Brazilian Breaks Secrecy of Brazil's E-Voting Machines With Van Eck Phreaking 157
After the report last week that Brazil's e-voting machines had withstood the scrutiny of a team of invited hackers, reader ateu writes with news that a hacker has shown that the Linux-based voting machines aren't perfectly safe; he was able to eavesdrop on them (translated from Portuguese) by means of Van Eck phreaking.
Physical Security (Score:4, Interesting)
Re:Honestly (Score:5, Interesting)
Several ideas. Of course, use LCDs, as the CRT circuitry is the bad one. Shield the data connections so they don't radiate too much. Make the connections that transmit unencrypted data short. Use low-contrast fonts, so the sharp edges do not cause large voltage (and therefore EMI) spikes. Randomise the low bits of data shown on the screen, so you create obfuscating noise.
Maybe you have to go as far as have a white noise transmitter to mask what you cannot elimiate. Plenty of room to move. Good on them for having such a contest - it flushed out all the 'Ooh, I didn't think of that' problems.
E-paper (Score:4, Interesting)
Besides all the shielding options, perhaps this is a good use for E-paper displays? The persistent nature of the display would minimize the constant refreshing. The slow screen response would be unlikely to be an issue with a ballot.
Re:Whew, that was a close one... (Score:1, Interesting)
Cut the power lines to any polling stations that aren't going in favor of your candidate. Or stage a fight outside, forcing police to intervene (and keeping the polling station closed for an hour or two). The line gets longer and longer, people are getting hot and tired, eventually they'll start going home. No fancy super-duper-20-foot-hacking skills needed.
Cryptonomicon (Score:3, Interesting)
What options do you have to protect your self from Van eck phreaking? Lead casing? Foil voting boxes?
Honest replies welcome.
Put rubbish on the screen and send all your actual output through the caps lock LED with xled.
Not very useful outside in the real world, I know.
It could be big... (Score:2, Interesting)
Re:This happened with the Dutch in 2006 (Score:5, Interesting)
That's only part of the story.
The voting machines were vulnerable to more than just eavesdropping, although eavesdropping was the official story from the government and also what most of the press was about.
However, the voting machines have since been banned. The latest elections were held with paper and pencil. It's good that way.
Now if people would only understand this ...
Re:I'm still not even at this step yet (Score:3, Interesting)
Among the others, enabling a non-FPTP system.
If anyone isn't aware of how FPTP has hosed democracy, they should start here [wikipedia.org].
The primary concern I recognize is that FPTP collapses your system into a two-party system and makes third parties non-viable. Just try voting for Nader or Kucinich.
Re:Whew, that was a close one... (Score:2, Interesting)
As someone who grew up in a country, where "Open Voting" was the norm and using the voting cabin was being frowned upon I tell you: You have no clue.
Re:Van Eck Phreacking will always exist (Score:2, Interesting)
You bribe half city; then check (on the publicly available channels) how many votes you got there... if you got less than expected... someone cheated and you "don't pay".
If your idea is not to bribe a huge amount of persons we don't care.
Bribe is another problem.. and can't really be solved by the voting machine itself.
Re:This happened with the Dutch in 2006 (Score:1, Interesting)
In most countries in the world, paper voting (although not impossible, of course) is troublesome and, consequently, prone to "errors" and rigging during collect and transportation of the votes.
Remember, for instance, that in countries the size of Brazil and India it is much more complicated to count the votes of the population than in a country like The Netherlands or most US states.
For example, India has a population of more then 1.2 billion people. The whole European Union only has little less than 500 million people. Germany, it's biggest country only has about 80 million. In the US, the most populous state (California) only has 36.7 million.
Also, India and Brazil have lots of remote places. In Brazil, its two biggest states (Amazonas and Para) each come close to the size of Alaska (~17% of the US area, which is almost 3 times the size of Texas). Amazonas state (~92% of the area of Alaska) has many places only reachable by boat or helicopter, and it takes days to get there by boat.
Just to illustrate: Alaska has more concentrated population with a lower overall density (about 680k people, density 0.4/km2); while Amazonas has more than 3.5 million people (density 5 times the one of Alaska) with its population more spread through its area. Para is more than twice the size of Texas, and has 7 million people spread on this area.
Another big issue that favours e-voting is language. India alone has 29 languages natively spoken by more than one million people each. Even if only from a logistics point of view, e-voting is fully justified.
Of course these are only two countries, but most of the same rationale applies to Indonesia, or many other nations (specially developing ones).
It's not a practical approach (Score:3, Interesting)
While in principle it is a good method for snooping a single monitor, it would take a ton of disentangling signals to read every monitor consistently at a polling place from any distance. It is not a practical way to screw with an election, considering that any party willing to snoop this aggressively is probably willing to do a lot more than just snoop.
Frankly, it shows just how effective Brazil's security measures are that hackers have to go this deep into the playbook to get even one sort of result.
Re:Van Eck Phreacking will always exist (Score:3, Interesting)
In many of those countries, the secrecy of your vote hardly matters anyway. After all, they've already done most of the voting for you.
You might even get your hands chopped off for just daring to show up to vote.
In places where you can have voter intimidation without the police stepping in (or the police being the culprits), secrecy of your vote is not much of a concern.
And in some countries the voting system is so fast and efficient that everyone knows the results before they vote.
That's the reality.
As for nonintimidation cases - e.g. selling their votes, if someone wants to sell their vote for USD5, so what? Willing buyer, willing seller.
A far bigger problem is gerrymandering. That's what makes buying and selling of votes and other tricks viable - if you can make 1000 votes count more than 100,000 votes, then it's cost effective to buy those 1000 voters. Make 1000 voters happy instead of the other 100,000 voters.
Then there's the postal votes stuff. In many countries it's probably easier to just cheat via the postal votes.
Re:It could be big... (Score:3, Interesting)
You just overlooked one small issue: voter turnout is already a problem in most democracies, as it is somewhat boring to vote for things your are not that interested in. If there were more elections, you would have to vote each week. Nobody is going to keep doing that, as most people do not see it as their job, and it is a process with very little positive feedback. So only the zealots and paid shills will remain, thus making your country run by big money and zealots with a nutty agenda. Not unlike the US is run now, actually.
Re:Whew, that was a close one... (Score:3, Interesting)
What's the most someone could do with this exploit?
A little context is needed in order to further explore this point. Brazil is a huge country, of continental dimensions. Voting is a mandatory civic duty (except for older citizens). In the remote and impoverished areas, intimidating voters or buying votes was a common, widespread practice, constituting what is termed an "electoral corral", that helped maintain veritable "political dynasties" in these areas for decades. One of the selling points of electronic voting was being tamper-proof, reducing the probability of fraud. There are myriad ways to make the political scale tip to the wrong side, the side that represents not what the people want, but what the-powers-that-be command...Remember the "pregnant chads" issue in Florida?
It's easy to imagine setting up electronic gadgets in these very remote, impoverished and forsaken little towns in Brazil, in order to verify that the voter indeed kept his/her word when he "sold" his/her vote or to enhance intimidation or voter harassment, all under the unknowing eyes of the Electoral Justice officer (in Brazil, there's a branch of the Judiciary specifically to take care of electoral issues, such as enforcing legislation, etc.).
Besides, one of the pillars of democracies is having the right to vote and this right must be protected from prying eyes of the State (and by extension, the ruling political party), lest the voting process becomes thwarted and non-representative of the will of the people, as well as to avoid political persecution of those who dared to vote for an opposing party. This is so in any country that has a serious voting process and now, you, noble tech nerd and Slashdot reader, knows why this is so.
Re:As a person in the infosec field (Score:2, Interesting)