Electronic Voting Machine Security: The Debate Continues
Security Practitioners on the Risks and Benefits
With the election commissioner of India announcing the polling dates across various states for the upcoming general elections, some security experts are calling attention to the urgency of ensuring the security of electronic voting machines. And they assert that the government has not been transparent about its EVM security efforts.
"It is hard to speak on EVM security given a lot of the technical details are not available in the public domain," says Sandesh Anand, managing consultant at the IT company Synopsys. "Also, many of the security controls in election security are through physical or perimeter security controls, which is out of scope of EVMs itself."
Lalit Chacko, CEO at Cognicx, a Bangalore-based boutique technology firm, notes: "The multiple hands that an EVM goes through for configuration, storage and usage, considering the size and spread of Indian electorate, creates enough opportunities for the willful hacker to manipulate. There have been studies which have pointed out that people with access to the EVMs at different stages of its configuration can tamper with the hardware, thereby destroying the integrity of the device."
Despite security concerns, Anand says, EVMs can play a key role in curbing fake votes.
"While there is a reason to continue to question the ECI on EVM security and work with them to improve it, they are miles ahead of paper ballots," Anand contends. "I am old enough to remember the horrors of ballot stuffing and booth capture. It's a minor miracle that those narratives have vanished from our elections. While there may be better theoretical models for elections, EVMs have served us well and should continue to do so."
Dr. Alok Shukla, former deputy election commissioner for India, says tampering with an EVM likely won't impact the results of an election.
"Attackers may tamper with EVMs, but doing so makes the machine non-functional. When I say EVMs are hack-proof, I mean that EVMs are non-functional when there has either been a software or a hardware manipulation," Shukla says. "Of course, I understand any technology can be hacked into, but once hacked, does an EVM function normally? The answer is no," he says.
Shukla explains further: "To manipulate hardware, an attacker needs to have access to EVM parts. The box, which has access to all parts of an EVM, has a circuit which is called a tamper detect circuit. If you try to open the box of the EVM even by a few microns, the tamper detect circuit goes off and it then self-destructs the chip of the EVM."
Over the years, political parties as well as security practitioners have said they're concerned that the chips used in EVMs are manufactured outside of India. They have also alleged that the hardware can be changed at any time, without the knowledge of EC officials, which increases risk.
Various groups have conducted research that they claim demonstrates that EVMs in India can be easily hacked. For instance, a team of Indian and international experts concluded that EVMs used in Indian elections are vulnerable to fraud. They have alleged that even brief access to EVMs could allow criminals to alter election results. A video prepared by the team that claims to demonstrate how an EVM can be hacked is available.
The research was performed by researchers from NetIndia, a Hyderabad-based technology company, the University of Michigan in the United States, and a nonprofit organization in the Netherlands that specializes in electronic voting issues.
The ECI over the years has taken several steps to mitigate concerns around the security of EVMs, Shukla says.
For example, an important step has been a change in the way chip codes are sent to manufacturers outside of India. "Earlier, the chip codes written by ECIL and BEL - public sector companies involved in manufacturing EVMs in India - were sent to chip manufacturers in the U.S. and Japan. Doubts were raised that the chip manufacturer could change the software without knowledge of ECIL and BEL," Shukla says. "The chips now are one-time programmable, making it impossible for manufacturers to have access to the software written on it."
Shukla says all EVMs manufactured in India now have PKI, which he says helps ECI to easily authenticate their machines in the field and identify fake EVMs. "They can also determine whether any components in the EVM have been changed," he says.
Shukla also insists Indian EVMs cannot be accessed remotely, so the question of tampering with software remotely does not arise. "Indian EVMs have no network access - GSM, CDMA, Bluetooth or Wi-Fi. Also, EVMs in India do not have Ethernet and are EMC [electromagnetic compatibility] and EMI [electromagnetic interference] compliant, which means if you try to put in a huge magnetic field, the EVM still does not take any signal," Shukla says.
Some security researchers have argued that the chips inside EVMs could be changed by a hacker. Shukla, however, says "it is nearly impossible for any hacker to change chips. EVM chips are using PKI technology. One can check if the chip has the digital signature issued."
For Better EVM Security
K.K. Mookhey, founder at NII Consulting, a Mumbai-based cyber consulting firm, says the government must look beyond technical security controls.
"When assessing the security of electronic voting, we have to look at the control framework holistically, and not just in terms of the technical security of the EVM box itself - which is also important - but we have to look at the overall security framework and its strength," Mookhey says. "I strongly believe ECI should regularly host hackathons and open up to security researchers who report security issues."
Anand also calls for ECI to conduct more hackathons.
"They must be opened to security experts and not just political parties. Except the physical location of the hackathon, no restriction must be put on the participants," Anand says.