Researchers Demo Hardware Attacks Against India's E-Voting Machines

An anonymous reader writes "India, the world's largest democracy, votes entirely on government-made electronic voting machines that authorities claim are 'tamperproof,' 'infallible,' and 'perfect,' but last week security researchers proved that they can be manipulated to steal elections. A team led by Hari Prasad, Professor J. Alex Halderman, and Rop Gonggrijp released an awesome video that shows off hardware hacks they built. These machines are much simpler than e-voting designs used in the US, but as the research paper explains, this makes attacking the hardware even easier. Halderman's students at the University of Michigan took only about a week to build a replacement display board that lies about the vote totals, and the team also built a pocket-sized device that clips onto the memory chips, with the machine powered on, and rewrites the votes. Clippy says, 'It looks like you're trying to rig an election ...'"

Ultimate accountability

[SmallFurryCreature]

Maybe it is time for a new law: You cheat, you die.

Imagine that a party leader becomes responsible for the actions of the members of his party. Some lowly member cheats, the leader gets a bullet in the head.

Open for abuse to be sure but all our leaders claim we should trust the system so surely they trust it?

It would motivate leaders to motivate their followers not to break the rules. Right now the system does exactly the reverse. As long as the leader isn't proven to have given the direct order in writing, he benefits. Everyone knows Bush cheated, yet he ruled unchallenged for 8 years. So cheating works right? Hard to argue this when the evidence is so clear.

We have come to take democracy for granted, but the recent problems in the UK have shown that such a basic thing as voting is not so simple after all. It is a complex process and without it working flawlessly, our entire system looses its validation. If you wanted to vote, went to vote but weren't allowed to, then how can you then be asked to support the government you didn't vote for?

How can you ask a soldier to die for a leader whose election process he didn't take part in? The entire basis of democracy is your loyalty in exchange for a say. Your money and your life for a vote. We are the subjects of an elected government and must follow its rules because we elected them, yes even if you didn't vote for them. That is the deal. Cheating breaks that deal.

It is hard to argue that people shouldn't go for a nasty dictator type, when the democracy isn't letting them have their say either. If you are not being listened to, you might as well have someone competent in charge instead of the monkey that cheated in a popularity contest.

So lets stick with paper and enforce extreme and rigid rules about how those papers and handled and counted and put severe penalties on anyone who messed with it. And before you say that death is far so serious. Treason still carries a death sentence in many nations, and cheating in elections is treason against nation as a whole.

Re:Secure e-voting

[MichaelSmith]

Or even poker machines. Every machine runs from a PROM. Authorities keep a table of validated PROM image checksums. Operators of the machines have to let inspectors validate the checksums on demand, and if it doesn't match then your gaming license gets revoked and the place closes down.

Now thats no too hard, is it? Validate a small number of images, then make damn sure they don't get changed. Encourage simple, embedded systems as opposed to big operating systems with 30 million lines of code.

Re:Secure e-voting

[Thanshin]

And how to you suggest to apply that system on an election environment? If the checksum doesn't match, you remove all votes from the voters who used that particular machine? You repeat the elections until no machine was tampered with?

Yes, sounds about right.

Nice system. So once my party governs I can simply block any further election to ever finish, just by touching a single machine.

Scale

[brunes69]

The size and scale of India's election makes attempts at manipulating the election at the voting machine level very difficult. Any legit attack would have to be done at the back-end altering massive numbers of votes.

Re:Secure e-voting

[UnHolier than ever]

No, if the checksum doesn't match you cancel the election, run it again with paper ballots and charge all the costs of doing so to the company that was responsible for the security of the machines, suing them into bankruptcy.

Re:All voting systems are vulnerable...

[afc_wimbledon]

That's not strictly true I'm afraid. In the UK the "marked register" (the paper audit of who voted) is marked with the ballot paper number against the voters name. So currently there is an audit trail from the individual to an individual ballot paper, and hence to their vote. It's not available to just anyone, but you can, under certain circumstances, find out how an individual voted, or more importantly how they were recorded as voting in case of fraud. Both individual ballot papers and marked register are retained after the election. I'm talking about something similar for electronic systems is all.

The problem with electronic systems is they are often floated as the sole solution to all electoral fraud (they're not) or as intrinsically weaker than paper based systems (and I'm arguing they are not that either).

Re:All voting systems are vulnerable...

[locofungus]

In the UK in particular you *cannot* issue a receipt - anything which can be used to match a vote to a voter is illegal. Even signing your name instead of putting a cross renders your ballot spoiled.

Except, of course, the recording of the ballot paper number next to your name when you vote.

In the past it would have been difficult to automatically match up every vote with a voter but it certainly wouldn't have been difficult to find out who cast a particular vote. "Who voted communist?"

Nowadays I'd expect that the voter lists with the ballot numbers could be scanned and OCRed and the ballot papers run through an automatic feeder. Of course this needs access to the voter lists and ballot papers so not available to everybody.

http://www.electoralcommission.org.uk/__data/assets/electoral_commission_pdf_file/0018/16056/Ballot_paper_design_finalversion_13051-7979__E__N__S__W__.pdf [electoralc...ion.org.uk]

End of page 25:
Serial numbers

4.4 Anecdotal evidence suggests that at every election
Returning Officers - and more often Presiding Officers
in polling stations - receive a number of complaints or
concerns from electors over the use of serial numbers
on ballot papers. Electors are often concerned that the
number allows identification of how they have voted.

In fact, serial numbers are used specifically to allow for
the tracing of papers cast fraudulently and are checked
only where a claim of fraud is being investigated and a
court order obtained to allow the identification of the ballot
paper as being that of a particular person. Nevertheless,
the regularity of such complaints, although not great, is
thought to have increased in recent years with the increased
use of postal voting. This is an issue also considered in
the Commission's separate review of absent voting.

Tim.

Re:Secure e-voting

[nameer]

If the machine was tampered with, then you disregard the electronic count from that machine and do a hand count of the voter-verified paper ballots. You did print a voter verified paper ballot right?

How to build a good voting machine

[jonwil]

For the hardware you need:
Touchscreen with graphics chip and touchscreen controler as an input device

Receipt printer (the kind that has been used in millions of cash registers, ATMs and other devices world wide for a few decades)

Flash memory chip to hold the machine OS and the config file (which candidates are running etc). This should be the kind that when its in the machine, it cannot be written to and has to be removed to write new software or configs. This would have a difficult-to-duplicate-or-remove sticker applied with the voting machines unique serial number to ensure that it hasn't been swapped for another identical chip containing rigged software.

Thumb drive or memory card to hold the counted votes. This would also have a difficult-to-duplicate-or-remove sticker applied with the voting machines unique serial number to ensure it isn't substituted with a fake one containing a different result.

CPU (ARM of some sort would seem to make sense) to control the system with usual support items (power supply, RAM etc)

Tamper-evident case containing the hardware with more difficult-to-duplicate-or-remove stickers with the voting machines serial number covering the screw holes/case edges/etc to ensure you can tell if its been opened.
The receipt printer would be located outside of the tamper-resistant part so the roll can be replaced by poling station officials. Should a machine fail for other reasons (i.e. any reason that would require access to the hardware) that machine would be taken offline and not used for the rest of the election.

Software:
Linux kernel with drivers for the memory card reader, touchscreen, receipt printer etc. (the kernel would be specifically built for the voting machine with everything that is not required for the device such as networking removed)
Basic set of libraries (the bare minimum required to make everything work)
Custom voting machine software.
All software would be 100% open source.

Before the election, the machines are prepared by loading the correct OS and kernel along with the config file for the machine (containing the names and info for the candidates) onto the operating system chips. The operating system chip and vote counting memory card are loaded into the machine. Then the machines are verified and tested. Once they have been verified, they are sealed up and the tamper-evident stickers applied before they get shipped off to the poling booths.

When you go to vote, you pick your candidate on the screen by touching their name. Then you have to press "OK" once you are sure you clicked on the right name.

After your vote is complete, it is recorded in the file on the memory card. Also, a receipt is printed containing a machine readable bar-code corresponding to your vote plus a human readable record. This receipt is then inserted into a ballot box as you depart the polling booth. No part of the machine (receipt included) contains any record of who you are as a voter or any way to associate your vote back to you.

To count the votes, the memory cards are removed from the machines (after checking that the machine was not tampered with and that the memory card is genuine) and sent to the relavent counting office to be read and counted. Should there be a dispute, either the machine readable bar-code or the human readable record can be used as a way to count the ballots.

Maybe some of this is overkill (like labeling the chips with stickers to prevent tampering), I dont know. But when you are talking about something as critical to a free society as an election, its important to get it RIGHT.

My idea would work for any system no matter how many items are on the ballot or how many people are voting (a commonly cited downside of paper systems is that there are too many papers to count and/or too many things being voted on)

My idea wont prevent tampering (of the kind described in TFA) but it will be immediately obvious when someone has tampered with the hardware in the machine (if it works for telling Microsoft or Dell when someone has opened their PC or XBOX and voided the warranty, it should work for a voting machine, especially since getting close enough to one for long enough to fiddle with it is hard when inside a polling station.

Re:Secure e-voting

[Dilaudid]

Why are there so many stories on slashdot about how awful e-Voting is? Is there a large part of the slashdot audience that seeks a return to pencil and paper solutions, instead of this new-fangled transistorisation? I think your idea makes perfect sense, the situation where a PROM is touched is the same situation as where a ballot box has been broken open.

Re:Secure e-voting

[sznupi]

More than security is at stake here. Transparency also matters. With paper voting many citizens are perfectly able to go to the polling station and observe (and grasp!) the whole voting process and counting votes; generally check that everything happens according to the procedure. Have such people in every polling station and you can independently confirm the result of elections.
It builds confidence in the results.

There's no transparency with electronic voting. None. Even you are "IT pro" and go to see what happens...well, on /. it's not necessary to explain that you will see almost nothing of the procedure. Now imagine average folks.
In this case, you have inherent distrust in the results.

Re:Secure e-voting

[TheRaven64]

A lot of us don't see a problem with pencil and paper voting (for me it wouldn't be a return - it's what we do already). A democratic state has to be accountable to the electorate, by definition. That means elections have to be low tech, because if they are not then you reduce the number of the electorate who are capable of auditing the process. How many people are capable of verifying that a voting machine is correct? I only know a couple of people I'd trust to formally verify the software, and no one I'd trust to verify the hardware. On the other hand, I know a lot of people, myself included, who are capable of watching folded voting papers being put into a box and of checking that they are counted correctly. I could do it myself, and any candidate - even the ones that only get a few votes - can easily find a supporter who is able and willing to do so.

Re:Ultimate accountability

[fgouget]

There are plenty of techniques to create a one-time code that isn't linked to you personally and can't be traced back

Except all the proposals I have seen call for the unique key being generated by the government (and generally snail mailed to you). So you have no proof that such techniques have been used by the government.

But you can't honestly tell me you're so paranoid about this that you now vote with gloves on because they might trace the fingerprints on the ballot?

I don't wear gloves because I help count the votes so my fingerprints are on all the ballots!

All jokes aside, they don't know which ballot is yours. So they would have to scan the fingerprints on a substantial percentage of the ballots to find out and they would have a hard time doing that in secret. In contrast installing a small 'security' patch that records either the votes or matches the unique keys with your identity would be pretty easy. Much easier than bugging the phone of Greece's prime minister [ieee.org] along with those of a hundred other high ranking officials for months without getting caught for instance.

Only problem there is the unique key needs to be disposed for you to remain anonymous... but I guess you could instruct people to do so after casting their vote (if they wish to remain anonymous).

Forcing the voters to take action for their vote to remain anonymous is equivalent to making their votes public. If they erased the proof that they voted right, then they will get get their knees broken all the same. Note that this is not just a theoretical issue, it has real world effects on votes as proven by Chile's switch [harvard.edu] to secret ballots in 1958.