Tuesday, December 19, 2017

Security of Indian EVMs


The Indian EVM has two parts to it: a control unit and a ballot unit. The current generation of EVMs uses an EEPROM and a Renesas/Microchip processor in the control unit to maintain a count of the votes cast and to operate the ballot unit. [ref 1]

Here are the knowable sources of vulnerability:

1) The die used to make the microprocessor and the fab lines used to actually make the chips are not under ECIL or BEL control. Absent this control, there is no way to ensure that, when the chips are made, additional circuitry that permits interference is not fabricated onto them. This kind of hardware hacking is rare, but it is entirely possible in the context of something as prized as an Indian electoral verdict.

2) The firmware and the EEPROM data are loaded onto the control unit at the factory. It is not known if there are ways of ensuring that the code as written by ECIL/BEL is actually what is on the EEPROM, or that it functions without vulnerabilities together with the firmware. It is unclear how firmware changes are rolled out by the chip manufacturers and to what extent ECIL/BEL has visibility into those changes. Given the small volume of chips produced (only a few million, as opposed to tens or hundreds of millions), it would be difficult to imagine that the EC of India has leverage with the chip manufacturer on either transparency or volume pricing. Malicious firmware attacks are becoming increasingly common, and I expect the situation will get worse as The Shadow Brokers release NSA/TAO toolkits to all manner of criminals across the world. Neither the EEPROM data nor the firmware is verified after the EVM is handed over into EC custody, as there is no means of doing so.
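The verification step the paragraph above says is missing can be made concrete. The following is an added example, not ECIL/BEL code and not a description of the real EVM memory layout: it assumes (hypothetically) that an auditor at custody handover can read back the control unit's firmware image and EEPROM data region, and that the manufacturer publishes a manifest of expected SHA-256 digests over a trusted channel. The EEPROM layout (a 16-byte header followed by one 32-bit little-endian counter per button) and all sample bytes are constructed for illustration; in the example the manifest is derived from the sample image only so that the block runs offline.

```python
"""Custody-handover integrity check for an EVM control unit (added example)."""
import hashlib
import hmac
import struct

HEADER_LEN = 16    # constructed layout: header, then one uint32 counter per button
COUNTER_SIZE = 4


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_firmware(image: bytes, model: str, manifest: dict) -> list:
    """Return a list of findings; an empty list means the image matches the manifest."""
    expected = manifest.get(model)
    if expected is None:
        return [f"no manifest entry for model {model}"]
    # Constant-time comparison so the check itself does not leak digest bytes.
    if not hmac.compare_digest(sha256_hex(image), expected):
        return [f"firmware digest mismatch for model {model}"]
    return []


def verify_eeprom_counters(eeprom: bytes, buttons: int) -> list:
    """At handover every vote counter must read zero; report any that do not."""
    needed = HEADER_LEN + COUNTER_SIZE * buttons
    if len(eeprom) < needed:
        return [f"eeprom too short: {len(eeprom)} < {needed}"]
    findings = []
    for i in range(buttons):
        (count,) = struct.unpack_from("<I", eeprom, HEADER_LEN + COUNTER_SIZE * i)
        if count != 0:
            findings.append(f"counter {i} pre-loaded with {count}")
    return findings


def audit_unit(unit_id: str, model: str, image: bytes, eeprom: bytes,
               buttons: int, manifest: dict) -> dict:
    findings = verify_firmware(image, model, manifest) + verify_eeprom_counters(eeprom, buttons)
    return {"unit": unit_id, "ok": not findings, "findings": findings}


# Constructed sample data (hypothetical model name "M3", four ballot buttons).
GOOD_IMAGE = b"constructed control-unit firmware image, build 1"
TAMPERED_IMAGE = GOOD_IMAGE + b"\x00"        # one extra byte changes the digest
MANIFEST = {"M3": sha256_hex(GOOD_IMAGE)}    # would come from the manufacturer in practice
CLEAN_EEPROM = b"\x00" * HEADER_LEN + struct.pack("<4I", 0, 0, 0, 0)
PRELOADED_EEPROM = b"\x00" * HEADER_LEN + struct.pack("<4I", 0, 0, 0, 7)

if __name__ == "__main__":
    for unit, img, ee in [("CU-001", GOOD_IMAGE, CLEAN_EEPROM),
                          ("CU-002", TAMPERED_IMAGE, PRELOADED_EEPROM)]:
        print(audit_unit(unit, "M3", img, ee, 4, MANIFEST))
```

The digest check only has value if the manifest reaches the auditor through a channel the chip and device manufacturers cannot alter after the fact, which is exactly the transparency the post says the EC lacks; the counter check catches the cheaper problem of a unit arriving with votes already recorded.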

3) The ballot unit has a "None Of The Above" (NOTA) option at the end of every ballot. This is a specific entry that is labelled identically in every ballot definition file. The ballot definition files (BDF), which correlate the buttons on the ballot unit to specific parties, are usually created at the state-level election commission. Given where the NOTA entry is on the BDF, I can write a script which transfers one vote out of every 10 or so from certain positions in the BDF to the NOTA entry. As long as I have control of the local EC, I can ensure that my political party of choice is not in those "certain positions" and that votes for my adversary party are added to the NOTA tally. In this fashion, even if my adversary had enough votes, I would be able to reduce their total relative to mine while the total number of votes cast is conserved.

Given that NOTA votes could have changed the outcome in 24 constituencies in the recent Gujarat elections, it is important to review the EVMs used in these constituencies, and where gen 3 devices with VVPAT were used, the EC should go over those VVPATs to see if they match the votes recorded. If the EC does not do this, it will further erode the already weakening trust between the EC and the people of India. This loss of trust is corrosive to the idea of India.
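The VVPAT review proposed above, and the vote-shifting scenario in point 3, both come down to one reconciliation: compare the electronic tally with a full count of the paper slips, per candidate, and flag any constituency where the two disagree or where the NOTA count is at least the winning margin. The following is an added example, not code from the original post or from the Election Commission; constituency names and counts are constructed, and it assumes the auditor has per-candidate counts for both records, each including the NOTA entry.

```python
"""Reconcile electronic EVM tallies against VVPAT paper-slip tallies (added example)."""
from dataclasses import dataclass

NOTA = "NOTA"   # labelled identically in every ballot definition


@dataclass
class Reconciliation:
    constituency: str
    totals_match: bool      # a vote-shifting attack conserves totals, so this alone proves little
    mismatches: dict        # candidate -> (electronic, paper) wherever the two differ
    paper_winner: str
    margin: int             # paper-trail margin between first and second place
    nota: int               # paper-trail NOTA count
    nota_decisive: bool     # NOTA >= margin: misdirected votes could have flipped the seat
    flagged: bool


def reconcile(constituency: str, electronic: dict, paper: dict) -> Reconciliation:
    if set(electronic) != set(paper):
        raise ValueError("electronic and paper tallies use different ballot definitions")
    totals_match = sum(electronic.values()) == sum(paper.values())
    mismatches = {c: (electronic[c], paper[c]) for c in electronic if electronic[c] != paper[c]}
    # The voter-verified paper trail is treated as the authoritative record for the outcome.
    ranked = sorted((c for c in paper if c != NOTA), key=lambda c: paper[c], reverse=True)
    winner = ranked[0]
    runner_up_votes = paper[ranked[1]] if len(ranked) > 1 else 0
    margin = paper[winner] - runner_up_votes
    nota = paper.get(NOTA, 0)
    nota_decisive = nota >= margin
    return Reconciliation(constituency, totals_match, mismatches, winner, margin, nota,
                          nota_decisive, flagged=bool(mismatches) or nota_decisive)


def audit(tallies: dict) -> list:
    """tallies: constituency -> (electronic, paper). Returns constituencies needing review."""
    results = [reconcile(name, e, p) for name, (e, p) in tallies.items()]
    return [r.constituency for r in results if r.flagged]


# Constructed sample data: candidates "P" and "Q" plus NOTA in three seats.
SAMPLE = {
    # clean count, but NOTA (520) exceeds the margin (400): worth a look
    "Seat-A": ({"P": 5000, "Q": 4600, NOTA: 520}, {"P": 5000, "Q": 4600, NOTA: 520}),
    # 500 of Q's votes recorded as NOTA electronically; totals are conserved
    "Seat-B": ({"P": 4800, "Q": 4400, NOTA: 700}, {"P": 4800, "Q": 4900, NOTA: 200}),
    # clean count and NOTA well below the margin
    "Seat-C": ({"P": 6000, "Q": 3000, NOTA: 150}, {"P": 6000, "Q": 3000, NOTA: 150}),
}

if __name__ == "__main__":
    for name, (e, p) in SAMPLE.items():
        print(reconcile(name, e, p))
    print("needs review:", audit(SAMPLE))
```

Seat-B is the instructive case: the totals reconcile exactly, the electronic record shows P ahead, and only the per-candidate comparison against the paper slips reveals that the seat was actually won by Q. A totals-only or sample-based tally check would not see it.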

I feel the ECIL/BEL scientists have done a great job designing a cheap and reasonably secure device for use in the Indian context, but like all technology it comes with vulnerabilities and flaws, and it is incumbent upon all Indian citizens to be a part of reducing the effects of those flaws.

It is time other Indians rose to the challenge at hand and picked up where ECIL/BEL have left off.
