're done.
Tampering with EVMs takes considerably more effort and for the time being, at least, is not as easy or convenient as tampering with paper ballots.
Argument A) it is fairly easy for a manipulated machine to detect a test run and work correctly during tests. Heck, even refrigerators do this nowadays.
Voting booth captures are a separate problem. If a booth is captured - manipulating paper and electronic votes is always possible. It is a social (police) problem that can not be addressed by technology.
Argument B) costs: paper is cheaper. period. And it does not cost trees. ballot paper can be made from bamboo or recycled paper. And it does scale - one can count every booth, others can probe the results of different voting areas. EVMs have to be bought or leased and maintained. For verification reasons a paper trail is still necessary (no saving on ballot paper). Usually EVMs come with a service contract attached. Some numbers from a NEDAP-offer (in Germany): 74 used machines for 240.000EUR. plus about 20EUR per election for labelling and service.
A normal paper ballot comes for 2 cent. It is quite hard to construct a scenario where EVMs are favorable.
regarding oversized ballots: the last one I used was the width of A4 and around 1m long. It can be done obviously. Side note: some voting booths had no curtains all the way down to the floor, only around the table top - if one could see the long end of the ballot dangling around the voter's knee one could assume that the voter was not voting for certain parties on the lower half of the ballot :-)
@Dst2: technical skill? we are talking India here, are we? The country where IT is outsourced to? This does not seem a hindrance to me for manipulating votes.
Printing a few hundred ballots? This requires logistics, because a few hundred will not suffice for changing an election with half a billion voters. One needs thugs, bribes for printers, counters, transportation and so on. Many possible whistle blowers.
For EVMs it might be between two elections in a central storage, or some travelling service personnel with some firmware update might have access prior to elections. Very few people need to know and very hard to detect.
To me it seems more convenient to tamper with electronic votes than paper ballots.
A. I was talking about the safeguard process in general, not just the test run. Also there is no separate 'test mode' that you refer to; the same 'production mode' is used during the mock and actual ballot.
B. The cost of each EVM is around Rs 5,500 in 1990, say 1.5 times that as of today (ignoring economies of scale and reduction in electronic component costs), that would be around EUR 140. But the more important cost is the cost of people and infrastructure needed for counting 417,156,494 votes. And we're not even talking about the number of invalidated/ miscounted paper votes here...
Re your next post you talk about not being able to scale a paper ballot attack, but the same applies to EVMs as well.
The hack requires physical access to the EVM. Let's leave aside the matter that practically any device can be compromised once physical access is gained, but how do you scale the EVM attack to affect the overall results given the very large number of EVMs and constituencies in play? Surely the 'many possible whistleblowers' bit applies here as well?
Again, let me state that I don't believe the EVMs to be 100% tamper-proof and I'm all in favour of improving the 'untamperability' of the EVMs, but to suggest that we move to a paper based system IS ridiculous
@AC2: I did not think that there would be a test mode. I just assume like in the example with the refrigerator (cf. the link) that the device can detect if it is tested or not (e.g. pattern of pressed buttons, time between button actions, time between boot process and result print and so on).
On costs: clearly I do not know how much the actual EVM in India costs. I only have numbers for Europe. In any case TCO is usually higher than for paper ballots. Counting paper ballots is done by people without extra payment. One can also think about civil servants for this occasion. The time of these people is the cost of democracy one might argue.
On scaling of possible attacks: to change votes in many voting districts in a significant way one has to have real sophisticated logistics (faked paper ballots in sufficient amounts, bribed officials etc.) - using EVMs all it takes is tampered firmware code. Installing this firmware can be done by totally unsuspecting officials during scheduled service cycles.
I do not know the technical details of the EVMs in India but in Europe it was demonstrated that devices by NEDAP were essentially computers - a court proceeding was won: the manufacturer claimed that the EVMs were no multi purpose machines like computers but electronic devices with a fixed task. Some clever people got hold of a NEDAP EVM and could implement a chess engine. Case closed.
It was also demonstrated that all it took was some 30sec with the device (e.g. in the voting booth) to exchange the programming - how about a subtle change that only takes effect if the desired candidate is actually losing? Some slight shifts of some minor % in the 'correct' direction?
Another problem is the possibility of tempest attacks. It was demonstrated that it was possible to read out the screen and/or pushed buttons from the outside thereby compromising the secrecy of the ballot. This might be a major problem just like serial numbers on paper ballots to the freedom of choice (find a 'traitor' ?)
I have attended some lectures and workshops and discussions regarding electronic voting, including David Chaum's proposal for encrypted voting and so on. It boiled down to "do I trust a black box?". Paper voting is imho still the only method that is transparent and revisable by ordinary people. Every form of electronic voting requires expert knowledge and is not revisable. It can be checked only by comparison to a paper trail. And if the paper is produced anyway the only advantage is convenience to have a result shortly after the closing of the booths. This does imho not satisfy the loss of transparency and secrecy.
As the hackers have demonstrated the only way to change the firmware/ memory/ display and/ or install a wireless access chip is to open up the EVM. Are you really saying that this can be done in 30 secs in the voting booth while the election is in progress without the collusion of the election officer and candidate reps? Sounds like something that would require the presence of Tom Cruise/ Daniel Craig.
Of course corruption of the election officer/ reps before/ during the poll, or transport/ security after the poll is just as possible with paper ballots and the economics of doing this ARE favourable.
The other option you have pointed out is manipulating the firmware upgrade by corrupting a 'scheduled upgrade'. Now unless this scheduled upgrade includes the installation of a wireless chip, the code in the firmware would have to be something REALLY smart if it can a-priori figure out which candidate needs to be favoured, given that the determination of which candidate is No 1, 2 etc is done just before voting commences. The authors of the paper have argued that this order can be predicted, but anyone familiar with Indian politics can assure you that it isn't even possible to predict exactly which parties will contest a given seat, let alone which candidate.
Alternatively the firmware could succeed based on a certain sequence of button pushed at the polling booth to let the machine know which candidate to favour. Or based on the voting pattern, where you stack the first say 10 votes at each booth with the candidate of your choice, which tells the firmware which candidate to favour. Seems a BIT difficult to do across several polling booths and constituencies.
So for a successful hack, that doesn't involve a chain of colluding officials, you would need
- Physical access to all EVMs in 'swing' polling areas/ constituencies
- Installation of firmware + wireless chip for a definite outcome
- Installation of firmware changes + organising the necessary button pushes at each polling booth for a somewhat variable outcome
- A favourable cost/ benefit/ risk scenario
We have moved away from paper completely in some places, say for financial transactions. These systems have improved over time, no reason why the EVMs can't.
@AC2: ok, i've found some newspaper article on this topic: http://preview.tinyurl.com/evmvote
(headline: election fraud in 60 seconds)
Betting the security of the vote on the chaotic process of assigning contestants seems a bit meager to me. It might be sufficient if the entropy is big enough but I do not have an idea how to prove that.
One scenario could be a certain pattern of button pushes to 'tell' the EVM how to handle the votes (just like a computer backdoor looking for a specific port knocking pattern). Unlike a raid of the office by a mob or/and bribing officials this can be done in the seclusion of the voting booth by a regular looking voter.
How can someone verify the authenticity of the code running on the EVM? How good is the chain from the certification process to the actual EVM protected? Signatures? Hardware encryption? Algorithms? Implementation bugs? This can not be checked by a normal person. One has to trust a 'black box'. This is a political decision of transparency/trust vs. convenience/costs.
As for the comparison with paperless transactions: society makes choices. It might be an acceptable risk to have no paper trail on financial transactions - but these are mostly with a different requirement profile. Transparency might not be an issue. It could be only a small nuisance if something goes wrong and it is possible to reimburse.
If the fate of an election is at stake the problem for society is some orders of magnitude bigger, imho. Forging votes that e.g. do not violate Benford's law is quite tricky - having votes forged using the EVMs can minimize the risk of detection. Do not assume that the current state of society is fixed for the next decades. Imagine an aspiring dictator with the ability to legitimize its regime by correct looking votes. Using paper ballots international election observers can watch the counting and take notice of anything fishy. Using EVMs they have to rely on the correctness of the printout in the evening. If I were a dictator I would make electronic voting obligatory. All it takes is an inside man in the manufacturer's office - much cleaner than unwashed mobs or having to bribe sweaty locals :-)
One of the interesting mechanisms in the UK is that while both the polling station and the count are manned by unbiased local government workers, representatives of candidates audit the process.
At the polling station, tellers representing candidates may stand outside, and may ask voters leaving the polling station for their number on the electoral roll. (Voters are under no obligation to answer.) This being a pretty thankless task, the representatives of all the parties typically huddle together. It means that the parties know exactly how many votes to expect from any polling station. Well organized parties, with good records, have a good idea of the distribution too.
At the count, scrutineers representing the candidates may attend the count. They do not count the votes, but watch the officials opening the boxes, who are sorting and counting the votes. Scrutineers may highlight any errors they see, which are then corrected in view of the other scrutineers. In the event of an ambiguous mark on a ballot paper, the convention is to ask the scrutineers if they agree how to count the vote. If they do not agree, it is not counted (strictly, it is a spoiled ballot).
It is a nice set of checks and balances that means that someone trying to attack an election has hostile opponents (the other parties) in just the wrong places. (Interestingly, most of the recent cases of fraud in UK elections have been around postal voting.)
@Z Losinski: postal voting is a permanent issue. It is possible to verify a voting decision by a third person (think about the husband 'making sure' that his wife votes 'correct') or even to sell a vote. As long as the number of postal votes is small enough not to have any impact on the outcome of an election it is tolerated - but if more and more people should switch to postal voting (e.g. to avoid EVMs) we should reconsider the handling of postal votes.
@Clive Robinson - German milk
Who needs to go to such complicated lengths? When I vote in the UK on Thursday my ballot paper will be numbered and my voter number (which identifies me) will be entered onto a separate counterfoil. Anybody who wants to check on how I voted only has to correlate the two. I also believe (but may be wrong) that the ballot papers and the counterfoils are retained for a period of time.
The easiest way to tamper with an EVM election is to kill the power to the building. Imagine if the blackout in 2003 had occurred on an election day.
What struck me was a total absence of _any_ kind of cryptography.
Haven't read through all the comments, but those who are recommending paper ballots need to google some more about Indian elections before the EVMs. "Fraud" doesn't even begin to describe them.
The only way to make tamper-resistant hardware is to randomly get the hardware from a large number of suppliers and protect it. Then, we turn a simple technical problem (hacking firmware) into a huge logistical problem that requires tons of compromises. So, if you think your processor has a back door, write the app cross platform, find a supplier list of usable chips, and randomly pick one. Part of "usable" entails hardwired keys or security functionality demanding a specialized hardware attack. Additional costs, but the odds of compromise are very slim. The counting or server-side systems should use high assurance dev. methods, use hardware crypto to support security goals, and certified against active TEMPEST attacks.
I'm actually for a paper-backed electronic system. The electronic system should be made for COTS hardware platforms, maybe retail kiosks or something, be open source and meet EAL5/DO-178B software development quality standards. I think solving software-level security will be easier if we stop thinking of evoting as one whole thing: split it up into many interacting components or layers, solve each one, and then integrate them carefully. This is how high assurance happens in large or complex systems. I think we can do the same thing in eVoting, which definitely qualifies as complex. The hardest part, in my mind, is going to be usability: any high assurance, secure voting scheme must be usable by the dumbest, most gullible person in America. That's the hardest problem in IT security. A quote always comes to mind:
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." (Rich Cook)
@IndiaAnon: do you have a link to some reports? I just imagine the 'booth captures' described by AC2 at May 4, 2010 2:02 AM. Sounds quite terrible and obvious to me. Anyway - I still would prefer a system where fraud can only be achieved via obvious means and with a high risk of being witnessed and detected over a system where I would have to rely on the integrity of a black box.
If the books I read are somewhat correct, even in the early 20th century elections in cities like New York were full of incidents of repeated voting, ballot boxes floating in the river and so on. Society progressed and so will India's society. But if blatant manipulation is no longer tolerated or possible, it should also not be possible to take a shady back door with tampered firmware. Something that cannot be spotted easily by election observers or voters, or even explained in simple terms to uneducated people.
Paper voting is not perfect - but I see no better alternative.
OK, last post here
Saw the video from the link. It can be done in 60 secs when you have 2-3 people, no seals of any kind on the access to the motherboard and a secluded area where no one can see what you're doing. This is NOT POSSIBLE at a polling booth in the manner you describe, without the collusion of the election officer and candidate reps. I too have listed the 'arranging a certain sequence of buttons' attack, once you have had a chance to update the firmware.
I do agree with the other questions you have posed ("How can someone verify the authenticity of the code running on the EVM?" etc.) and this I believe is what we need to solve. In this regard I hope the Election Commission takes careful note of this research and addresses the deficiencies highlighted, rather than burying the report under assertions that everything is fine.
But again we must agree to disagree that the solution (at least for Indian general elections) is a move to paper based voting! The comparison to financial transactions remains valid, as even there, as you have mentioned, there are mechanisms to provide recourse.
Re dictators and international observers, what if, the EVM was made to an open and independently validated security architecture, that included a checker spec. International observers (who ARE experts) would carry their own checkers built to that standard and validate the EVMs?
The EVM runs entirely on batteries as many places in India have no power. And no, removal/ drain of the batteries doesn't cause the EVM to lose state/ counts.
@ Nick P
You are talking about a massive increase in cost in your first suggestion. I think the idea of open system with independent checkers described above would be better.
Of course this is not to say that the problem can be solved entirely by building a better EVM. A large amount of attention is also needed on the checks and balances built into the election process and how the EVM feeds into it. It is not an 'IT Security' problem in my mind...
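On the question raised above ("How can someone verify the authenticity of the code running on the EVM?") and the idea of observers carrying their own checkers built to an open spec, here is an added example that is not part of any commenter's post and not based on any real EVM design. It illustrates the one rule such a checker has to follow: hash the firmware bytes you read out of the device yourself, never the hash the device reports about itself, because tampered firmware can simply answer with the expected value. The firmware images, the reference manifest and the device model are all constructed for illustration; the version string and hash values are hypothetical.

```python
"""Added example (hypothetical checker), not code from the original post or
from any EVM vendor or election commission.

The 'checker' compares a SHA-256 of the firmware against a reference manifest,
as an open architecture spec might publish one. Two ways of obtaining the
hash are contrasted: asking the device (untrusted) and dumping the flash part
independently (what an observer's checker must do).
"""
import hashlib
import hmac

# Constructed toy firmware images; not real EVM firmware.
GOLDEN_IMAGE = b"EVM-FW v1.0: tally = count(presses)"
TAMPERED_IMAGE = b"EVM-FW v1.0: tally = count(presses) + bias"


def sha256_hex(image: bytes) -> str:
    """Hash a firmware image the way the (hypothetical) open spec would."""
    return hashlib.sha256(image).hexdigest()


# Reference manifest, derived here from the toy golden image (constructed).
MANIFEST = {"EVM-FW v1.0": sha256_hex(GOLDEN_IMAGE)}


class Device:
    """Toy EVM: holds a flash image and answers a 'report your hash' query."""

    def __init__(self, flash: bytes, lies: bool = False):
        self.flash = flash
        self.lies = lies

    def self_reported_hash(self) -> str:
        # Tampered firmware can return the golden hash regardless of what
        # is actually in flash; nothing forces it to hash itself honestly.
        if self.lies:
            return MANIFEST["EVM-FW v1.0"]
        return sha256_hex(self.flash)

    def external_dump(self) -> bytes:
        # Bytes an observer reads directly from the flash part (e.g. with a
        # programmer clip), bypassing the device's own CPU and firmware.
        return self.flash


def check_self_report(dev: Device, version: str) -> bool:
    """Naive checker: trusts the device's own answer. Fooled by a liar."""
    return hmac.compare_digest(dev.self_reported_hash(), MANIFEST[version])


def check_external_dump(dev: Device, version: str) -> bool:
    """Spec-style checker: hashes bytes it obtained independently."""
    return hmac.compare_digest(sha256_hex(dev.external_dump()), MANIFEST[version])


if __name__ == "__main__":
    honest = Device(GOLDEN_IMAGE)
    rigged = Device(TAMPERED_IMAGE, lies=True)
    print("honest, self-report  :", check_self_report(honest, "EVM-FW v1.0"))    # True
    print("rigged, self-report  :", check_self_report(rigged, "EVM-FW v1.0"))    # True: fooled
    print("rigged, external dump:", check_external_dump(rigged, "EVM-FW v1.0"))  # False: caught
```

The practical caveat is that an independent dump is only possible if the design lets the observer read the firmware out of the part without going through the firmware itself; a controller that refuses external readout leaves the checker nothing independent to hash, so an "open and independently validated architecture" has to specify that readout path, not just publish the reference hashes.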
@AC2: thanks for replying. During the last elections with EVMs in Germany there were actually seals on the devices. Some observers took some pictures - it was plain paper with a scribble. No hologram, no stamp, no special paper, no nothing. Easy to replace. And this was not in a test setting but in an actual election (due to the deficiencies of the EVMs in the last election the German federal constitutional court ruled this year that these devices do not fulfill the requirements for a transparent election and banned these devices).
Even if the EVMs are as secure as they can get - there is still the problem of possible TEMPEST attacks and of identifying individual votes (selling of votes becomes possible, identifying 'traitors' as well). And the problem of transparency. Even if the source code is open source, the hardware open and documented - it would require a mathematical proof that the compiled firmware is safe. There are possibilities that a compiler can introduce backdoors into a program from a certified source code. Granted, this is more sophisticated than simply overrunning voting offices or replacing a chip - but the stakes are high. More important than the correct functioning of an ATM.
And if everything is really safe and checked - who can follow the arguments? Some skilled IT experts? Or the average voter? A voter could witness the counting and make personal notes on the numbers and do the adding himself - with an EVM the voter simply has to trust a black box.
All 'if's aside: afaik all manufacturers of EVMs hesitate to fully disclose the architecture and the source code of their devices. Company secret. Maybe some experts are allowed to check a certain build, but they have to sign NDAs and nobody can prove the code that is actually in the delivered EVMs.
Maybe in India EVMs are more convenient than paper and nobody cares enough to challenge this, but I am really very glad that in my country voting is done on paper ballots. But YMMV.
The cost is easily justified: the cheaper alternative fails to meet the key objective of trustworthiness. And the scheme I mentioned *would* be very expensive. I mentioned it to illustrate just how hard and costly electronic voting systems with no paper backup are to implement. In your posts, you've consistently underestimated the problem. There can be no practical weak links in the security chain, as attackers will hit them with all they have.
You are right that this is not an IT security issue. The digital aspects are, but it's overall a "systems" security issue. The system is the voting process and its components are all the people, procedures, equipment, etc. Any solid security initiative must look at the system as a whole. However, once system analysis determines requirements for the IT aspects, meeting those requirements *is* an IT security problem.
My solution mitigates a ton of risk at great cost. The thing to remember about cost is that one must consider how much monetary value adversaries place on a vulnerability. In this case, a well-funded attack could determine the next person or persons in office. How much is that worth to attackers? How much ROI would they get from planted officials? Would they be willing to spend a million dollars or tens of millions to do this? Whatever attacks the attackers can afford, the election system must counter to be secure. The scheme I proposed assumes well-funded, sophisticated attackers. The Indian scheme assumes incompetent, broke attackers with no technical skill. I just think that's a poor assumption. They need to revise their threat model, then go from there.
"...Electronic Voting Machines: They're vulnerable to fraud."
That's not a security problem. That's a design feature.
Besides, democracy *is* a fraud, as obvious to anybody who spent a few seconds actually thinking about the claim that democratic regimes somehow "represent" all their subjects.
What it argues for is a double or triple redundant system where ballots are cast in 2 or 3 different systems.
That way, there are 2 or 3 means to independently validate votes.
The paper balloting system obviously is the most secure, and as seen with the recent UK elections a hung government was the outcome, so if there was any tampering that would not have been an outcome from vote rigging.
I want help in analysis of electronic election systems.
Please help me!
The design, mechanism of the system and an overview of the electronic voting system - give me more.
Manufacturing and implementation of electronic voting machines were done for election purposes, for people's casting and counting of votes, till date.
It has major advantages over the paper ballot method used previously. Trial tests done before use for live casting of votes by people are essential and crucial for finding any defect in the EVM, i.e. software, hardware, firmware.
A question which comes to my mind is: can't we use electronic voting machines not only for election purposes but also effectively as a survey tool?
1. finding out favorite television channel screened.
2. favorite holiday – tourist spot destination.
3. favorite sportsman
thanks & regards,
prashant s akerkar
(Information Technology Professional, Mumbai,Maharashtra,India)
Another point, as mentioned in my previous email: can't we design and manufacture electronic voting machines in the near future which will be integrated to work with different applications?
1. voting - elections, polling domain.
2. voting - television media, entertainment domain - finding out favorite television channel, favorite movie in theatres screened.
3.voting - travel, tourism domain - favorite holiday – tourist spot destination.
4. voting - favorite sportsman - sports domain.
The EVM manufactured as an integrated unit will work similarly to the integrated printer, scanner and fax machine functions combined into a single device on the market.
The electronic circuitry will work when one of the functions is activated while the other functions are deactivated, i.e. for example if used during voting in elections, the other functions will be deactivated. The EVM will be a portable device as before in terms of design. The software will be customised as per the functions, i.e. the EVM catering to different domains.
Awaiting your inputs , views and thoughts.
Thanks & Regards,
Prashant S Akerkar
It would be feasible to manufacture electronic voting machines separately for different domains, from a security point of view, to be effectively used as a survey tool.
For example:
electronic voting machine - polling domain - public places
electronic voting machine - retail domain - retail markets, shops
electronic voting machine - entertainment domain - theaters, auditoriums where movies and plays are screened/displayed.
electronic voting machines - art, architecture domain - art galleries, museums.
Other places could be airports - aviation domain, hospitals - healthcare domain etc.
Thanks & Regards,
Prashant S Akerkar
When intelligence thinks it is now fool-proof, wisdom waits for its failure. Both have the right opinions. What matters is the time.
The same applies to the people who select the new school and discard the old school. In countries like India, both methods of voting are needed equally: paper voting for authenticity and human auditing, along with a distributed EVM system for easy counting and fast results. After all, voting is a serious matter of selecting the rule makers.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.