About a decade ago, the Election Commission of India (ECI) began mass deployment of electronic voting machines (EVMs) for elections. The security of EVMs rests only on obscurity: the details of their software and hardware are only vaguely available. No third-party audit of their security has ever been done. Time and again, security researchers have asked for access to an EVM, but they have been regularly denied, except in September 2009, when Hari Prasad was asked to demonstrate an attack on an EVM in 2 hours and was then stopped within 10 minutes on the grounds of intellectual property concerns.
Unlike technology-based financial transaction systems, which evolved over years to handle phishing attacks, MITM and credit-card fraud, elections are held relatively infrequently and hence do not provide much opportunity to evolve and learn about the adversaries. Unless the results of elections are verified against another source, it is impossible to tell whether the machine is free of bugs. Also, unlike finance, there is nothing to hedge against here. As we know, embedded systems are inherently prone to bugs. Yes, even deeply scrutinized systems such as space rockets and satellites have had integer overflow errors, been attacked by worms and assumed wrong units; without a rigorous audit, it is impossible to say that the machines will work fine.
Given how the Indian government deals with technology, this is nothing new, but what is intriguing is that when researchers demonstrated that EVMs are not secure, rather than rewarding the whistleblowers, ECI arrested Hari Prasad (the only Indian national in the group), blatantly denied that EVMs can be compromised and used all sorts of harassment to pressure him to reveal the “source” which provided the EVM. Even the highest judicial body in India, the Supreme Court, has already declared that ECI is the sole authority on this topic. On top of that, even ECI does not have the source code of the machines (their “technical team” has looked at the source code, but the machines’ source code is read-protected, so even ECI cannot verify that the machines they have received are untampered). Quoting Prasad, ECI is now planning a paper audit trail which can later be used for verification.
Disclaimer: This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.