The analysis of India's voting machines has been described in this technical paper.
Security Analysis of India’s Electronic Voting Machines
Hari K. Prasad, J. Alex Halderman, Rop Gonggrijp
Scott Wolchok, Eric Wustrow, Arun Kankipati, Sai Krishna Sakhamuri, Vasavya Yagati
Netindia, (P) Ltd., Hyderabad
The University of Michigan
Released April 29, 2010 – Revised July 29, 2010
Abstract
Elections in India are conducted almost exclusively using electronic voting machines developed over the past two decades by a pair of government-owned companies. These devices, known in India as EVMs, have been praised for their simple design, ease of use, and reliability, but recently they have also been criticized following widespread reports of election irregularities. Despite this criticism, many details of the machines’ design have never been publicly disclosed, and they have not been subjected to a rigorous, independent security evaluation. In this paper, we present a security analysis of a real Indian EVM obtained from an anonymous source. We describe the machine’s design and operation in detail, and we evaluate its security in light of relevant election procedures. We conclude that in spite of the machines’ simplicity and minimal software trusted computing base, they are vulnerable to serious attacks that can alter election results and violate the secrecy of the ballot. We demonstrate two attacks, implemented using custom hardware, which could be carried out by dishonest election insiders or other criminals with only brief physical access to the machines. This case study carries important lessons for Indian elections and for electronic voting security more generally.
http://www.indianevm.com/
iVotronic - PEB - why the extra processor?
Posted on Tuesday, December 27, 2005 - 8:04 pm
Grab a cup of your favorite beverage - this one's going to take a bit of thought.
The ES&S iVotronic apparently started its life as the Votronic from a company called Election Products Inc. (EPI). Reading between the lines, the systems are so similar that the great State of New Jersey thought that the iVotronic didn't need certification, but that's another story.
Off to the US Patent office we now go, to have a look at the drawings for EPI's creation, and we find patent number 05583329 which pretty much spells everything out. Now, in the case of Diebold, we already know that their little memory card contains executable code, and we know that no-one's very pleased with THAT. So let's take a look at what ES&S calls their Personal Electronic Ballot or PEB. It's shown in the EPI Patent document as being figure three. Figure three shows each component uniquely numbered - which is important.
The PEB contains memory, a battery, a signal isolator and whoa, a processor? Yes, a processor! According to the patent document, it's the processor in the PEB that updates the display as the voter makes their selections.
"Processor 31 updates display 25 accordingly as the voter makes selections. When the selections are finalized and the ballot is cast, the processor updates a running tally of ballots cast stored in memory 22 in a random fashion for assuring voter confidentiality."
It's processor 31 and memory 22 that are IN the PEB.
Now, we've been getting upset lately about the executable code stored IN and executed FROM the Diebold memory cards. Should we be similarly concerned about the executable code stored IN and executed and processed BY the ES&S memory cards (PEBs)?
Has THAT code ever been subject to examination or certification?
Is the code firmware that is burned into a one-time-programmable processor, or does it get read from the PEB memory at some time?
Why is the running tally stored in the PEB?
When is THAT running tally read, or is it?
Some questions for y'all!!
[Link for the same is here: http://www.bbvforums.org/forums/messages/73/15687.html]
Court rules against paper trail -
The litigation contains some good framing of the issues, but unfortunately the litigants were seduced away from the more powerful rights-based arguments (public right to see and authenticate the count), allowing themselves to get trapped in the almost unwinnable arguments about what is and is not "secure." The court used that to dodge its responsibility to restore public controls, but then again, a court can only rule on what it is asked.
Rather than going for what's really needed -- public right to see and authenticate the original count, without need for special expertise, which German plaintiffs did (and WON), they asked for a commission, they asked for "VVPAT" (rather meaningless "verified voter paper trail" which spits out like toilet paper from the electronic machine). I'm posting a link to the court decision below. First, a tip of the hat for the more solid argumentation which prefaced the lawsuit, before it got sidetracked into asking for solutions that don't work:
http://www.bbvforums.org/forums/messages/81614/81847.html
QUESTIONABLE LEADERSHIP ON WORLD DEMOCRACY -
Does the US want a back door into other nations' elections?
Someone had to say it. So I will.
The United States has been cheerleading the concept of concealed vote counting round the world in a most unhealthy way, unless it is sham democracy we are really after.
US Secretary of State Hillary Clinton testified before congress in glowing terms regarding India's e-voting system,[1] yet these opaque electronic voting machines conceal key election processes from the public, putting control into the hands of government insiders -- hardly democratic, and in India's corruption-prone environment, downright dangerous.
Despite Clinton's earlier assurances, Indian e-voting machines have recently succumbed to manipulation by a team of researchers. Here's what one of them had to say about India's e-voting system:
quote:
I've studied electronic voting machines for years, but I've never had such a strong sense that actual fraud might be taking place. There have been dozens of reports from around India that politicians have been approached by engineers offering to manipulate the machines to steal votes. My Indian coauthor, Hari Prasad, was himself approached by a prominent party and asked to help them with such manipulations! ... there are probably a million people in India with the necessary electronics skills. -- Alex Halderman, one of a team of researchers who proved the Indian machines can be used to illicitly control election outcomes.[2]
Is it that certain US leaders are woefully uninformed, or might it be that there are some in high positions who discreetly believe that elections must be controllable? ("If necessary.")
At least one US leader believed just that. Former Secretary of State Henry Kissinger was so appalled at the prospect of a democratic Chilean election installing a president of whom he disapproved that he said,
quote:
"I don’t see why we need to stand by and watch a country go communist because of the irresponsibility of its own people."
—Henry Kissinger, June 27, 1970
To paraphrase journalist William Blum, there's one thing the United States hates more than an international leader deemed politically undesirable, and that is a democratically ELECTED politically undesirable leader.
Despite successive US expenditures to control the Chilean election, Salvador Allende was democratically elected in 1970. Kissinger subsequently began lining up support for a military coup.
According to the CIA, the US had no vital national interests within Chile. The world military balance of power would not have been significantly altered by an Allende government. But according to Kissinger, Chile was a virus that would infect the world with its ideological platform.
WHAT DOES THIS HAVE TO DO WITH THE CURRENT US PRO E-VOTING STANCE?
With every e-voting system ever examined succumbing to multiple election-control attacks, and when no reputable computer scientist will claim that a concealed computerized system can be secured against insiders (like government custodians and the vendors they select), enthusiasm by US leaders for such systems is getting hard to explain without a bit of skepticism.
Tidier than involvement in a coup, and less expensive than investing in enough propaganda to thwart a democratic election, e-voting has now proven to provide the opportunity for a "Plan B." If desired. In case it's necessary.
Now, before you tell me that you believe no such ulterior motive need be involved, let me just say: It's not acceptable for national leaders to pretend that a counting process which is concealed from the public should be trusted. They should know better. What I am suggesting is that some of them DO know better.
E-VOTING IN ESTABLISHED AND DEVELOPING WORLD DEMOCRACIES
Germany has banned its e-voting system, deeming it unconstitutional because it conceals essential election processes from the public. E-voting systems have also been banned in Ireland and the Netherlands.
Nigeria, while struggling mightily with basic democratic concepts like freedom of information and the private ballot, decided this week to ban e-voting for 2011 elections in favor of privately voted paper ballots, hand counted in public.
The Philippines are currently experiencing a meltdown in their own Smartmatic e-voting system, with a last-minute recall of 76,000 memory cards. The Philippine election organization, called COMELEC, should perhaps change its name to COMEDIC, except that the impact on democracy in the Philippines is anything but a comedy.
After Philippine memory cards were found to be miscounting votes, unable to get enough more in time, the Philippines then decided to obtain some 40,000 potentially election-controlling memory cards from foreign countries (primarily Taiwan and Hong Kong). Then -- pretending all was well, nothing to worry about -- they had them couriered all over the country in helicopters provided by private businessmen.[3]
According to University of Michigan researcher Alex Halderman, "... Nepal, Bhutan, Bangladesh, Mauritius, Malaysia, Singapore, Namibia, South Africa and Sri Lanka are using or considering adopting systems like India's."
Rejected e-voting systems from Allen County Indiana were scheduled to be shipped to Africa for deployment.
CITIZENS SPEAKING OUT
The anti e-voting activism movement is rapidly expanding internationally, with concerned citizens from India, buttressed by experienced democracy advocates from Germany and the USA now communicating daily on an excellent listserve called Election Transparency Worldwide. (GoogleGroups).
Yet while citizens easily grasp the idea that you don't have a democracy without public elections -- the key word being PUBLIC -- and that you don't have public elections when government insiders control essential processes in concealment, many national leaders pretend not to understand these fundamental concepts. They continue to claim that the machines are "tamperproof", "safe", and deserving of "confidence."
True democratic systems, of course, are not built on trusting government insiders, but on DISTRUST, with the delineating factor between a true democratic system and a false one being public controls.
As the German high court decision stated, every essential step of public elections must be something the public can see and authenticate, without need for special expertise.
It remains to be seen whether key US leaders wish to export real democracy, or a pseudo-democratic system which can be controlled "if needed."
Some may say they have a point. But WE have a right to trot that out in public for an open debate.
We ordinary mortals can stubbornly alter the conversational terrain to discuss what is a true democratic system and what is pseudo-democracy. We can expose the hidden agenda opportunity if our leaders try to sell us on systems that provide them with a Plan B. "If necessary."
* * * * *
PERMISSION TO EXCERPT OR REPRINT GRANTED, WITH LINK TO http://www.blackboxvoting.org
* * * * *
[1]'It is so highly effective that nobody questions the results of the elections,' Clinton said.
Senator Hillary Clinton (D-N.Y.) suggested in testimony before the Senate Rules Committee July 25 that the election system used in India in 2004 produced the voter confidence in the election process the Congress is seeking to achieve by federal legislation. Clinton was the lead-off witness in the hearing on S. 1487, the Ballot Integrity Act of 2007, and is co-sponsor of S. 804, the Count Every Vote Act, an election reform package requiring a voter-verifiable paper ballot and a paper audit trail.
electionlawblog.org/archives/ear-clinton.doc
For Clinton’s Rules Committee testimony see: http:/rules.senate.gov/hearing. For additional information on the electoral system in India and on its electronic voting machine see the Indian Election Commission website: www.eci.gov.in.
[2] J. Alex Halderman on manipulating votes with the Indian e-voting machines
also: Electronic voting machines in India, the world's largest democracy, are vulnerable to fraud...
Even brief access to the paperless machines could allow criminals to alter election results, the seven-month investigation reveals. Great Lakes Innovations and Technology Report: India's Black Box Voting Vulnerable To Attack
[3] Frantic effort to ensure Philippine vote continues (Reuters) Khaleej Times Online - 5 May 2010 -
http://www.khaleejtimes.com/DisplayArticle09.asp?xfile=data/international/2010/May/international_May229.xml&section=international
http://www.bbvforums.org/forums/messages/70328/80963.html?1274504566
Government-controlled voting machines easily tampered with
I've been in touch with the developing anti-evoting activists in India for several months now, and at their request shot a video for a gathering of concerned citizens in India.
Here's the deal with India's voting machines, and a cautionary note for those in the USA who think that privatization is the core problem. No, the problem is concealed vote counting and the biggest threat is government insiders, not outside hackers. India's voting machines are owned by its government -- and many of the critics in India are particularly horrified by that, because India has significant corruption problems among its public officials.
US Secretary of State Hillary Clinton, by the way, for some reason took it upon herself to interrupt her busy schedule to issue a press release congratulating India on implementing e-voting. When you put this together with statements like those of Henry Kissinger, who said you can't really let the public choose its leaders (referring to Chilean elections) and presidential candidate Chris Dodd, who said we have to be very careful about letting the people choose their leaders (referring to Pakistan), one wonders whether our vigorous exporting of "democracy" on one hand, while cramming concealed electronic vote counting down their throats with the other hand, may be a reflection that some politicians may think it is essential to have a pseudo-democracy, whereby electoral results can be controlled ("if the need arises").
April 30th, 2010 by jasonkitcat
India’s e-voting machines cracked
Rop Gonggrijp is someone always worth keeping an eye on. He was instrumental in revealing the problems with the Nedap voting machines used in Ireland and the Netherlands.
Now he’s part of a team who have publicly demonstrated serious security flaws with India’s electronic voting machines. Time and time again India has been cited as a good example – but the reality was their systems lacked independent scrutiny. Now that expert scrutiny has been brought to bear, problems have been found.
How many more countries have to make the expensive mistake of rolling out e-voting before we all learn that computers and voting are just not well suited for each other?
Hacking India's Voting Machines
This morning’s events (see previous post) came at a very weird time: 15 minutes before the planned coordinated launch of some interesting research I took part in. Not that I cared even the slightest bit this morning, but the timing actually could not have been much more awkward. I had worked through the night to and we had planned a well coordinated action to publish some interesting research simultaneously over three timezones (at 07:30 CET this morning). That plan thus ended with me in an ambulance, not knowing how much damage my son had incurred. But since everything below was already written, here is what I was supposed to post this morning…
It’s great how it really is beginning to dawn on people all over the globe that paperless voting systems have a transparency problem. This last February I was invited to India for 9 days. It was good to get some sunlight, but again I was too busy to see many sights. I first went to Delhi to speak at the launch of a new book that is critical on Electronic Voting Machines (people there all call them EVMs). After that I went to Chennai for another conference. Then I went to Hyderabad and did … absolutely nothing that I was publicly talking about until today.
We spent a number of days hacking and filming an EVM (in various states of undress) that had fallen into precisely the right hands. In what qualifies as some of the crazier days of my life Alex Halderman, Hari Prasad and yours truly were finding ways around armed roadblocks, relocating parts on circuit boards, debugging code with teams in different timezones, testing electronics, meeting with political figures surrounded by guys with machine guns and shooting parts of the video embedded below. All of this against the backdrop of the hurricane of plan-resistant chaos that is India.
Our research proved something which we really never doubted: with some preparation anyone with even momentary access to paperless voting machines can own the country. If it wasn’t fun to do it would be depressing that something that obvious needs proving over and over again. Maybe some day we’ll skip the film and just own the country instead. (Just kidding…) Some parts of India definitely looked worth owning, those rare moments I had time to look.
Anyway: never got to see the Taj Mahal. Then again: when I go to India next time, it will probably still be there. Which is much more than one can say of these EVMs. Have a look for yourself.
The more scientific writeup of all this (and much more) can be found at IndiaEVM.org.
And VeTA, a new organization that unites India’s budding election transparency movement, has set up a new website at IndianEVM.com.
http://www.bbvforums.org/forums/messages/81614/80951.html
(National) 11/7/2012 - AMERICA'S CLAIRVOYANT ELECTION SYSTEM
http://www.blackboxvoting.org/
Will "experimental" software patches affect the Ohio vote?
by Bob Fitrakis and Gerry Bello
October 31, 2012
Why did the Ohio Secretary of State Jon Husted's office, in an end run around Ohio election law, have "experimental" software patches installed on vote counting tabulators in up to 39 Ohio counties? Voting rights activists are concerned that these uncertified and untested software patches may alter the election results.
During the 2004 presidential election, the Free Press reported that election officials observed technicians from the ES&S voting machine company and Triad computer maintenance company installing uncertified and untested software patches on voting machines in 44 Ohio counties prior to the election. Software patches are usually installed to "update" or change existing software. These software patch updates were considered suspect by election protection activists, in light of all the voting machine anomalies found during the 2004 election in Ohio.
Last minute software patches may be deemed "experimental" because that designation does not require certification and testing. Uncertified and untested software for electronic voting systems is presumably illegal under Ohio law. All election systems hardware and software must be tested and certified by the state before being put into use, according to Ohio Revised Code 3506.05.
On page 19 of the contract, terms require the various county boards of elections to purchase additional software from ES & S if they are not compatible with this new "experimental" statewide tabulation and reporting system. This unfunded mandate clause illegally bypasses individual counties' rights to make their own purchasing determinations.
The controversial software will create simple .csv files like those produced by spreadsheet programs for input into the statewide tabulation system. According to the terms of the contract, data security is the responsibility of each local board of elections: "…each county will be responsible for the implementation of any security protocols" (see page 21 of the contract).
[Link for this is here: http://freepress.org/departments/display/19/2012/4766]
Re: Diebold and the vast Right Wing Conspiracy
I am an activist that opposed evm's in Arkansas for almost a year, and was successful in persuading our Secretary of State to file the waiver under the HAVA Act, delaying the implementation of these machines until 2006. Secretary Blackwell's insistence to purchase Diebold machines despite the fact that he also requested the waiver is highly suspect to say the least.
Regarding Carlo LoParo's statement that the HAVA Act did not provide for a paper ballot audit trail, I would like to advise your publication that the Department of Justice DID conclude that paper ballots on electronic voting machines WERE in fact HAVA compliant and ADA compliant (for disabled persons). Kenneth Blackwell and Carlo LoParo's argument against paper ballots does not hold water. Mr. LoParo's statement is misleading, it leads readers to understand that no paper ballots are allowed, when in fact, the DOJ states the paper ballots are compliant. our sacred right to vote being protected and verified.
[Link for this is here: http://www.freepress.org/departments/display/10/2004/574]
Several tanker trucks full of political ink have been spilled on Mitt Romney's tenure as a vulture capitalist at Bain Capital. A more important story, however, is the fact that Bain alumni, now raising big money as Romney bundlers, are also in the electronic voting machine business. This appears to be a repeat of the infamous former CEO of Diebold Wally O’Dell, who raised money for Bush while his company supplied voting machines and election management software in the 2004 election.
[Link for this is here: http://www.freepress.org/departments/display/19/2012/4725]
Researchers find (more) severe flaws in Diebold voting machines
A group of Princeton computer scientists has published a study that examines flaws and vulnerabilities in Diebold's AccuVote-TS voting machines. Complete with a video that demonstrates the ease with which the electronic voting machine can be compromised, the study provides chilling insight into the serious risk of election tampering and fraud created by modern voting technology. The vote-stealing demonstration software developed by the computer scientists "can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss."
The study reveals that "[m]alicious software running on a single voting machine can steal votes with little if any risk of detection," and that the software can be installed on a voting machine in only a minute by anyone that has physical access. The study also discovered that Diebold's AccuVote-TS systems can be targeted by self-propagating viruses "that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity." The computer scientists conclude that defects are present in the hardware of the AccuVote-TS as well as the software. Although some issues can be mitigated by software updates, the machines themselves will have to be replaced in order to eliminate some of the problems identified by the study.
The AccuVote-TS machines are designed to automatically install code from a removable memory card during the boot process. A virus embedded in a bootloader image file stored on a memory card will automatically infect any machine that is booted while the card is inserted. The virus written by the Princeton experts will automatically install itself on every memory card inserted into the machine during subsequent boot processes. So, when a technician tries to update an infected system, the memory card containing the update will be altered and the virus will be passed on to any other voting machine that the technician tries to update from that memory card.
The paper suggests several ways to mitigate potential voting machine problems. Requiring that all updates be digitally signed could potentially prevent unauthorized software from infecting and manipulating voting machines. Limiting physical access to memory cards and voting machines could also help prevent tampering. The paper cites a study conducted in 2006, in which researchers addressed issues like "lack of inventory control and gaps in the chain of custody," pointing out the need for policies that establish secure handling and management practices for voting machines. The paper also advocates parallel testing, system certification, and paper trails as other potential solutions.
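An added example (not from the article, the Princeton paper or Diebold's code) that models the boot-time loader described above next to a loader enforcing the signed-update mitigation. The file names are hypothetical, the images are constructed, and a Lamport one-time hash-based signature stands in for a production scheme such as RSA or Ed25519 only so that the block runs on the Python standard library.

```python
import hashlib
import secrets

# Hypothetical file names: the article does not say what the loader looks for.
IMAGE_NAME = "bootloader.img"
SIG_NAME = "bootloader.img.sig"
FACTORY = b"CONSTRUCTED factory bootloader"


def digest_bits(data):
    """The 256 bits of SHA-256(data), most significant bit first."""
    digest = hashlib.sha256(data).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    """One-time key pair: 256 pairs of random secrets and their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32))
               for _ in range(256)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest())
              for a, b in private]
    return private, public


def lamport_sign(private, image):
    """Reveal one secret per digest bit. Each key may sign one image only."""
    return b"".join(private[i][bit] for i, bit in enumerate(digest_bits(image)))


def lamport_verify(public, image, signature):
    """True only if every revealed secret hashes to the expected public value."""
    if len(signature) != 256 * 32:
        return False
    return all(
        hashlib.sha256(signature[i * 32:(i + 1) * 32]).digest() == public[i][bit]
        for i, bit in enumerate(digest_bits(image))
    )


def boot_unsigned(card, machine):
    """Behaviour the article describes: install any image found on the card."""
    if IMAGE_NAME not in card:
        return "no-update"
    machine["firmware"] = card[IMAGE_NAME]
    return "installed"


def boot_signed(card, machine, vendor_public):
    """Mitigation: install only an image signed by the key the machine trusts."""
    if IMAGE_NAME not in card:
        return "no-update"
    image = card[IMAGE_NAME]
    if not lamport_verify(vendor_public, image, card.get(SIG_NAME, b"")):
        return "rejected"  # firmware is left untouched
    machine["firmware"] = image
    return "installed"


def demo():
    private, public = lamport_keygen()
    release = b"CONSTRUCTED official bootloader update"
    altered = b"CONSTRUCTED bootloader changed after release"
    signed_card = {IMAGE_NAME: release, SIG_NAME: lamport_sign(private, release)}
    # Image swapped, original signature file left in place.
    swapped_card = {IMAGE_NAME: altered, SIG_NAME: signed_card[SIG_NAME]}
    bare_card = {IMAGE_NAME: altered}

    results = {}
    machine = {"firmware": FACTORY}
    results["unsigned_loader_altered"] = boot_unsigned(bare_card, machine)
    results["unsigned_firmware_is_altered"] = machine["firmware"] == altered

    machine = {"firmware": FACTORY}
    results["signed_loader_swapped"] = boot_signed(swapped_card, machine, public)
    results["signed_loader_bare"] = boot_signed(bare_card, machine, public)
    results["signed_firmware_is_factory"] = machine["firmware"] == FACTORY
    results["signed_loader_release"] = boot_signed(signed_card, machine, public)
    results["signed_firmware_is_release"] = machine["firmware"] == release
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check is only as strong as the storage holding the public key and the verifying loader: if an update or brief physical access can rewrite either, the signature adds nothing.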
Last month, we reported on election disruptions that occurred in Alaska as a result of Diebold machine defects. Yesterday, Johns Hopkins University computer science professor Avi Rubin wrote a blog entry about a day at the polls with the Diebold AccuVote-TS. Serving as an election judge in the Maryland primary, Rubin witnessed numerous Diebold machine voting failures and deficiencies firsthand. From missing access cards to dysfunctional electronic poll books to ineffective anti-tamper mechanisms, the machines were nothing but trouble. Machines crashed, refused to synchronize, and inaccurately reported whether or not a citizen had already voted. One of the most disturbing revelations of the day related to Diebold's business practices rather than the machines themselves. The Diebold representative assigned to the precinct had been hired the day before, and had only received a brief six hours of training in a massive session with 80 other people. The representative admitted to having virtually no familiarity with the hardware, and claimed that Diebold hired cheap contractors to do the job rather than well-trained technicians in order to save money. The representative, who didn't even know how to set the machines up, gave up and left in frustration halfway through the day.
The state of California banned Diebold voting machines, and sued the company for machine-related fraud after flaws were found in the AccuVote-TSx machines used in a 2004 election. The constant stream of discovered vulnerabilities and problems in real elections may finally compel other states to do the same. Diebold has not yet responded to our requests for a comment, but sources say that the company is attempting to pressure the Princeton group into retracting the study. In the past, Diebold has typically responded to criticisms of its voting machines by asserting that the systems operate securely when properly configured.
[Link for this is here: http://arstechnica.com/gadgets/2006/09/7735/ , http://arstechnica.com/search/?query=voting+machine ]
Paper backup required by state
New law mandates ballot hard copies
Montgomery County voters won't face any new equipment this year, according to Administrator of Elections Vickie Koelman. The voting machines will be the same as they were in 2006.
After Election Day in November, however, things eventually will change here and across the state. The state Legislature approved a measure this session that requires the use of paper ballots and optical scanners.
All counties must switch to optical scan machines by the November 2010 elections.
Paper ballots may sound like a step back on the technology scale. If a recount is necessary, however, a paper backup adds credibility to the count numbers. Random samplings also can test the accuracy of the voting machines.
In retrospect, Tennessee shouldn't have been so quick to jump on the touch-screen bandwagon, especially when most of the machines didn't have any kind of paper backup. Just two of Tennessee's 95 counties keep a paper trail of voters' ballots.
We're going to have to hope for the best this election cycle and then purchase the new machines as soon as it's feasible after that.
The Battleground States: True Vote Sensitivity Analysis
http://freepress.org/departments/display/19/2012/4795
http://freepress.org/departments/display/19/2012/4766