nullcon 2011 - Security Analysis of India’s electronic voting machines: Memoirs of a whistleblower
•Als KEY, PDF herunterladen•
1 gefällt mir•2,454 views
Security Analysis of India’s electronic voting machines: Memoirs of a whistleblower by Hari Prasad
Empfohlen
Weitere ähnliche Inhalte
Ähnlich wie nullcon 2011 - Security Analysis of India’s electronic voting machines: Memoirs of a whistleblower
Ähnlich wie nullcon 2011 - Security Analysis of India’s electronic voting machines: Memoirs of a whistleblower (20)
Mehr von n|u - The Open Security Community
Mehr von n|u - The Open Security Community (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
nullcon 2011 - Security Analysis of India’s electronic voting machines: Memoirs of a whistleblower
- 2. Security Analysis of Indian EVM By Hari Prasad
- 3. History Of EVMs Evms are introduced by ECI in the year 1982 EVM design defined by ECI and developed & manufactured by ECIL & BEL respectively. ECIL uses H8 series MCU of Renesas chip & BEL uses Pic MCU of Microchip. Design improvements done after 1989 & 2006 Used Nation wide from 2004
- 4. EVM origin Binary of the source code(binary) given to the Chip Vendor for fusing into chip permanently OTP/Mask chips are delivered to the Manufacturer thru supply chain EVMs manufactured delivered to district electoral offices A functional test before a non-techie certifies the integrity of EVM EVM records are maintained at manufacturer end ECI assumes EVMs delivered are authentic machines
- 6. Design Motivation World’s largest democracy Last election: 400M votes cast on 1.4M machines Unique constraints Cost Power Environmental Conditions Voter Illiteracy
- 8. Ballot Unit
- 9. Battery
- 10. Display unit
- 11. What ECI claimed... EVMS
- 12. What ECI claimed... “Perfect” EVMS
- 13. What ECI claimed... “Perfect” “Tamperproof” EVMS
- 14. What ECI claimed... “Perfect” “Tamperproof” EVMS “Infallible”
- 15. What ECI claimed... “Perfect” “Tamperproof” EVMS “No need to “Infallible” improve”
- 16. Doubts... and a Public Challenge After surprising 2009 election results, major parties raised doubts… ECI issued public challenge: Demonstrate tampering on a real machine at ECI headquarters 9/09: Hari Prasad and team accepts challenge, only to be halted after 10 mins examining the machine Explanation: Intellectual property concerns! New ECI rules: Must show “Normal Tampering” ! ! ! (i.e., without opening the machine)
- 17. Our Analysis Feb 2010: Anonymous source approaches Hari, provides access to a machine Feb.-April: Very little sleep April 29, 2010: Release our findings on web and Indian TV
- 18. Inside the black box
- 19. Inside the black box
- 20. Inside the black box
- 21. Inside the black box
- 22. Inside the black box
- 23. Inside the black box
- 24. Inside the black box
- 25. Classes of vulnerabilities Dishonest look-Alikes Tampering internal state Insider attacks & secret software
- 41. ???
- 42. ? Voters have no other choice but to trust EVMs...
- 43. What Present EVMs lack: Transparency - ECI doesn’t own the source code - ECI never checked the source code - 3-4 junior engineers only know what’s in the Code as per Prof. Indiresan - EVM stocks never made Public Verifiability - Firmware burnt outside India - Deliberately designed to prevent reading out Code - Even ECI cannot verify the authenticity - No scientific process to verify components inside EVM
- 44. Questions Un-Answered Why are we using a generic chip instead of an ASIC ? Did all CEOs respond with EVM stocks to ECI ? Are all Master stock registers of EVMs Intact ? Why was randomization software allowed to be developed locally ?
- 45. Reactions
- 46. Summer 2010.. Buzz in the media & Political circles ECI publicly denies any problems: ! ! Machines still “practically tamperproof” Behind the scenes, ECI not happy…. ! ! Launches police investigation charging that ! EVM used for study is stolen
- 47. !"#$%&'()"'$*
- 48. Result...... ???
- 49. Result...... Detained for 8 days :-)
- 50. What is needed ? Transparency addressed: Open standards to be adopted EVM life cycle to be made public EVM design to be kept always open for ethical hacking Verifiability needs: VVPAT (Voter verifiable paper audit trail) Precinct optical scan voting machines Cryptographic voting Open source Authentication tool to verify the program code at all functional states, be developed under certification of NIC similar to SCOSTA Verification tools to be made available to everyone
- 51. Conclusion ECI should encourage/invite proposals from technical experts across the country to propose a tamper proof designs. Let develop a transparent voting system that meets needs and challenges of India ECI should constitute a new body of experts from all sections to vet the designs proposed ECI should be the sole owner of all technologies involved in Election process
Hinweis der Redaktion
- \n
- \n
- \n
- \n
- \n
- Motivation behind simple design: several unique constraints must function under\nIndia world’s largest, EV nationwide since 2004\nAlmost 1.5M machines, cost must be low ($200USD)\nIn many rural parts of India, power is unreliable. \nThese machines must also operate in extremes of temperature and humidity, and survive hazards such as dust, pollution and apparently fungus. \nLiteracy rate 66%\nFinally, there is the problem of Booth capture, a form of attack on paper ballots, where a group of criminals take over a polling place by force, and manually stuff the ballot box until the police show up.\n\n
- So these design constraints lead to a very simple voting machine. We performed a security analysis of this voting machine. There are two units, joined by a 5m cable. On the left is the ballot unit that voters use to cast their ballot. On the right is the control unit, which totals the votes and displays the results after the election. \n\n
- On the ballot unit, a voter simply presses a button next to their desired candidate to cast a vote. An arrow lights up next to the button, indicating the vote has been counted. As elections typically only have one race, the ballot is a list of candidate names, and associated symbol. The symbol helps illiterate voters choose their candidate. \n\n
- Here we see the Control Unit, which keeps track of the votes and displays the results after an election. A series of elaborate plastic doors guards different buttons, used at various times before, during and after an election. For example, at the end of the election, a worker presses the “Result” button…\n\n
- Which causes the machine to output the election results on the display. The poll worker holds up the machine for everyone to see in a public tallying session, as it iterates through its output. In this case, the control unit shows candidate 1 received 7 votes. The machine will go on to show the votes for candidate 2, and so on\n\n
- The EC maintains that the machines are perfectly secure. Here are some of the things they’ve been saying about them…\n\n
- The EC maintains that the machines are perfectly secure. Here are some of the things they’ve been saying about them…\n\n
- The EC maintains that the machines are perfectly secure. Here are some of the things they’ve been saying about them…\n\n
- The EC maintains that the machines are perfectly secure. Here are some of the things they’ve been saying about them…\n\n
- The EC maintains that the machines are perfectly secure. Here are some of the things they’ve been saying about them…\n\n
- \n
- After being turned away by the election commission, Hari was approached by an anonymous source, in February of this year. The source was also concerned about the security of these machines, and gave Hari access to a machine to study on his own, under the condition of anonymity.\n\n
- \n
- \n
- \n
- \n
- \n
- The smaller board is called the display board. This board outputs the results of the election, on 6 7-segment LED digit displays. It is connected to the main board by a 15-pin ribbon cable, and is itself completely stateless. The main board drives a multiplexed signal to the LEDs to illuminate them directly.\n\n\n
- \n
- The physical security is protected by simple seals. Seen here in images from a voting official training video, the seals are made out of nothing more than wax, and bits of twine. In the lower panel, we see the screw holes are covered by ink-jet printed stickers.\n\n
- \n
- We called the larger board of the two boards, the main board. The processor on the main board is an 8-bit microcontroller manufactured by Renesas, running at 8.8MHz. The microcontroller contains the election firmware in an on-chip masked ROM. Also on the board, is a pair of EEPROM chips. These chips store redundant copies \n
- An attacker could replace any component of the machine with a dishonest, including the entire control unit itself. \n\nWe prototyped a simpler attack device, which replaces the display board inside the control unit. \n\n\n
- An attacker could replace any component of the machine with a dishonest, including the entire control unit itself. \n\nWe prototyped a simpler attack device, which replaces the display board inside the control unit. \n\n\n
- \n
- \n
- \n
- We were able to analyze the data format stored on these EEPROM chips on the main board.\n\n
- We found the data format is very simple—it contains an array of one-byte records, each encoding the candidate number for a single vote. These records are stored in the order in which the votes were cast, giving an attacker a way to violate ballot secrecy.\n\nWe can rewrite the votes by wiring directly to the memory chips, but we decided to try to miniaturize this attack and see whether it could be made into a \n
- We created this miniature attack device, which we nicknamed it “Clippy”. \n\n
- Clippy attaches directly to the memory chips inside the machine, with the power on, and rewrites the votes.\n\n
- It takes only a couple of seconds to change the votes…then the green LED lights up to indicate that it’s “done.”\n\n
- The knob on top allows an attacker to choose which candidate he would like to win. \n\nAlternatively, setting the knob to position 0, allows him to read out the one-byte records of votes, and copy them to a laptop. Later, the attacker can correlate the \nOur attack device clips directly to each EEPROM chip, and reprograms the contents. The microcontroller on the main board is held in reset with a single jumper during the attack. Our device, which is powered completely from the machine, uses a PIC microcontroller to talk I2C to the EEPROM chips. \n\nBecause of the machine’s simplicity, we were able to build Clippy inexpensively—it would cost just a few dollars to make in quantity. It’s also discreet--small enough to fit in a shirt pocket.\n\nClippy could be used by dishonest insiders to steal votes, or by outsider criminals to perform an electronic form of booth capture. The software inside the control unit prevents more than 5 votes per minute from being recorded, but, since Clippy directly rewrite the vote storage memory, it can bypass this software rate limit and cast thousands \n
- \n
- Our previous two attacks focused on modifying state and hardware after the electronic voting machine had been deployed. Our final attack looks at how an insider might tamper with the results of an election by modifying the internal vote-counting _software_.\n\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n