EVMs: India’s Simplistic Security Brilliance
Well post-elections the EVM buzz all around the country seems to be forgotten, still as a naïve cybersecurity student the EVMs truly caught my attention.
We all have heard stories about how the Indian mind has successfully tackled and reached mars and moon through technological prowess, likewise we have also heard about the indigenous defense manufacturing strides made since independence but EVMs in my opinion stand as India’s most ignored and underrated technological brilliance.
Well to put it in cybersecurity context I would portray them as India’s simplistic security brilliance, henceforth a great case study to understand this philosophy and its implementation.
I anticipate that this could become a model and a referential benchmark for future of creating secure information systems and electronic solutions possessing similar needs.
While one would empathize to the magnitude of security issue that this has solved by analyzing global democracies and how even till date the so-called strongest and most powerful democracies have failed to innovate and implement a robust, hackproof e-Voting system.
Historical Context
Initially opposed as an idea by Late PM V.P Singh, the maiden EVMs ( Introduced for polls at the BEL Union Elections) were initially legislatively deployed during the assembly polls of Rajasthan, MP, and Delhi without any precedent during the ’98 general and assembly elections.
The EVMs have since then been drastically evolved and innovated, these have now been segregated based on the date of manufacture as M1 — ’98 based, M2–2010’s and the latest M3 — versions which are manufactured post 2013, though the core functionality-based approach remained the same yet contemplating to make it fairer and more tamper-proof they evolved keeping its core architecture intact.
- The M3 model differs from the other two, with that fact that the post-2013 now the machine code writing over the chips is now facilitated and possible at PSU premises, which was given to the chip manufacturer in the past.
- While M3 models were also accompanied with the peripherals getting added into this setup such as the VVPAT (Voter Verifiable Paper Audit Trail) which is basically a verification channel for the voters post casting to verify the admissibility of the right vote. Further allied to this something known as SLUs which are symbol loading units were also introduced.
- Due to lack of micro-controller producing facilities in India till date we import the MCU, typically the EVM utilizes the 8-bit Single-Chip H8/3644R Renesas Tech. manufactured MCU as per sources from the open domain.
Technical Deep-Dive
Understanding the EVM architecture and functionality granularly becomes primary to further understand the possible exploits and reverse engineering functions upon it.
The 3 core units of the modern M3 EVMs constitute as: Ballot Unit, Control Unit, and VVPAT.
Components of the Control Unit
- Main Circuit Board
- Renesas H8/3644-series Microcontroller (driven by an 8.8672 MHz crystal oscillator)
- Buttons for input
- Buzzer Subsystem
- Two Redundant EEPROM chips (Electrically Erasable Programmable ROM)
- Seven Segment Display
Components of the Ballot Unit
- Two Electrically Programmable Logic Devices (PLDs)
- Candidate Buttons allied to these PLDs
The highly secure software is permanently fused in an Internal Mask ROM, this is also sometimes referred to as OTP (One-time Programmable) based software i.e. burnt into the chip to make it unalterable and highly resistant reverse engineering-based hacks.
This would still seem to you as any normal electronic system setup but what features of this paradigm actually make the EVMs so unique?
The reason I refer to the EVMs as simplistic security brilliance is the fact that all the above-mentioned features are not technological revolutions but are rather based on standalone core components, which are orchestrated in a very beautiful manner without technologically over-exaggerating things and hence turning out to produce a perfectly scalable and viable result this is what simplistic security philosophy is to my understanding.
Let’s deep dive into the procedural aspects of how these components individually act so as to make this setup work:
1. Internal Mask ROM & OTP Chip: Tackling the Possibility of Reverse Engineering Exploits
- Mask ROM is a type of non-volatile memory where data is written during the manufacturing process of the semiconductor chip. The term “mask” refers to the photolithographic mask used to etch the circuitry of the ROM during chip production. The software is hard-coded into the chip and cannot be altered or reprogrammed after the manufacturing process.
- The term “mask” refers to the photolithographic mask used to etch the circuitry of the ROM during chip production. The data is hard-coded into the chip and cannot be altered or reprogrammed after the manufacturing process.
What exactly is photolithographic mask on internal ROM?
Masked ROMs produced through the photolithographic techniques are in the most simplistic manner are programs in machine code embedded purely and simply as 0s and 1s, this makes it highly resistant by design against any external post-fab manipulations. - Technically this process involves an extremely intricate design process of utilizing a patterned stencil over the silicon wafer.
Therefore, through this minute process established minute array like cells upon the semiconductor material substrate which act like memory cells for storing 0s/1s as bits.
While it must also be noted that it is economically much more feasible to get these masked units for largescale purposes like these. - The Reverse engineering process here is so tedious and near to impossible at such a scale, with the fact that just to understand the circuitry layout one needs high end manpower and specialized scanning electron microscopes (SEM).
- While one should never ignore the possibilities of reverse engineering investigations over such pre-dominant IC components post the ‘diesel-gate scandal ‘by the Volkswagen, which is an interesting result of a similar RE investigation.
2. Redundant EEPROM Chips for storage: Secure Storage
- Basically, utilized in usual electronic devices as components for peripheral data storage, which has uniqueness of being Electrically Erasable and Programmable (EEP).
- In-case of EVMs this becomes crucial as during the Demo stages (pre-election) the officials are supposed to stage multiple demo elections for scrutinizing the functionalities, and its accuracy hence this EEP feature facilitates this.
- Technically these are arrays of something known as floating gate transistors (Complex Electronic Term :), nowadays are available for multi-byte operations including electrically erasing through special signals.
- Further the unique redundant EEPROM setup in the EVM design allows dual storage of a single vote count hence identically storing such critical data like vote counts and configurations. This hence ensures highly synchronized write operations between EEPROM1 and EEPROM2 hence maintaining consistency and upholding utmost accuracy.
3. PLDs and No External Connectivity Slots: Simplistic and Standalone Communication
- The PLDs involved in here are basically minute ICs aimed at logic operations connected to buttons for signaling and other communications with the control unit from the ballot unit.
- Uniquely the entire EVM unit does not have any external interfaces or allied connectivity involved neither does these have the traditional debugging or JTAG ports hence make it withstand against any future perpetrations through these channels.
- Extreme Physical Sturdiness: Though not technical still a core part of this design philosophy
- Additionally, the EVM unit utilizes the sturdiest known plastics for outer packaging. (ABS and Noryl)
Unleashing Alleged Vulnerabilities
The 2010 paper jointly published by some popular west personalities (J. Alex Halderman-University of Michigan) and an Indian engineer named Hari Prasad was a comprehensive attempt to portray some allegedly practical vulnerabilities over the EVMs, but the ways which were suggested in there seemed to be illogical and ignored the high levels of physical security layer also manpower that guards these sacred machines.
Most of the suggested attacks in there like dishonest display attacks involved manipulating the design and structure of these EVMs which till date remains and sounds practically funny enough, similar are the other attacks portrayed like wireless signaling attack and etc.
Though this paper fueled up a huge debate in India which in-turn was a turning point in the EVM innovation journey as post this during the next decade since 2010 it enabled to further level up another layer of transparency by ideating the usage of VVPAT to counter any maliciousness involved into the EVM unit. Since 2019 elections the mandatory verification of VVPAT count has levelled up the transparency and accuracy of the EVMs.
The Gist
All in all, though this may seem distant to the core cybersecurity practices that we listen and hear about usually, but in true sense like the Karnataka High Court truly said “EVMs are a piece of technology that Indians should really be proud about.”
Further as a cybersecurity student what truly makes this peculiar is the simplistic approach towards modelling products and enabling security intrinsically into every component by design and by not making it a overlay fuss , this simplistic security philosophy is purely a security and technical brilliance.
Written by: Nitish Deshpande