May 9, 2017, Posted by: Admin


Only a Source Code Audit Not a Hackathon can prove EVM's infallibility

I was about to write a blog on home routers and their vulnerabilities, as it has been a while since I wrote a blog.

But today's development about EVMs has interrupted all that, and here I am writing about EVMs again.

While I was waiting for the EC-announced hackathon, today AAP demonstrated an EVM hack in the Delhi assembly. Technically it wasn't an EC EVM hack, as they used a look-alike EVM which didn't belong to EC. Nevertheless, it was so powerful a demo that it has brought the EVM issue back into the limelight.

Using a complete look-alike EVM having two parts, a polling station and a controller, AAP's Bhardwaj first did a mock poll with it. Later he showed how it can be tampered with. Basically, a voter comes in and enters a code besides casting a vote. From that point onwards, every vote that is cast goes to BJP while the right light is shown being lit. That is, if a voter goes and votes for AAP, the light corresponding to AAP lights up while the vote is counted for BJP. No VVPATs are shown.

The demo thus proves many points.

It shows that such machines (and I am not saying it happens in EC EVMs) can be tampered with after a mock poll of a few votes. Thus, the mock poll doesn't ensure that the machine works properly.

Such machines can be tampered with in the middle of voting.

Now, coming back to EC EVMs, the EC has been denying that their machines can be tampered with and they claim they are perfect. To buttress their statement, they are not even showing any test results. Any security professional will tell you that this is baloney. One needs to have a full-fledged, documented security test plan, with the results documented. EC has either done none of it or is completely non-transparent about it.

There have been numerous documented cases of EVM malfunction (see my earlier blog here), and there has been either no investigation by EC or, if done, it is again non-transparent. All we have is EC's word, which in an engineering enterprise is meaningless.

The question that now arises after today's demo: are hacks like entering secret codes possible in EC's EVMs, and if present, how does one find them?

EC has announced a hackathon (details still awaited, though they first said it would happen from 1st May onwards). Will a hackathon reveal such bugs?

The answer to me is a clear no. Nothing less than a thorough inspection of the source code by independent security professionals can reveal hacks such as a secret code that can be entered, or other kinds of hacks if present in the EVMs. Further, it has to be ensured that only the inspected source code is compiled and deployed in the EVM. This can be done by computing what is called an MD5 hash of the binary and checking at the beginning of the booting process that the binary is not altered.

These are very basic things expected of any software product today. Even after this, one may be able to do hardware hacks which is another ball game altogether.

For instance, what if an EC EVM is replaced by a look-alike EVM of the kind AAP has used? Here again there ought to be a private key for each EVM that can be used to identify it, and the key has to be secret. Loss of that key would lead to disaster. Further, checks for firmware alteration would need to be done many times, not just once.
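An added sketch of the checks described in the two paragraphs above (not code from this post or from any EVM): a boot-time digest comparison against the audited binary, plus a per-device keyed challenge that can be repeated with a fresh nonce. It assumes SHA-256 in place of the MD5 named above, since MD5 collisions are practical, and uses an HMAC secret as a stand-in for the per-device private key; the firmware bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for firmware images (not real EVM code).
AUDITED_FW = b"\x7fFW" + b"count_vote(button)->tally[button]+=1;" * 8
TAMPERED_FW = AUDITED_FW.replace(b"tally[button]", b"tally[forced]", 1)

# Digest the auditors would publish for the exact binary they reviewed.
AUDITED_DIGEST = hashlib.sha256(AUDITED_FW).hexdigest()


def measure(image: bytes) -> str:
    """Digest of the firmware image. On real hardware this must run from
    immutable boot code, otherwise altered firmware can report any value."""
    return hashlib.sha256(image).hexdigest()


def boot_check(image: bytes, expected: str = AUDITED_DIGEST) -> bool:
    """Refuse to boot unless the image matches the audited digest."""
    return hmac.compare_digest(measure(image), expected)


def device_response(device_key: bytes, nonce: bytes, image: bytes) -> bytes:
    """Device side: bind the verifier's fresh nonce to the measured firmware
    using the secret that identifies this one machine."""
    msg = nonce + bytes.fromhex(measure(image))
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def verify_device(device_key: bytes, nonce: bytes, response: bytes,
                  expected: str = AUDITED_DIGEST) -> bool:
    """Verifier side: passes only for the right key, this nonce, and the
    audited firmware. A look-alike machine without the key fails here."""
    msg = nonce + bytes.fromhex(expected)
    want = hmac.new(device_key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(want, response)


if __name__ == "__main__":
    key = os.urandom(32)  # provisioned per machine, never leaves it
    for label, image in (("audited", AUDITED_FW), ("tampered", TAMPERED_FW)):
        nonce = os.urandom(16)  # fresh per check, so checks can be repeated
        resp = device_response(key, nonce, image)
        ok = boot_check(image) and verify_device(key, nonce, resp)
        print(label, "accepted" if ok else "rejected")
```

Because each check uses a new nonce, an old response cannot be replayed, which is what allows the check to be run before, during and after polling rather than only once.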

All in all, the ball is now in EC's court. They need to make the code public, or at least get it audited by a professional, independent team of auditors, and ensure the above precautions. Without that, the doubts about EVMs will not just persist but will become bigger.

Of course, all the cases found above --- now certain courts have ensured sealing of EVMs and forensic testing too ( see here and here )--- should also be investigated by independent experts.


Copyrights © 2017 Teknotrends Software Pvt Ltd All rights reserved