3. History Of EVMs
EVMs were introduced by ECI in the year 1982
EVM design is defined by ECI; the machines are developed and
manufactured by ECIL and BEL.
ECIL uses an H8-series MCU from Renesas and
BEL uses a PIC MCU from Microchip.
Design improvements were made after 1989 and 2006
Used nationwide from 2004
4. EVM origin
Binary of the source code is given to the chip
vendor for fusing into the chip permanently
OTP/mask chips are delivered to the manufacturer through the
supply chain
EVMs are manufactured and delivered to district electoral offices
A functional test before a non-techie certifies the
integrity of the EVM
EVM records are maintained at the manufacturer's end
ECI assumes the EVMs delivered are authentic machines
15. What ECI claimed...
EVMs:
“Perfect”
“Tamperproof”
“Infallible”
“No need to improve”
16. Doubts... and a Public Challenge
After surprising 2009 election results, major
parties raised doubts…
ECI issued public challenge: Demonstrate
tampering on a real machine at ECI headquarters
9/09: Hari Prasad and team accept the challenge,
only to be halted after 10 mins of examining the
machine
Explanation: Intellectual property concerns!
New ECI rules: Must show “Normal Tampering”
(i.e., without opening the machine)
17. Our Analysis
Feb 2010: Anonymous source approaches
Hari, provides access to a machine
Feb.-April: Very little sleep
April 29, 2010: Release our findings on web
and Indian TV
43. What Present EVMs lack:
Transparency
- ECI doesn’t own the source code
- ECI never checked the source code
- Only 3-4 junior engineers know what’s in the code, as per
Prof. Indiresan
- EVM stocks never made public
Verifiability
- Firmware burnt outside India
- Deliberately designed to prevent reading out Code
- Even ECI cannot verify the authenticity
- No scientific process to verify components inside EVM
44. Questions Un-Answered
Why are we using a generic chip instead of
an ASIC?
Did all CEOs respond with EVM stocks to
ECI?
Are all master stock registers of EVMs
intact?
Why was randomization software allowed to
be developed locally?
46. Summer 2010..
Buzz in the media & Political circles
ECI publicly denies any problems:
Machines still “practically tamperproof”
Behind the scenes, ECI not happy…
Launches police investigation charging that
EVM used for study is stolen
50. What is needed?
Transparency addressed:
Open standards to be adopted
EVM life cycle to be made public
EVM design to be kept always open for ethical hacking
Verifiability needs:
VVPAT (Voter verifiable paper audit trail)
Precinct optical scan voting machines
Cryptographic voting
Open-source authentication tool to verify the program code
at all functional states, to be developed under certification of
NIC, similar to SCOSTA
Verification tools to be made available to everyone
51. Conclusion
ECI should encourage/invite proposals from
technical experts across the country to propose
tamper-proof designs.
Let us develop a transparent voting system that
meets the needs and challenges of India
ECI should constitute a new body of experts from
all sections to vet the designs proposed
ECI should be the sole owner of all technologies
involved in Election process
Editor's notes
Motivation behind simple design: several unique constraints must function under
India world’s largest, EV nationwide since 2004
Almost 1.5M machines, cost must be low ($200 USD)
In many rural parts of India, power is unreliable.
These machines must also operate in extremes of temperature and humidity, and survive hazards such as dust, pollution and apparently fungus.
Literacy rate 66%
Finally, there is the problem of booth capture, a form of attack on paper ballots, where a group of criminals take over a polling place by force, and manually stuff the ballot box until the police show up.

So these design constraints lead to a very simple voting machine. We performed a security analysis of this voting machine. There are two units, joined by a 5m cable. On the left is the ballot unit that voters use to cast their ballot. On the right is the control unit, which totals the votes and displays the results after the election.

On the ballot unit, a voter simply presses a button next to their desired candidate to cast a vote. An arrow lights up next to the button, indicating the vote has been counted. As elections typically only have one race, the ballot is a list of candidate names and associated symbols. The symbol helps illiterate voters choose their candidate.

Here we see the Control Unit, which keeps track of the votes and displays the results after an election. A series of elaborate plastic doors guards different buttons, used at various times before, during and after an election. For example, at the end of the election, a worker presses the “Result” button…

Which causes the machine to output the election results on the display. The poll worker holds up the machine for everyone to see in a public tallying session, as it iterates through its output. In this case, the control unit shows candidate 1 received 7 votes. The machine will go on to show the votes for candidate 2, and so on.

The EC maintains that the machines are perfectly secure. Here are some of the things they’ve been saying about them…
After being turned away by the election commission, Hari was approached by an anonymous source, in February of this year. The source was also concerned about the security of these machines, and gave Hari access to a machine to study on his own, under the condition of anonymity.
The smaller board is called the display board. This board outputs the results of the election on six 7-segment LED digit displays. It is connected to the main board by a 15-pin ribbon cable, and is itself completely stateless. The main board drives a multiplexed signal to the LEDs to illuminate them directly.
The physical security is protected by simple seals. Seen here in images from a voting official training video, the seals are made out of nothing more than wax and bits of twine. In the lower panel, we see the screw holes are covered by ink-jet printed stickers.
We called the larger of the two boards the main board. The processor on the main board is an 8-bit microcontroller manufactured by Renesas, running at 8.8 MHz. The microcontroller contains the election firmware in an on-chip masked ROM. Also on the board is a pair of EEPROM chips. These chips store redundant copies

An attacker could replace any component of the machine with a dishonest one, including the entire control unit itself.

We prototyped a simpler attack device, which replaces the display board inside the control unit.
We were able to analyze the data format stored on these EEPROM chips on the main board.

We found the data format is very simple—it contains an array of one-byte records, each encoding the candidate number for a single vote. These records are stored in the order in which the votes were cast, giving an attacker a way to violate ballot secrecy.

We can rewrite the votes by wiring directly to the memory chips, but we decided to try to miniaturize this attack and see whether it could be made into a

We created this miniature attack device, which we nicknamed “Clippy”.

Clippy attaches directly to the memory chips inside the machine, with the power on, and rewrites the votes.

It takes only a couple of seconds to change the votes…then the green LED lights up to indicate that it’s “done.”

The knob on top allows an attacker to choose which candidate he would like to win.

Alternatively, setting the knob to position 0 allows him to read out the one-byte records of votes and copy them to a laptop. Later, the attacker can correlate the

Our attack device clips directly to each EEPROM chip and reprograms the contents. The microcontroller on the main board is held in reset with a single jumper during the attack. Our device, which is powered completely from the machine, uses a PIC microcontroller to talk I2C to the EEPROM chips.

Because of the machine’s simplicity, we were able to build Clippy inexpensively—it would cost just a few dollars to make in quantity. It’s also discreet--small enough to fit in a shirt pocket.

Clippy could be used by dishonest insiders to steal votes, or by outsider criminals to perform an electronic form of booth capture. The software inside the control unit prevents more than 5 votes per minute from being recorded, but, since Clippy directly rewrites the vote storage memory, it can bypass this software rate limit and cast thousands
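
The vote storage described in these notes (one byte per vote, kept in cast order, held in redundant copies) can be modelled to show what an auditor can and cannot detect from it. This is an added Python example, not code from the slides or their authors: the sample bytes are constructed, the function names are hypothetical, and the keyed tag is an assumed mitigation that the slides do not describe.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample, not a real dump: one byte per vote, value = candidate
# number, stored in the order the votes were cast (layout as the notes describe).
VOTE_LOG = bytes([1, 3, 2, 1, 1, 3, 2, 1])
# Assumption: a secret kept outside the vote memory; the slides describe no such key.
DEMO_KEY = b"constructed-demo-key"


def tally(log: bytes) -> dict:
    """Per-candidate totals; the result does not depend on record order."""
    return dict(sorted(Counter(log).items()))


def copies_agree(copy_a: bytes, copy_b: bytes) -> bool:
    """Redundancy check: flags a change only if the two copies differ."""
    return copy_a == copy_b


def seal(log: bytes, key: bytes = DEMO_KEY) -> bytes:
    """HMAC-SHA256 tag over the whole log."""
    return hmac.new(key, log, hashlib.sha256).digest()


def audit(copy_a: bytes, copy_b: bytes, tag: bytes, key: bytes = DEMO_KEY) -> dict:
    """Report what each check can see about the stored records."""
    return {
        "copies_agree": copies_agree(copy_a, copy_b),
        "tag_valid": hmac.compare_digest(seal(copy_a, key), tag),
        "tally": tally(copy_a),
    }


if __name__ == "__main__":
    tag = seal(VOTE_LOG)
    print(audit(VOTE_LOG, VOTE_LOG, tag))
    # Same records with the cast order discarded: the totals are unchanged,
    # so counting never needed the order that exposes ballot secrecy.
    print(tally(bytes(sorted(VOTE_LOG))) == tally(VOTE_LOG))
    # Both copies changed to the same altered contents: the redundancy check
    # still passes, only the keyed tag reports the change.
    altered = bytes([2]) * len(VOTE_LOG)
    print(audit(altered, altered, tag))
```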
Our previous two attacks focused on modifying state and hardware after the electronic voting machine had been deployed. Our final attack looks at how an insider might tamper with the results of an election by modifying the internal vote-counting _software_.