Wind the clocks back to 2010. At 5 am, a day after his 16th wedding anniversary, police arrested Hari Prasad from his house in Hyderabad. They had him in custody for eight days. Why? He had just made history in India
Hari Prasad, Alex Halderman & Rob Gongrijpp had just hacked an Electronic Voting Machine.
Fear? (laughs) No. I don’t care about my life. When you’re working for the nation, the kind of valour that you get inside is different. It gives you a lot of strength you know?Hari Prasad, Technologist, Advisor to the Andhra Pradesh Goverment
After the hack, they wrote a paper and released a video showing how they did it.
Now with the 2019 elections approaching, we spoke to Hari Prasad.
Listen to the full story. Click on the player below:
Can an EVM be hacked? How can it be done?
There are several stages at which a criminal can attack these machines. One maybe at the origin itself, where a large-scale manipulation can happen without even knowing about it.
Like, if something is happening inside the machine, you’ll not even come to know. The chips that they’re buying today, they’re buying from a company in Japan and a company in the USA. Maybe with their history and all, you may say they’re the most reputed company so we’re believing them.
You write all those points out, I demand the election commission, these are those stages where we believe these machines will be secure. They have to mention that. They have to make it public, to the public, so that people know that where all this government or this Election Commission (EC) went by trust.
EVMs or their parts can be manipulated after the manufacturing stage itself, by adding or tweaking parts to do what an attacker wants. An attacker can do this months or even years in advance.
He goes on to tell me about how he saw an article in a leading daily claiming that the country will get new M3 EVMs which are “secure and unhackable”.
All that is fine when an attack comes from outside. But when an insider is compromised, what then? You’re calling them secure, while believing in the code inside, over which you have no grip. The other “security” is the checks and balances you’ve spread across lakhs of offices across the field, in the complete belief that everybody is sincere to their job.Hari Prasad
Prasad is a technology and software security expert. Alex Halderman is a professor of computer science and engineering at the University of Michigan. Rob Gonggrijp is a Dutch hacker who worked with Julian Assange on WikiLeaks in 2010.
How did the three of you get your hands on an authentic Electronic Voting Machine?
What happened is, somebody called me up, who is part of the election commission and said, “I want to get you an EVM. You’re claiming you can hack it. Will you be able to do it if we give [you] an original machine?”
We said yes. We were so excited because we already saw something and had an idea about how it can be done, so we said yes.
Once they got their hands on the EVM, their next step was to execute an attack. With 24 hours on their hands, they began cracking at it.
How did you go about the hack?
We demonstrated two of the loopholes, one was how to attack a display unit, in which the display is the only way to show the result, and the people all have to believe whatever is shown on the display. We simply had to put something as a man in the middle. That’s when everyone was talking about wireless or Bluetooth.
It’s not required that only wireless or Bluetooth be used. You can use any RF (radio frequency), so, we used the simple chips that we had on hand.
And the other thing we did was demonstrate how to manipulate the memory. We tried to demonstrate that the memory chip that’s used is also unsecured and it’s very simple to change the votes in the memory.
In fact, we also managed to show the votes that were cast, which means you can actually extract that data as well. There were other vulnerabilities in the machine as well, which we didn’t get time to explore.
What did you do after the hack?
We immediately wrote a paper about the vulnerabilities and released it. After that I went to the news channel, TV9, which is a famous news channel in Andhra Pradesh, and presented the video. We took the video in such a way that we demonstrated the Machine’s control unit’s number.
Why?
Because the Election Commission began saying that this is not our machine, that it’s a lookalike. That’s the reason we wanted to make it clear that this is machine belonged to the Election Commission.
After that they filed a case against me saying that the machine was stolen. In fact, the machine was sent back to them and it went to the same place from where it came. The only request from the person who sent us the the original EVM was not to disclose their name.
Police arrested Prasad from his house, at 5 am on 21 August 2010. Barely a day after his wedding anniversary. Prasad was only in custody for eight days. But eight days in police custody can do a lot to a man’s life.
What happened after your arrest?
I was held for eight days. After that, I was released on bail. In the bail order, the judge praised me saying that if what this guy has done is wrong, then the Election Commission has to prove some malicious intent on my part. They said that I should be rewarded. In fact, the order said that I should be rewarded, for exposing the loopholes and the flaws in the machine.
‘I suffered because of the 2010 incident. I lost about four and a half years of my professional career because no engineer was ready to work with me. I lost orders from my clients also. The software industry is a sensitive industry, you know. In fact, I stepped out of technology and went into real estate to survive.’
After that incident, police started coming to our office and started questioning all our engineers asking them what they tried to touch in the machine, what they tried to meddle with the machine, this kind of stuff will scare the engineers and they will run away. I actually had to virtually shut down. The same thing can happen to others also, if at all they raise their voice.
Did you ever fear for your life or your family’s lives?
Fear? (laughs) No. I don’t care about my life. When you’re working for the nation, the kind of valor that you get inside is different. It gives you a lot of strength you know? You’ll enjoy when you’re fighting for your country. I never cared about such kind of threats. Or I got such kind of threats. When I heard Shuja (Syed Shuja) saying that so many people got killed and all. I heard it’s a drama and he’s duping everyone. I don’t think we have such kind of, what you call...I don’t know.
The stakes are very high, and you can’t rule it out also, but I never faced any such kind of threats.My family doesn’t like it because they’re so scared.
Because they saw the police come from Mumbai and pick me up from my house at 5 am. 20th was the day of my marriage, and the next morning they picked me up from my home. And my wife was so scared. Any time somebody brings up this topic and somebody takes my name she gets worried. Because those eight days. It was only eight days, but for her, those eight days were hell.
Because people from outside were saying stuff like they may not leave him, they may kill him and all these kind of cinematic scripts will come to her right? Maybe that’s why the family was worried. I never bothered though. Till the time I never did anything wrong, or motive, I always feel that what I did is right and I stand by it.
Can VVPATs offer an alternative?
The Election Commission called us to demonstrate the VVPAT system some time around 2014. We gave our feedback saying that the present mechanism doesn’t completely suffice, because the VVPAT machine doesn’t give control to the voter to see whether what’s printed is right or wrong.
I mean to say the option to validate what the VVPAT has printed, does not exist.
Today it’s been observed that more than 80-90 percent people don’t observe what happens in the VVPAT.
In the surveillance cameras it was observed that people don’t wait to see the vote that’s printed out. They just press the button and come out. They don’t wait there to see whether it’s correct or not. Very few people are staying to see it.
That way, the whole purpose of introducing VVPAT to tackle the problem, fails.
On the other hand, if the contestant expresses suspicions, the Election Commission tells them to go to court and get a court order to recount the votes. This is a tedious process, and many people give up because of the long time and process. Many a time, a candidate is disqualified well after their tenure has ended.
How can EVMs be made secure?
To steal an election you don’t need to steal all the machines, you don’t need to manipulate all the machines. Manipulating even 10 percent of the machines is enough. Forget win or lose, even if one machine is hacked, then the entire technology is unfit for election. That’s what we have to consider.
It has to be 100 percent secure and transparent. This is what I have to say. So, I, even today, when the EC is claiming that they’re secure, I say, “Make it transparent so that you can shut down people like Hari Prasad.”
Make the entire architecture open. Put all the steps. Let the people question you. If at all you’re wrong. That’s called transparency.
Secrecy is not a process of securing democracy. Ballots have to be secret, not the process.
They are trying to make the process secret, which is completely denied from the beginning, by us. And if you take the recent elections, after the VVPAT. What you have to observe is, see the patterns before VVPAT and after VVPAT. There are many issues that have come out after VVPAT.
The citizens of the country need a free and fair election. Not just by some sort of confidence or trust. They can’t simply trust that because the Election Commission has said a machine is secure you believe they are secure. You have to witness that they are secure. And that can happen only if you keep everything open.
(With inputs from The Economic Times and IndiaEVM.org)
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)