InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity Dec 2009
Tech Focus

EVMs: Examining Security Features

After the results of Indian General Election 2009 were declared, certain political parties along with their supporters have questioned the very credibility of EVMs. For the first time in the history of India, the fate of a country is debated on the usage of trojan horse programs planted in the core control chip of EVMs. Having heard this controversy, let us first understand the security features of an EVM solely from a technical perspective.

A huge hue and cry was raised four months ago when former Delhi chief secretary Omesh Saigal claimed the Electronic Voting Machines (EVMs) were not tamper-proof. Later several prominent politicians from various parties too raised the issue. The Election Commission (EC) of India had then rejected the contention regarding tampering of the EVMs, but later decided to invite all those who had expressed reservations "to come and demonstrate the points made in their allegations".

A nationwide debate is now going on in India on the EVMs and whether they are tamper-proof. In this connection, let us study the technical features and security mechanisms that are built into the EVMs. As far as rigging of EVMs is concerned, this article does not come to any conclusions or pass judgments. In simple words, we shall not get into the credibility of EVMs or take sides in the debate between political parties.

Before getting into the security details of EVMs or the controversy surrounding them, let us understand the EVM and its working process in brief.

Working of EVMs

The EVMs were devised and designed by Election Commission of India in collaboration with two Public Sector undertakings—Bharat Electronics (BE), Bangalore and Electronics Corporation of India Limited (ECIL), Hyderabad. The EVMs are now manufactured by the above two undertakings.

An EVM comprises two sub-units, namely the Control Unit and the Ballot Unit (presenting the voter with a button). These two units are interconnected by a 9-pin connector cable of five meters, and both are powered by a power pack placed in the Control Unit. In the polling booth, the Control Unit is kept with the Presiding Officer or a Polling Officer and the Ballot Unit is placed inside the Voting Compartment, to enable the voter to cast his/her vote secretly. Instead of issuing a ballot paper, the Polling Officer in charge of the Control Unit will press the Ballot Button. This will enable the voter to cast his/her vote by pressing the blue button on the Balloting Unit against the candidate and symbol of his/her choice.

The microchip used in EVMs is manufactured in Japan and it is sealed at the time of import. It cannot be opened, and the program cannot be rewritten without damaging the chip.

General Security Features

EVMs are designed with various security features and programmed to register a valid vote by a citizen. Let us study the general protection features of EVMs.

Contrary to what one might think, it is not possible to vote more than once by pressing the voting button again and again. As soon as a particular button on the Balloting Unit is pressed, the vote is recorded for that particular candidate and the machine gets locked. Even if one presses that button again or any other button, no further vote will be recorded. This way the EVMs ensure the principle of "one person, one vote".

The EVMs cannot be pre-programmed to favour a party or a candidate because the order in which the name of a candidate/party appears on the balloting unit depends on the order of filing of nominations and validity of the candidature; this sequence cannot be predicted in advance. Further, the selection of EVMs for polling stations is randomized by computer selection, preventing advance knowledge of the assignment of specific EVMs to polling stations.

Listed below are the General Security Features of EVMs:

  • To prevent bogus voting, an EVM is programmed to record only five votes in a minute. This will frustrate the bogus voters. Further, the maximum number of votes that can be cast in a single EVM is 3840.

  • If an EVM goes out of order, the Election Officer in charge of the polling booth can replace the defunct EVM with a spare EVM. The votes recorded until the stage when the EVM went out of order remain safe in the memory of the Control Unit and it is not necessary to start the poll from the beginning.

  • The Control Unit can store the result in its memory for 10 years and even more. The battery is required only to activate the EVMs at the time of polling and counting. As soon as the polling is over, the battery can be switched off and this will be required to be switched on only at the time of counting. The battery can be removed as soon as the result is taken and can be kept separately. Therefore, there is no question of battery leaking or otherwise damaging EVMs. Even when the battery is removed the memory in the microchip remains intact. If the Court orders a recount, the Control Unit can be reactivated by fixing the battery and it will display the result stored in the memory.

  • Invalid votes can be avoided by use of EVMs. When the ballot system was used in India, the number of invalid votes was more than the winning margin between the candidates in every general election. With EVMs, there are no invalid votes.

Operational Protection Features

In addition to the general security features, which have a high degree of tamper resistance, the EVM has the following operational protection features:

  • No voting is possible without interconnecting the preset Balloting Unit.

  • Not possible to change the number of contesting candidates in a given polling process.

  • Polled data cannot be cleared till the result is seen.

  • No voting is possible after the closing of poll.
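The general and operational rules listed above can be read as a small state machine in the Control Unit. The C model below is an added illustration, not code from the article or from BE/ECIL firmware; all names (cu_t, cu_press_ballot, bu_press and so on), the 16-button limit and the rule that results are readable only after close are assumptions made for the example.

```c
#include <stdbool.h>
#include <string.h>
#define MAX_CAND  16    /* assumed button count on one Ballot Unit */
#define MAX_VOTES 3840  /* per-machine ceiling stated in the article */
#define RATE_N    5     /* at most RATE_N votes ... */
#define RATE_SECS 60    /* ... in any RATE_SECS seconds */

typedef struct {
    int  n_cand, total, count[MAX_CAND]; /* n_cand is fixed at preparation */
    long recent[RATE_N];                 /* times (s, >= 0) of last votes */
    bool bu_connected, armed, closed, result_seen;
} cu_t;
void cu_init(cu_t *cu, int n_cand) {
    memset(cu, 0, sizeof *cu);
    cu->n_cand = n_cand;
    for (int i = 0; i < RATE_N; i++) cu->recent[i] = -RATE_SECS;
}
/* Polling Officer presses "Ballot": arms the Ballot Unit for one vote. */
bool cu_press_ballot(cu_t *cu, long now) {
    if (cu->closed || !cu->bu_connected || cu->total >= MAX_VOTES) return false;
    /* recent[total % RATE_N] holds the oldest of the last RATE_N vote times */
    if (now - cu->recent[cu->total % RATE_N] < RATE_SECS) return false;
    cu->armed = true;
    return true;
}
/* Voter presses a candidate button; the machine locks again afterwards. */
bool bu_press(cu_t *cu, int cand, long now) {
    if (!cu->armed || cu->closed || !cu->bu_connected) return false;
    if (cand < 0 || cand >= cu->n_cand) return false;
    cu->recent[cu->total % RATE_N] = now;
    cu->count[cand]++;
    cu->total++;
    cu->armed = false;
    return true;
}
void cu_close(cu_t *cu) { cu->closed = true; cu->armed = false; }
/* Assumption: results are readable only after close; reading unlocks Clear. */
int cu_result(cu_t *cu, int cand) {
    if (!cu->closed || cand < 0 || cand >= cu->n_cand) return -1;
    cu->result_seen = true;
    return cu->count[cand];
}
bool cu_clear(cu_t *cu) {
    if (!cu->result_seen) return false;  /* polled data stays until seen */
    bool bu = cu->bu_connected;
    cu_init(cu, cu->n_cand);
    cu->bu_connected = bu;
    return true;
}
```

Each refusal path returns false without changing the tallies, which is the property a mock poll or bench test of these rules would check.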

Technical Security Features

Coming to the technical security features of EVMs, the Ballot Unit of the EVM is integrated with the Control Unit through a signal integrity method. The program code stored in the Micro-controller device checks for the presence of a specific Ballot Unit (i.e. Bharat Electronics make only) before establishing data communication. The Control Unit will not accept data from any Ballot Unit other than one of Bharat Electronics make because of the proprietary integrity check method.

Further to this, EVMs have Hardware Protection Mechanism, Firmware Protection Mechanism and Non-Volatile Memory security features. In the following section, we will discuss them in brief.

Hardware Protection Mechanism: The Control Unit contains a Micro-controller Integrated Circuit (IC), manufactured as a proprietary item for Bharat Electronics, with the main program codes permanently fused into the device, and a Non-Volatile Memory that stores the polled data. These two devices are the most critical in the voting chain and are protected against tampering by the following methods:

  • Unique serial numbers are captured on the Printed Circuit Board (PCB) and its records are maintained at the factory.

  • A manufacturer's ID number is provided for Bharat Electronics' proprietary Micro-controller and the records are maintained at the factory.

  • The Micro-controller IC and the Non-Volatile Memory IC are assembled onto the PCB by a special soldering process at the factory. Any tampering with or replacement of these devices leaves a residue and can be easily identified by experts with a visual look at the solder joint.

Firmware Protection Mechanism—OTP: In the Firmware Protection Mechanism—One Time Programmable Device (OTP), the following are incorporated in the micro controller IC, in order to prevent alteration / modification to the program code and the polled data:

  • The Micro-controller has a One Time Programmable Read Only Memory (OTPROM). Program codes are fused in this OTPROM permanently. Program codes once written and fused in this OTPROM cannot be read back or altered by anyone, including the manufacturer. Thus, the code is protected against both alteration and decoding of its contents.

  • The program code residing in the Micro-controller OTPROM does not accept data from any external device other than the BE-made Ballot Unit, which is part of the voting system, and thus an integrity check is built in.

  • Address and Data lines of the OTP Micro-controller are not accessible from outside.

  • The EVM is a stand-alone system; it does not have any operating system or connectivity with the Internet, and hence hacking is not possible.

Non-Volatile Memory: The memory device used in the EVM does not require a battery backup and can store the polled data adequately. It can be written only through the command signal from the Micro controller under specific conditions controlled by the program code. Hence, the Non-Volatile Memory and Micro Controller are tightly integrated.

Following are the Protection / Tamper resistance features of the Memory:

  • Polled data is encrypted and stored in the memory, which makes it inaccessible.

  • The Memory and the OTP Micro-controller are matched and have a tightly coupled handshake protocol. The code residing inside the Micro-controller verifies the encrypted data pattern stored in the Memory as an integrity check and to ensure it is the right type of memory, and only then establishes transfer of data to and from the memory. Any tampering with the memory device or altering of the data in the memory will result in a machine Error status, which will appear on the display of the Control Unit.

Additional Security Protocol

The tamper-proof technological soundness of the EVM has been endorsed over the past 20 years by a technical experts subcommittee appointed at the initiative of the Parliamentary Committee on Electoral Reforms. Besides, the Election Commission has in place elaborate administrative measures and procedural checks and balances aimed at total transparency and prevention of any possible misuse or procedural lapses.

These measures include rigorous pre-election checking of each EVM by the technicians, two level randomization with the involvement of political parties, candidates, their agents, for the random allotment of the EVMs to various constituencies and subsequently to various polling stations, preparation of the EVMs for elections in the presence of the candidates/their agents, and the Election Observers, provision for various thread seal and paper seal protection against any unauthorized access to the EVMs after preparation, mock poll in the presence of polling agents and mock poll certification system before the commencement of poll, post poll sealing and strong room protection, randomization of counting staff, micro observers at the counting tables, and so on.

EVM Rigging Controversy

Having read the security features and protection mechanisms built into the EVMs, let us come to the recent controversy on the rigging of EVMs.

In June 2009, Omesh Saigal, a former Delhi Chief Secretary, had sent a letter to Election Commissioner Dr. S. Y. Quraishi stating that he had made an oral presentation before Chief Election Commissioner (CEC) Navin B. Chawla, who had assured a complete examination by the Election Commission and by the scientific advisory committee headed by Professor Indiresan.

Saigal stated: "Please don’t think that we are the only ones to express the fears of electoral fraud through a dogla software (Trojan-horse). Both the technical committees set up by the EC, one in April 1990 and the other in September 2006, had articulated similar fears. These committees were headed by Professor Indiresan." Saigal said that he could give a detailed presentation to the EC to show how a ‘dogla’ software can be used to rig an election. Saigal added that the experts' committee had examined the possibility of a "trojan horse sub programme" being wilfully activated after knowing the key number allocation to favour a particular candidate by activating the software through some mechanism at the time of poll.

It is said that Saigal had demonstrated with his software that one has to just key in a certain code number, and that will ensure that every fifth vote cast in a particular polling booth goes in favour of a certain candidate.

In his letter to the CEC, Saigal alleged that the software written onto the EVMs has never been checked by the Election Commission ever since these machines were manufactured more than 6-7 years back. Saigal also argued that the EC merely relied on the certificates supplied by the manufacturers, the government-run BEL and ECIL. He alleged that these Government firms had subcontracted private parties who actually provided these certificates.

Saigal declared that "A public software audit of these machines from time to time, especially after and before an election, was a must to retain the credibility of the elections". He demanded that, for the sake of transparency, the names and ownerships of these private companies must be disclosed, as also the details of the factories where they were actually manufactured. The records retained in the factories must also be immediately taken over by the EC to prevent any tampering and to facilitate an audit.

Political Controversy

After the result of General Election 2009 to the Lok Sabha was declared, an Independent candidate in Latur in Maharashtra wrote to the Election Commission of Maharashtra demanding counting in his constituency be done four times as 'Trojan Horse' would be activated in the fourth round.

Following Saigal's argument that the EVMs could be manipulated, several political parties complained to the EC that the doubts raised about the possibility of rigging through EVMs should be examined carefully.

Based on the complaints from various political parties, the Election Commission had issued a statement stating that it has taken note of all the complaints of political parties on the credibility of the EVMs.

EC's Validation

In October 2009, when asked about complaints on EVMs by some political parties, Chief Election Commissioner Navin Chawla told reporters that "We are completely satisfied with the EVMs. If there is a representative or a political party wanting to come and see our demonstration, they are always welcome. Everything this Commission had to explain about EVMs, we have done". Pointing out that the EC had already given many clarifications on the functioning of EVMs, Chawla said the Commission had also made two demonstrations and no political party could prove the "tamperability" of the machines. On the Independent candidate from Latur, Chawla added that the EC did the counting four times and "there was no Trojan Horse".

In the backdrop of allegations by certain political parties that the EVMs could be hacked, a very detailed examination of the EVMs was carried out by technical experts concerning the reliability of EVMs, including the possibility of incorporating a 'Trojan horse' virus into the EVM chip. The Election Commission has come out with a statement that till date no party or individual has successfully demonstrated that they can be tampered with.

A Brief Conclusion

In this article, we have presented the general and technical security features of EVMs and also the allegations on the tampering of EVMs made by individuals and various political parties. As stated in the beginning, this article does not pass a judgement on the credibility of EVMs or support any group or individual. It is up to the Election Commission of India, the Judiciary, the Government of India, various technical research institutes and political parties to address this issue and resolve the differences at the earliest.

In view of the current interest, readers as citizens of India are invited to read this article, read further on the topic and keep updated on the latest happenings.

—By: R. Manoj. The author is an Assistant Editor at Fanatic Media, Bangalore. He is also an Independent Researcher, specializing in Systems Security. He has an active interest in designing security algorithms for securing mission critical systems. He can be reached at infosecurity@fanaticmedia.com



© 2006-07 'InfoSecurity' magazine. All rights reserved.