Can EVM’s Be Hacked?- The Simple Answer Is Yes

Electronic Voting Machines (EVMs) have become a critical component of electoral processes worldwide. They are designed to ensure accuracy, efficiency, and security in voting. However, the increasing sophistication of cyber threats raises concerns about their vulnerability. This article delves into the security of EVMs, comparing them to other high-security systems, and investigates whether these machines can indeed be hacked.

High-Security Systems and Their Vulnerabilities

1. Bank Websites:
   • Security Measures: Banks implement multi-layered security protocols, including encryption, two-factor authentication, and continuous monitoring.
   • Hack Instances: Despite these measures, banks have been hacked. For instance, the Bangladesh Bank heist in 2016 saw hackers steal $81 million through the SWIFT payment system.
2. Mobile Devices by Google and Apple:
   • Security Measures: These devices use advanced encryption, secure boot processes, and regular security updates.
   • Hack Instances: High-profile cases like the 2016 San Bernardino incident, where the FBI sought Apple’s help to unlock an iPhone, demonstrate vulnerabilities. Tools like Pegasus have also shown the ability to hack these devices.
3. Government Websites:
   • Security Measures: Government websites employ robust security protocols and continuous monitoring.
   • Hack Instances: The 2015 data breach of the U.S. Office of Personnel Management exposed personal data of 21.5 million individuals.
4. CIA Website:
   • Security Measures: As one of the world’s most secure organizations, the CIA uses top-tier security measures.
   • Hack Instances: In 2012, the hacker group Anonymous claimed to have taken down the CIA website, illustrating that even the most secure systems are vulnerable.
5. Electronic Voting Machines (EVMs):
   • Security Measures: EVMs designed by the Technical Experts Committee (TEC) of the Election Commission in India, in collaboration with Bharat Electronics Ltd. and Electronic Corporation of India Ltd., employ stringent security measures including physical seals, secure software, and encryption.
   • Hack Instances: A 2010 report by the BBC detailed how U.S. scientists hacked India’s EVMs, demonstrating vulnerabilities.
6. Car Security Systems:
   • Security Measures: Modern cars use sophisticated security systems, including immobilizers and keyless entry systems.
   • Hack Instances: The 2015 Jeep Cherokee hack by security researchers Charlie Miller and Chris Valasek exposed vulnerabilities in car security systems, allowing them to control the vehicle remotely.
7. CCTV Cameras:
   • Security Measures: CCTV systems use encryption and secure network connections.
   • Hack Instances: Numerous instances of CCTV camera hacks, such as the 2016 Mirai botnet attack, have exposed vulnerabilities.

Comparative Analysis of EVM Security

• Design and Construction: EVMs are standalone devices, not connected to the internet, reducing the risk of remote hacking. However, physical access and tampering remain concerns.
• Global Perspective: Some advanced countries like England, Italy, and Germany have banned EVMs due to security concerns, opting for paper ballots to ensure transparency and trust in the electoral process.

Case Studies of EVM Security Breaches

• India’s EVM Hacking Incident: The 2010 BBC report highlighted how a team of scientists managed to hack an Indian EVM, raising serious questions about their security.
• Global Instances: In the U.S., concerns over the security of voting machines have led to rigorous testing and calls for paper audit trails to ensure election integrity.

Trust in Technology

Even highly advanced companies like Google, Apple, and Microsoft have experienced security breaches, highlighting that no system is entirely hack-proof. The collaboration between TEC, Bharat Electronics Ltd., and Electronic Corporation of India Ltd. in designing EVMs indicates a high level of technical expertise. However, the same level of scrutiny and skepticism applied to other secure systems should also be applied to EVMs.

Theoretical Methods to Hack EVMs

1. Physical Tampering:
   • Method: Gaining unauthorized physical access to an EVM and manipulating its hardware or software.
   • Example: Inserting a malicious device or chip that alters vote counts or disrupts the machine’s operation.
   • Mitigation: Secure storage, transportation, and constant monitoring of EVMs; tamper-evident seals and physical security measures.
2. Software Manipulation:
   • Method: Installing malicious software that changes vote counts or compromises the EVM’s operation.
   • Example: Writing a malicious code or modifying the existing software to alter vote records.
   • Mitigation: Use of secure software development practices, regular software audits, and encryption.
3. Side-Channel Attacks:
   • Method: Exploiting indirect information leakage (e.g., power consumption, electromagnetic emissions) to infer or manipulate data.
   • Example: Monitoring power usage patterns to detect vote casting or attempting to interfere with the machine’s processing.
   • Mitigation: Shielding EVMs from electromagnetic emissions, securing power sources, and conducting regular audits.
4. Supply Chain Attacks:
   • Method: Compromising components during manufacturing or distribution.
   • Example: Introducing vulnerabilities in the hardware or software at any point from production to deployment.
   • Mitigation: Implementing strict supply chain security protocols, vetting suppliers, and conducting thorough inspections.
5. Communication Interference:
   • Method: Exploiting any communication interfaces EVMs might have (e.g., during result transmission).
   • Example: Intercepting and altering data during transmission between EVMs and central servers.
   • Mitigation: Using encrypted communication channels, physical security during data transmission, and redundancy checks.
6. Insider Threats:
   • Method: Individuals with authorized access manipulating EVMs for fraudulent purposes.
   • Example: Election officials altering results or tampering with machines.
   • Mitigation: Implementing stringent access controls, background checks, and multi-person oversight.
7. Malicious Firmware Updates:
   • Method: Installing compromised firmware updates that alter the machine’s functionality.
   • Example: Introducing firmware that skews results in favor of a particular candidate or party.
   • Mitigation: Using secure update mechanisms, digital signatures, and version control.

Notable Instances of EVM Hacking and Vulnerabilities

1. United States:
   • DEF CON Voting Village (2017-2019):
     • Details: At the annual DEF CON hacking conference, hackers demonstrated vulnerabilities in several voting machines used in U.S. elections. They were able to hack into machines within minutes, revealing security flaws.
     • Impact: Raised awareness about the need for better security and led to increased scrutiny of voting machine security.
2. India:
   • 2010 BBC Report on EVM Hacking:
     • Details: Researchers from the University of Michigan, led by J. Alex Halderman, demonstrated how they could manipulate an Indian EVM to alter election results. The team showed that it was possible to replace the machine’s microcontroller and insert a malicious code.
     • Impact: Sparked debates about the security of EVMs in India and led to calls for greater transparency and security measures.
3. Germany:
   • 2009 Constitutional Court Ruling:
     • Details: The Federal Constitutional Court of Germany ruled that the use of EVMs in the 2005 Bundestag election was unconstitutional because the machines did not provide a way for voters to verify their votes independently.
     • Impact: Led to a ban on EVMs in Germany, emphasizing the need for verifiable and transparent voting processes.
4. Netherlands:
   • 2006 Hacking Incident:
     • Details: Dutch citizens’ group “Wij vertrouwen stemcomputers niet” (We do not trust voting computers) demonstrated how the Nedap/Groenendaal ES3B voting machine could be hacked to alter vote counts.
     • Impact: Resulted in the Dutch government deciding to abandon the use of EVMs and revert to paper ballots.
5. Ireland:
   • 2004 EVM Scrutiny:
     • Details: Concerns were raised about the security and reliability of EVMs purchased from the Netherlands. An independent commission found significant security flaws, leading to the abandonment of the EVM project.
     • Impact: The government spent over €50 million on EVMs that were never used, returning to the use of paper ballots.
6. Venezuela:
   • 2004 Recall Referendum:
     • Details: Allegations of fraud during the presidential recall referendum led to accusations that the Smartmatic voting machines used were rigged. Despite various audits, skepticism about the election’s integrity persisted.
     • Impact: The incident raised questions about electronic voting’s reliability in politically sensitive environments.
7. Philippines:
   • 2016 Election:
     • Details: Allegations surfaced that the Vote Counting Machines (VCMs) used in the 2016 elections were susceptible to tampering. There were reports of irregularities and discrepancies in vote counts.
     • Impact: Led to legal challenges and calls for a more secure and transparent electoral system.
8. Brazil:
   • 2018 Presidential Election:
     • Details: Although no conclusive evidence of hacking was found, there were widespread allegations and concerns about the security of Brazil’s electronic voting system. The election faced numerous accusations of potential vulnerabilities.
     • Impact: Increased pressure on the government to enhance the security measures of the electronic voting system.