Sometime in late 2009, a lone electronic voting machine (EVM) was stolen from the Election Commission of India. Highly sensitive and strictly confidential, this machine was smuggled by a thief into the hands of Hari Prasad, a security researcher for a technology firm in Hyderabad, so that he and his team could open it up. Their goal: figure out how someone could rig an election by tampering with an EVM.
First, to understand the vulnerability of an EVM, you first must understand how they work. Each EVM has two components: a ballot unit and a control unit. The ballot unit displays each candidate, their party’s symbol and a button for each choice. The control unit is held by the election worker and activates the ballot unit to allow for one vote, preventing an enthusiastic voter from pressing their candidate’s button 10 times. To tabulate the results, the control unit displays how many votes it counted for each of the candidates.
Prasad and his team published the weaknesses they found in a paper and explained their methods in a video posted on their website. Prasad was then arrested in 2010 by the Mumbai police and interrogated regarding the circumstances leading to him obtaining an EVM, though he was later released. Efforts to reach Prasad via Twitter and email were unsuccessful. But based on his findings, though, here are a few ways someone could rig the results of the biggest election on the planet:
1. Dishonest display attack
Forget the inner workings of the EVM, the most straightforward way to alter the votes is simply changing the numbers that the control unit displays at counting. Prasad’s team built a mimicked display in “just a few weeks using parts that cost just a few dollars.” In their fake display, they hid a new computer chip tied to a bluetooth radio, allowing an attacker to remotely decide what numbers should show on the EVM from the convenience of their iPhone. This attack requires physical access to the EVM but can be implemented “any point before votes are publicly counted, perhaps years before the election.”
2. Clip-on memory manipulator attack
Between the time votes are cast and the votes are publicly counted, a memory device could be attached to the inside of the EVM to re-write the votes. This process takes advantage of the simple interface link between the CPU and the memory unit on the EVMs circuit board.
3. Attack the central processing unit of the EVM
“A well-funded adversary could construct a look-alike chip package containing both a radio receiver and a processor,” Prasad’s team writes in its paper. It is also possible to attack the source code and alter it to contain a vulnerability before it is written into the chip.
The ECI denied claims of vulnerability for years, calling the EVMs “tamper-proof.” That is until Prasad and his team, which included a computer science professor from the University of Michigan and a technology activist from Holland, got their hands on an EVM and published their findings in early 2010. As a result of subsequent court filings, the Delhi High Court ruled in early 2012 that the EVMs are indeed not tamper-proof. Within days, the ECI ordered the implementation of a paper-trail system that would allow voters to see a printout of their vote after selecting their candidate on the EVM. The printout would display the voter’s choice for a few seconds and then fall into a secure box, providing a physical duplicate to the EVM’s digital count. Yet, for the 2014 election, only 20,600 EVM units have had this paper trail system implemented—just over 1% of the total electronic machines currently in use.
The other critical defenses touted by the ECI include the physical security surrounding the EVMs through polling until counting, unknown ballot order until a few weeks before polling, and the locked nature of the source code. This last one, though, is actually quite worrisome.
Having the source code masked means that once the simple software that runs an EVM is burned into the microchip, it becomes both unalterable and cannot be read back out, even by the Election Commission. While viewed as a double blind way to ensure security, it is actually a double-edged sword. Today, if an ECI official wished to randomly inspect an EVM at a polling station to verify its source code were correct, he would be unable to do so. One cannot know if any given EVM is running genuine software.
The problem with secrecy as a barrier to fraud is that it requires absolute infallibility—once compromised in any place, the entire system becomes vulnerable. Making a chip unreadable is also not iron-clad; given extreme patience, it can be overcome. Plus, if Prasad—a friend of Indian democracy—was able to steal an EVM, then the system is breachable. According to the ECI, there are 1,720,080 control units and 1,878,306 ballot units being used during this election—quite a large secret to keep.
Prasad’s report aptly quotes Auguste Kerckhoffs, a 19th century linguist, whose famous principle of military cryptography said a good code “must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience.”
Is it paranoid to think that these tactics, even on a small scale, could be used to alter the election? In the 2009 General Election, 54 of the Lok Sabha seats were decided by a margin of less than 10,000 votes. Swinging a vote across that margin would require the manipulation of just a few dozen EVMs per district, depending on how drastically one altered the results. Certainly no voting system is perfect and EVMs are generally agreed to be an improvement on paper ballots. But human designs are inherently flawed—constant iteration is a must.
For his work, Prasad was arrested by Indian authorities. But he also was awarded the 2010 Pioneer Award by the Electronic Frontier Foundation, a San Francisco-based civil liberties group. He is the first Indian to win the award.
Follow Thane on Twitter @ThaneRichard. We welcome your comments at ideas@qz.com.