India's EVMs are Vulnerable to Fraud

Hari K. Prasad, J. Alex Halderman, Rop Gonggrijp

Questions & Answers

Q: Who are you?
A: We are scientists and technologists. Some of us have studied other voting systems in Europe and the US and have discovered serious flaws. In some cases these discoveries have led to the use of such systems being discontinued.

Q: Why did you study India's EVMs?
A: The Election Commission of India has spoken of India's EVMs as "infallible" and "perfect", yet similar electronic voting machines used around the world have been shown to suffer from serious security problems. India's machines had never been subjected to credible independent research.

Q: How did you get the EVM you studied?
A: It was provided by a source who has asked to remain anonymous.

Q: What have you found?
A: We found that an attacker with brief access to EVMs can tamper with votes and potentially change election outcomes. We demonstrate two attacks that involve physically tampering with the EVMs’ hardware. First, we show how dishonest election insiders or other criminals could alter election results by replacing parts of the machines with malicious look-alike parts. Such attacks could be accomplished without the involvement of any local poll officials. Second, we show how attackers could use portable hardware devices to change the vote records stored in the machines. This attack could be carried out by local election officials without being detected by the national authorities or the EVM manufacturers. Safeguards against these attacks are either absent or woefully inadequate. For the full details, please read our technical paper.

Q. Did you demonstrate attacks on a real EVM?
A: Yes. The EVM we worked with is a real EVM that has been used in recent national elections.

Q: How could you manipulate the internal memory to change the vote records? These EVMs are sealed.
A: The seals quite literally consist of stickers, string, and red wax. Tampering with them would not present a challenge to an attacker. Our video has an excerpt from an official training film showing some of the seals being applied. Have a look and see if you feel you could manipulate these seals yourself.

Q: How could a dishonest EVM know which candidate to favour?
A: Our dishonest display board attack adds a Bluetooth radio, so criminals could wirelessly signal which candidate to favour. Our memory manipulation attacks happen between election and counting, when everything an attacker needs to know is already public. In our paper we explain more complicated attacks that use the total number of candidates in a constituency as a signaling mechanism. These don't need radio signals and could already be hidden in the software of the EVMs today.

Q: But I watched the election officials perform a mock poll, and that was fine.
A: It would be easy to program a dishonest EVM or EVM component so that the manipulation is only performed after voting has been going on for a long time, or if the total number of votes is in the hundreds. That way, simple mock polls will show the proper results, but all the final election results will be manipulated.

Q: Your video shows a mobile phone signaling to the EVM, but mobile phones are not allowed at polls and counting.
A: We are merely proving that we can send the signal wirelessly. Attacks could use many other forms of radio signaling, such as opener that sends the signal. Wireless devices are extremely easy to conceal and could be secretly carried into polling places in countless ways.

Q: How can the EVMs be as insecure as you claim while the Election Commission of India says they are "infallible" and "perfect"?
A: Until now, the EVMs have not been subjected to rigorous, independent, public scrutiny. Claims that the EVMs are "perfect" and "infallible" are not based on verifiable arguments. If the Election Commission disagrees with our claims, we look forward to a proper scientific debate based on credible, published evidence.

Q: The Election Commission has hired scientists too. How do we know you are right and the Election Commission is wrong?
A: The Election Commission's two expert committee reports were rather minimal and were performed by scientists with no apparent electronic voting security credentials. These studies were conducted without access to the machines' source code and relied on presentations and site visits with the manufacturers. In contrast, we performed our own experiments with a real machine and demonstrate working attacks.

Q: Haven't you just made our secure EVMs insecure by publishing this?
A: No. The fact that the election authorities have not allowed public scrutiny of the security of EVMs doesn't make them secure. There are more than 1.4 million EVMs in India, and criminal attackers would likely have less difficulty getting access to a machine than we did. Unlike actual criminals, we are working to inform the public about the security problems we found.

Q: Can the problems with EVMs be fixed?
A: Not easily. The entire class of voting systems to which these EVMs belong has inherent problems that stem from a lack of transparency. They force voters to trust software and hardware without proper means of verification.

Q: Surely there must be something we can do to enhance security?
A: The Election Commission likes to speak of "checks and balances", with various procedures believed to make fraud harder. Drastically improving procedures might make some kinds of fraud more difficult, but cannot eliminate the risks we describe. For EVMs to be used, the people of India would need to continue to place trust in an election technology that they cannot observe.

Q: Can you help me investigate suspected fraud in the recent election in xxxx ?
A: Regrettably, probably not. If our research shows something, it is that for the concerned citizen there is very likely to be nothing to observe, study and/or investigate (either before, during or after the election) that would allow anyone to tell the difference between an honest and a dishonest election. That means you are left either trusting or not trusting your election, with no hard facts to guide you. We know that this is not a satisfactory answer, which is exactly why this type of voting machine should be abolished.

Q: Why shouldn't India be at the forefront of technology?
A: We are technologists with a deep passion for things technical, but we also see the limitations of technology. These electronic voting machines have replaced decidedly imperfect but observable paper ballots with insecure and completely non-auditable technology.
Germany and the Netherlands are modern democracies. They both used electronic voting machines of the same basic type as used in India. In the Netherlands, almost 100% of voters used these machines, but when it was discovered that these machines had severe security problems and that there was inadequate transparency, the machines were abolished and paper ballots were reintroduced. Technological advance is not just about adopting the latest new inventions. Innovation also lies in the ability to take a second look and examine whether what seemed like a good idea ten years ago is still a good idea today.

Q. Where can I find more information about the EVM debate in India?
A. An Indian citizens' group called VeTA maintains a web site advocating election transparency. Our research is independent from VeTA, but we find their site to be generally informative about the e-voting debate in India. It can be found at