Tuesday, May 11, 2010

Electronic voting insecure

After the shambles last week of many people being turned away from the polls we have the inevitable call for electronic and internet voting.  We know however that the electronic voting systems currently deployed are seriously insecure. Hari K. Prasad, J. Alex Halderman, Rop Gonggrijp have reinforced this with a study of India's evoting machines which they demonstrate are vulnerable to fraud.

From the team's press release:

"Says Gonggrijp: "Never mind what election officials say, this research once again shows that the longstanding scientific consensus holds true—DRE voting machines are fundamentally vulnerable. Such machines have already been abandoned in Ireland, the Netherlands, Germany, Florida and many other places. India should follow suit."
Gonggrijp continues: "In order to have any transparency in elections, you need to have votes on paper. Computers can be programmed to count votes honestly, but since nobody can watch them, they might just as easily be programmed to count dishonestly. How is the voter supposed to tell the difference?""
Alex Haldemann comments:
"I've studied electronic voting machines for years, but I've never had such a strong sense that actual fraud might be taking place. There have been dozens of reports from around India that politicians have been approached by engineers offering to manipulate the machines to steal votes. My Indian coauthor, Hari Prasad, was himself approached by a prominent party and asked to help them with such manipulations! It's just too easy, thanks to the simple design of the machines and the lack of adequate safeguards, and there are probably a million people in India with the necessary electronics skills.
Many people believe that using a simple design makes these machines safer than the complex machines used in the U.S. (which sometimes contain almost a million lines of code), but simple machines are much easier to attack via hardware, and simplifying too much means giving up standard security techniques like strong cryptography. Essentially, you're left with a system that depends entirely on the physical security of the machines, just like paper ballots depend on the security of the ballot box, but with much less transparency than paper voting. What India and other democracies need is a system that's both secure *and* transparent, so that voters can have well-founded confidence their votes count."

Ed Felten says:
"The independent Electoral Commission of India, which is generally well respected, has dealt poorly with previous questions about EVM security. The chair of the Electoral Commission has called the machines "infallible" and "perfect" and has rejected any suggestion that security improvements are even possible. I hope the new study will cause the EC to take a more realistic approach to EVM security.
The researchers got their hands on a real Indian EVM which they were able to examine and analyze. They were unable to extract the software running in the machine (because that would have required rendering the machine unusable for elections, which they had agreed not to do) so their analysis focused on the hardware. They were able to identify several attacks that manipulated the hardware, either by replacing components or by clamping something on to a chip on the motherboard to modify votes. They implemented demonstration attacks, actually building proof-of-concept substitute hardware and vote-manipulation devices.
Perhaps the most interesting aspect of India's EVMs is how simple they are. Simplicity is a virtue in security as in engineering generally, and researchers (including me) who have studied US voting machines have advocated simplifying their design. India's EVMs show that while simplicity is good, it's not enough. Unless there is some way to audit or verify the votes, even a simple system is subject to manipulation."
Update: Check out also ORG's briefing on why evoting systems are difficult to secure.

No comments: