Security Analysis of India’s Electronic Voting Machines
Hari K. Prasad J. Alex Haldermany Rop Gonggrijp
Scott Wolchoky Eric Wustrowy Arun Kankipati Sai Krishna Sakhamuri Vasavya Yagati
NetIndia, (P) Ltd., Hyderabad The University of Michigan
April 29, 2010
Abstract:
Elections in India are conducted almost exclusively using electronic voting machines developed over the past two decades by a pair of government-owned companies. These devices, known in India as EVMs,have been praised for their simple design, ease of use, and reliability, but recently they have also been criticized because of widespread reports of election irregularities. Despite this criticism, many details of the machines’ design have never been publicly disclosed, and they have not been subjected to a rigorous, independent security evaluation. In this paper, we present a security analysis of a real Indian EVM obtained from an anonymous source. We describe the machine’s design and operation in detail, and we evaluate its security, in light of relevant election procedures. We conclude that in spite of the machine’s simplicity and minimal software trusted computing base, it is vulnerable to serious attacks that can alter election results and violate the secrecy of the ballot. We demonstrate two attacks, implemented using custom hardware, which could be carried out by dishonest election insiders or other criminals with only
brief physical access to the machines. This case study contains important lessons for Indian elections and for electronic voting security more generally.
1 Introduction
India is the world’s largest democracy. In recent national elections, more votes were cast than the combined population of the United States and Canada [55], and the vast majority of voters used paperless directrecording electronic (DRE) voting machines [30]. Though paperless DREs have been largely discredited in the academic security literature (e.g., [7, 8, 12, 13, 20, 31, 32, 39]), Indian election authorities continue to insist that the electronic voting machines used in India, widely referred to as EVMs, are fully secure. For example, the Election Commission of India, the country’s highest election authority, asserted in an August 2009 press statement: “Today, the Commission once again completely reaffirms its faith in the infallibility of the EVMs. These are fully tamper-proof, as ever” [27]. As recently as April 26, 2010, Chief Election Commissioner Navin B. Chawla was quoted in the media as saying the machines were “perfect” with no need for “technological improvement” [3]. To justify these claims, officials frequently cite the design of the EVMs, which is vastly simpler than that of most other DREs used globally, and a series of procedural safeguards. However, the details of the machines’ design have been a closely guarded secret, and, until now, they have never been subjected to a rigorous independent security review.
In this paper, we analyze the security of India’s EVMs and related procedural safeguards. We show that while the machines’ simplicity makes them less susceptible to some of the threats faced by DREs studied in prior work, it also subjects them to a different set of highly dangerous attacks. We demonstrate two attacks that involve physically tampering with the EVMs’ hardware. First, we show how dishonest election insiders or other criminals could alter election results by replacing parts of the machines with malicious
look-alike components. Such attacks are made far simpler and cheaper by the EVMs’ minimalist design, and they could be accomplished without the involvement of any field-level poll officials. Second, we show how attackers could use portable hardware devices to extract and alter the vote records stored in the machines’ memory, allowing them to change election outcomes and violate ballot secrecy. This attack is technically straightforward because the EVMs do not use even basic cryptography to protect vote data internally. It could be carried out by local election officials without being detected by the national authorities or the EVM manufacturers’ agents.
Though EVM manufacturers and election officials have attempted to keep the design of the EVMs secret, this presents only a minor obstacle for would-be attackers. There are nearly 1.4 million EVMs in use throughout the country [29], and criminals would only need access to one of them to develop working attacks. Dishonest insiders or other criminals would likely face less difficulty than we did in obtaining such access. There are many other possibilities for manipulating Indian EVMs, both with and without the involvement of dishonest election insiders. Depending on the local context and security environment, the nature and scale of potential manipulations may vary, but neither the machines’ simplicity nor their secret design keeps them
safe. This study establishes that the EVMs used in India are not tamper-proof and are susceptible to a range of attacks. The use of similar paperless DREs has been discontinued in California [9], Florida [33], Ireland [1], the Netherlands [22], and Germany [11]. Indian election authorities should immediately review the security procedures now in place and should inspect all EVMs for evidence of fraud. Moving forward, India should consider adopting a voting system that provides greater security and transparency, such as paper ballots. Research Contributions
1. We present the first rigorous, independent security analysis of the electronic voting system used in India and find significant security flaws that compromise the integrity of results and the secrecy of the ballot. These machines use a vastly different design than most other DRE voting systems studied in the literature, and we describe it in greater detail than was previously available to the public.
2. We explore the role of simplicity in electronic voting security. Previous studies have focused on problems caused by software complexity and have proposed minimizing the size of the trusted computing base (TCB) as a partial remedy [51]. India’s EVMs use an extremely simple design with a small software TCB, yet we find that this makes physically tampering with the devices relatively easy. These findings underscore that the problems with DREs are due not only to complexity but also to lack of transparency.
3. We perform the first major security study of an electronic voting system used in an emerging nation. Voting systems in India must satisfy different constraints than systems used in the United States and Europe, which have been the focus of research to date. The Indian EVM manufacturers are exporting machines to other countries, including Nepal, Bhutan [2], and Bangladesh [41]. Mauritius, Malaysia, Singapore, Namibia, South Africa and Sri Lanka are reportedly considering adopting similar systems [2]. We outline some of the challenges of deploying electronic voting in an emerging nation. This provides a starting point for future
research into designing voting systems that meet the needs of these countries. Outline The remainder of this paper is organized as follows. In Section 2, we review how electronic voting
was introduced in India, describe how EVMs are used in elections, survey reports of fraud, and describe the EVM hardware based on our examination and experiments. In Section 3, we present two demonstration attacks that we developed. In Section 4, we survey a number of ways that the EVM system can be attacked in spite of—and sometimes due to—its simple design. Section 5 discusses current procedural countermeasures and why they are ineffective or even harmful. We place our work within the context of previous electronic voting security studies in Section 6. Finally, we draw conclusions and consider the way forward in Section 7.
2 Background
2.1 Electronic Voting in India The Election Commission developed India’s EVMs in partnership with two government-owned companies, the Electronics Corporation of India (ECIL) and Bharat Electronics Limited (BEL) [49, pp.1,9]. Though these companies are owned by the government, they are not under the administrative control of the Election Commission. They are profit-seeking vendors that are attempting to market EVMs globally [2]. The first Indian EVMs were developed in the early 1980s by ECIL. They were used in certain parts of the country, but were never adopted nationwide [49, p.1]. They introduced the style of system used to this day, including the separate control and ballot units and the layout of both components. These first-generation EVMs were based on Hitachi 6305 microcontrollers and used firmware stored in external UV-erasable PROMs along with 64kb EEPROMs for storing votes. Second-generation models were introduced in 2000 by both ECIL and BEL. These machines moved the firmware into the CPU and upgraded other components. They were gradually deployed in greater numbers and used nationwide beginning in 2004 [49, p.1]. In 2006, the manufacturers adopted a third-generation design incorporating additional changes suggested by the Election Commission.
for more report visit http://indiaevm.org/evm_tr2010.pdf
source:www.indianevm.org
this work is done by J. Alex Halderman, Hari K. Prasad, Rop Gonggrijp
This is the reason for TRS and common people of TELANGANA to rethink about the use of EVM's in the upcoming bye elections..as this paper show that the EVM's are that transparent to the public as they should be.....if a voter casts a vote then how can be confident that he voted to a particular candiadate that he wants to vote......? and this article shows that we can tamper the EVM's easily within seconds by interchanging chips and LED's....and also we can decide whose going to win with help of bluetooth software or by using a pin on IC memory device......so Election commission of INDIA should have a look on this and make sure that this doubts should be cleared before using EVM's in an election.....
you can watch the tampering videos in youtube.......
so election commission of india should clear this doubts and then use EVM's in TELANGANA bye election ...we the people of TELANGANA demand it as the vote is the most important tool for a citizen in a democracy....
JAI TELANGANA
JAI JAI TELANGANA
JAI JAI TELANGANA
No comments:
Post a Comment