Press Releases

Security Analysis of India's Electronic Voting Machines

Description
Security Analysis of India's Electronic Voting Machines
Categories
Published
of 25
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Share
Transcript
  To appear in  Proc.17th ACM Conference on Computer and Communications Security  (CCS’10), Oct.2010For more information, updates, and video of demonstration attacks, visit http://  IndiaEVM.org . Security Analysis of India’s Electronic Voting Machines Hari K. Prasad ∗ J. Alex Halderman † Rop GonggrijpScott Wolchok  † Eric Wustrow † Arun Kankipati ∗ Sai Krishna Sakhamuri ∗ Vasavya Yagati ∗ ∗ Netindia, (P)Ltd., Hyderabad  † The University of Michigan Released April 29, 2010 – Revised July 29, 2010 Abstract Elections in India are conducted almost exclusively using electronic voting machines developed overthe past two decades by a pair of government-owned companies. These devices, known in India as EVMs, have been praised for their simple design, ease of use, and reliability, but recently they have also been criticized following widespread reports of election irregularities. Despite this criticism, many details of  the machines’ design have never been publicly disclosed, and they have not been subjected to a rigorous, independent security evaluation. In this paper, we present a security analysis of a real Indian EVM obtained from an anonymous source. We describe the machine’s design and operation in detail, and we evaluate its security in light of relevant election procedures. We conclude that in spite of the machines’simplicity and minimal software trusted computing base, they are vulnerable to serious attacks that can alter election results and violate the secrecy of the ballot. We demonstrate two attacks, implemented using custom hardware, which could be carried out by dishonest election insiders or other criminals with onlybrief physical access to the machines. This case study carries important lessons for Indian elections and for electronic voting security more generally. 1 Introduction India is the world’s largest democracy. In recent national elections, more votes were cast than the combined population of the United States and Canada [57], and the vast majority of voters used paperless direct-recording electronic (DRE) voting machines [25]. Though paperless DREs have been largely discreditedin the academic security literature (e.g., [4,5,9,10,17,29,30,38]), Indian election authorities continue to insist that the electronic voting machines used in India, widely referred to as EVMs, are fully secure. Forexample, the Election Commission of India, the country’s highest election authority, asserted in an August2009 press statement: “Today, the Commission once again completely reaffirms its faith in the infallibilityof the EVMs. These are fully tamper-proof, as ever” [27]. As recently as April 26, 2010, Chief ElectionCommissioner Navin B. Chawla was quoted in the media as saying the machines were “perfect” with noneed for “technological improvement” [48]. To justify these claims, officials frequently cite the design of the EVMs, which is vastly simpler than that of most other DREs used globally, and a number of procedural safeguards. However, the details of the machines’ design have been a closely guarded secret, and, until now, they have never been subjected to a rigorous independent security review. In this paper, we analyze the security of India’s EVMs and related procedural safeguards. We show that while the machines’ simplicity makes them less susceptible to some of the threats faced by DREs studiedin prior work, it also subjects them to a different set of highly dangerous attacks. We demonstrate twoattacks that involve physically tampering with the EVMs’ hardware. First, we show how dishonest election 1  insiders or other criminals could alter election results by replacing parts of the machines with malicious look-alike components. Such attacks are made far simpler and cheaper by the EVMs’ minimalist design, and they could be accomplished without the involvement of any field-level poll officials. Second, we show howattackers could use portable hardware devices to extract and alter the vote records stored in the machines’memory, allowing them to change election outcomes and violate ballot secrecy. This attack is technicallystraightforward because the EVMs do not use even basic cryptography to protect vote data internally. It could be carried out by local election officials without being detected by the national authorities or the EVM manufacturers’ agents. Though EVM manufacturers and election officials have attempted to keep the design of the EVMs secret, this presents only a minor obstacle for would-be attackers. There are nearly 1.4 million EVMs in usethroughout the country [26], and criminals would only need access to one of them to develop working attacks. Dishonest insiders or other criminals would likely face  less  difficulty than we did in obtaining such access. There are many other possibilities for manipulating Indian EVMs, both with and without the involvement of dishonest election insiders. Depending on the local context and security environment, the nature and scale of  potential manipulations may vary, but neither the machines’ simplicity nor their secret design keeps them safe. This study establishes that the EVMs used in India are not tamper-proof and are susceptible to a range of attacks. The use of similar paperless DREs has been discontinued in California [6], Florida [31], Ireland [33], the Netherlands [19], and Germany [8]. Indian election authorities should immediately review the security procedures now in place and should inspect all EVMs for evidence of fraud. Moving forward, India should adopt a different voting system that provides greater security and transparency. Research Contributions 1. We present the first rigorous, independent security analysis of the electronic voting system used in Indiaand find significant security flaws that compromise the integrity of the results and the secrecy of the ballot.Indian voting machines use a vastly different design than most other DRE voting systems studied in the literature, and we describe it in greater detail than was previously available to the public. 2. We explore the role of simplicity in electronic voting security. Previous studies have focused on problemscaused by software complexity and have proposed minimizing the size of the trusted computing base (TCB) as a partial remedy [53]. India’s EVMs use an extremely simple design with a small software TCB, yet we find that this makes physically tampering with the devices relatively easy. These findings underscore that the problems with DREs are due not only to complexity but also to lack of transparency. 3. We perform the first major security study of an electronic voting system used in an emerging nation. Votingsystems in India must satisfy different constraints than systems used in the United States and Europe, which have been the focus of research to date. The Indian EVM manufacturers are exporting machines to othercountries, including Nepal, Bhutan [47], and Bangladesh [40]. Mauritius, Malaysia, Singapore, Namibia, South Africa and Sri Lanka are reportedly considering adopting similar systems [47]. We outline some of the challenges of deploying electronic voting in an emerging nation. This provides a starting point for future research into voting system designs that meet the needs of these countries. Outline  The remainder of this paper is organized as follows. In Section 2, we review how electronic votingwas introduced in India, describe how EVMs are used in elections, survey reports of fraud, and describe the EVM hardware based on our examination and experiments. In Section 3, we explain a number of ways that the EVM system can be attacked in spite of—and sometimes due to—its simple design. In Section 4, we present two demonstration attacks that we developed. Section 5 discusses current procedural countermeasures and why they are ineffective or even harmful. We place our work within the context of previous electronic voting security studies in Section 6. Finally, we draw conclusions and consider the way forward in Section 7. For the latest version of this report and a video of our demonstration attacks, visit http://  IndiaEVM.org .2  Figure 1:  Indian EVMs  consist of a  BALLOT UNIT  used by voters ( left  ) and a  CONTROL UNIT  operated by poll workers ( right  ) joined by a 5-meter cable. Voters simply press the button corresponding to the candidate of their choice. We obtained access to this EVM from an anonymous source. 2 Background 2.1 Electronic Voting in India The Election Commission of India developed the country’s EVMs in partnership with two government-ownedcompanies, the Electronics Corporation of India (ECIL) and Bharat Electronics Limited (BEL) [50, pp.1,9].Though these companies are owned by the Indian government, they are not under the administrative control of the Election Commission. They are profit-seeking vendors that are attempting to market EVMs globally [47]. The first Indian EVMs were developed in the early 1980s by ECIL. They were used in certain partsof the country, but were never adopted nationwide [50, p.1]. They introduced the style of system used tothis day (see Figure 1), including the separate control and ballot units and the layout of both components.These first-generation EVMs were based on Hitachi 6305 microcontrollers and used firmware stored in external UV-erasable PROMs along with 64kb EEPROMs for storing votes. Second-generation models wereintroduced in 2000 by both ECIL and BEL. These machines moved the firmware into the CPU and upgraded other components. They were gradually deployed in greater numbers and used nationwide beginning in 2004 [50, p.1]. In 2006, the manufacturers adopted a third-generation design incorporating additional changes suggested by the Election Commission.3  Figure 2:  Counting Votes —The EVM records votes in its internal memory. At a public counting session,workers remove a seal on the control unit and press the  RESULT I  button ( left  ) to reveal the results. Themachine sequentially outputs the number of votes received by each candidate using a bank of 7-segment LEDs ( right  ). Here, candidate number  01  has received  7  votes. According to Election Commission statistics, there were 1,378,352 EVMs in use in July 2009. Of these, 448,000 were third-generation machines manufactured from 2006 to 2009, with 253,400 from BEL and 194,600 from ECIL. The remaining 930,352 were the second-generation models manufactured from 2000 to2005, with 440,146 from BEL and 490,206 from ECIL [26]. (The first generation machines are deemed toorisky to use in national elections because their 15-year service life has expired [1], though they are apparently still used in certain state and local contests.) In the 2009 parliamentary election, there were 417,156,494 votes cast, for an average of 302 votes per machine [57]. The EVM we tested is from the largest group, a second-generation ECIL model. It is a real machine that was manufactured in 2003, and it has been used in national elections. It was provided by a source who has requested to remain anonymous. Photographs of the machine and its inner workings appear throughout this paper. Other types and generations of machines have certain differences, but their overall operation is very similar. We believe that most of our security analysis is applicable to all EVMs now used in India. 2.2 EVM Operation and Election Procedures India’s EVMs have two main components, shown in Figure 1. There is a  CONTROL UNIT , used by pollworkers, which stores and accumulates votes, and a  BALLOT UNIT , located in the election booth, which is used by voters. These units are connected by a 5 m cable, which has one end permanently fixed to the ballot unit. The system is powered by a battery pack inside the control unit. The EVMs are designed for one- or two-race elections, as are typical in India; we describe single-race operation here. The ballot unit has 16 candidate buttons. If any are unused, they are covered with a plastic masking tab inside the unit. When there are more than 16 candidates, an additional ballot unit can be connected to a port onthe underside of the first ballot unit. Up to four ballot units can be chained together in this way, for a maximumof 64 candidates. A four-position slide switch under the ballot unit door selects the unit’s position in the chain. Election procedures are described in a number of public documents (e.g., [20]). Prior to the election, workers set up the ballot unit by attaching a paper label that shows the names of the candidates and their party symbols (to aid illiterate voters) next to the candidate buttons. After sealing the label under a plastic door,workers configure the number of candidates using a  CAND SET  button on the control unit. On the morningof the election, poll workers perform a small mock election to test the machine. They then publicly set the 4  totals to zero by pressing the  CLEAR  button, after which the control unit display shows that a total of zero votes have been cast. Workers can check this count at any time by pressing the  TOTAL  button. Seals are thenplaced on various parts of the control unit to block access to counting and clearing functions until later in the election process. When a voter arrives, workers verify his or her identity and record the voter’s presence by obtaining asignature or thumb print. To prevent double voting, they mark the voter’s right index finger with indelibleink [39]. Next, a poll worker presses the  BALLOT  button on the control unit to allow one vote. This causesa green  READY  light to glow on the ballot unit. The voter enters the polling booth and presses the buttonfor the candidate of his or her choice. A red light next to the candidate button glows, the ready light turns off, and the control unit emits a loud beep to indicate that the vote has been cast. The red light then turns off  automatically. This process repeats for each voter. At the end of the poll, the presiding officer removes a plastic cap on the control unit and presses the CLOSE  button, which prevents the EVM from accepting further votes. The ballot unit is disconnected and the control unit is placed in storage until the public count, which may occur weeks later. On the counting day, the control units are delivered to a counting center. In public view, an electionofficial breaks a seal on the control unit and presses the  RESULT I  button, shown in Figure 2. The displayon the control unit shows a sequence of outputs: the number of candidates, the total votes, and the numberof votes received by each candidate. Officials manually record the totals from each machine and add them together to determine the election result. The machines are then placed in storage until the next election. 2.3 Challenges for Electronic Voting in India Indian voting machines must be designed to function under more challenging environmental conditions and operational constraints than other electronic voting systems studied in previous security reviews. Theserequirements have influenced the simple design of the current machines and impact our security analysis. Among the challenges are: Cost  With well over a million EVMs in use, the cost of the system is a major concern. The current EVMs are built from inexpensive commodity parts and cost approximately $200 for each set of units [35], far less than many DREs used in the U.S., which cost several thousand dollars. Power  Many polling places are located in areas that lack electricity service or have only intermittent service. Thus, the EVMs operate entirely from battery power, rather than merely using a battery as a backup. Natural Hazards  India’s varied climate has great extremes of temperature, as well as other environmentalhazards such as dust and pollution. EVMs must be operated under these adverse conditions and must be stored for long periods in facilities that lack climate control. An Election Commission report cites further dangers from “attack by vermin, rats, fungus or due to mechanical danger, [that might cause] malfunction” [1]. Illiteracy  Though many Indian voters are well educated, many others are illiterate. The country’s literacy rate in 2007 was 66% [56], and only about 55% among women, so handling illiterate voters must be the rule rather than the exception. Thus, ballots feature graphical party symbols as well as candidate names, and the machines are designed to be used without written instructions. Unfamiliarity with Technology  Some voters in India have very little experience with technology and maybe intimidated by electronic voting. For example, “Fifty-year-old Hasulal Topno [... an] impoverished Oraon tribal, who gathers firewood from the forest outlying the Palamau Tiger Reserve, a Maoist hotbed 35 kmfrom Daltonganj town” told a reporter, “I am scared of the voting machine,” prior to its introduction in his village [13]. Nirmal Ho, “a tribal and a marginal farmhand in the Chatarpur block of Palamau district,” said he was “more scared of the EVMs than the Maoists” on account of his unfamiliarity with technology. To avoid further intimidating voters like these, India’s EVMs require the voter to press only a single button.5
Search
Tags
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks
SAVE OUR EARTH

We need your sign to support Project to invent "SMART AND CONTROLLABLE REFLECTIVE BALLOONS" to cover the Sun and Save Our Earth.

More details...

Sign Now!

We are very appreciated for your Prompt Action!

x