Are VVPAT machines really hackable? Response to allegations made by ex-IAS Kannan Gopinathan

Let us first make explicit our intentions in writing this response to the allegations against the EVM-VVPAT combination.

We are all aware of the controversies surrounding EVMs when they were first introduced. Since EVMs are electronic devices that contain something resembling a processor, there was a lot of hue and cry about the possibility of their being hacked.

Control unit and ballot unit, source:ECI

But the contentions regarding hacking were based on an incorrect understanding of what happens inside an EVM and what it is made of. EVMs do not in any way work like desktop computers or even microprocessor-based devices. Once they are programmed during the manufacturing process, there is no means by which they can be reprogrammed to make them behave as someone else wants. An EVM is more like a non-programmable calculator, built from a very basic set of electronics that in no way resembles modern computers or programmable devices. Moreover, EVMs and the Ballot Units used along with them are standalone units that are not connected to external devices through which they could be manipulated (they cannot be manipulated in the first place), nor do they have hardware enabling wireless communication. Even many from the opposition parties accept this, assuring us that EVMs are "calculator-like devices" that cannot be hacked.

It is such misunderstandings, created by flawed arguments, that we wish to dispel in this article.

This article cannot be an exhaustive technical analysis of the details behind the EVM or the VVPAT, for two reasons:

1. It is intended for the general reader.

2. The ECI has not published schematics of either the EVM or the VVPAT, for obvious reasons. So we can go only by what the ECI has stated in the public domain.

Now, the main argument is against the VVPAT machine, which was added as a means for the voter to verify that the machine has indeed cast the vote for the candidate they intended. The VVPAT machine contains information about the list of candidates in the constituency, their symbols and how they have been arranged on the Ballot Unit. So, by checking the printout from the VVPAT machine, one can verify that the Ballot Unit and the whole voting process worked the way they were intended to. But the critics bring a few things to our notice which they think are major vulnerabilities of the VVPAT machine, and which, combined with the EVM and Ballot Unit duo, would compromise the whole election process if their accusations were factually correct.

Configuration of CU, VVPAT and BU, source:ECI

Let's sum up the main charges against the VVPAT and the EVM-VVPAT-Ballot Unit trio.

1. VVPAT is a patchwork on the existing system.

2. Since the VVPAT sits between the Ballot Unit and the Control Unit, it can influence what goes into the Control Unit, i.e., the information about the vote.

3. VVPAT is not a standalone device, since it is connected to external devices during symbol loading.

4. Since it is not a standalone device, it is prone to being hacked.

So, the main point against the VVPAT is that, since it sits between the CU and the Ballot Unit, anyone who somehow hacks the VVPAT by tampering with its "programmable memory" can sabotage the whole election process and get the system to register votes for whomever the intruder wants. The critic states that this tampering can be done when the data containing the candidate list, symbols etc. is loaded into the VVPAT using laptops or other compatible devices, like symbol loading jigs.

Now, the statement that the VVPAT sits between the CU and the BU is correct, as one can see from the diagrams provided by the Election Commission of India. While previously it was the cable from the BU that connected to the CU, the cable from the BU now goes to the VVPAT, and a second cable from the VVPAT, similar to the BU-CU cable in the old arrangement, connects to the CU. There is nothing doubtful about this. It is the interpretative arguments about the VVPAT and the connections involved that we wish to analyze.

Interconnections of VVPAT, CU and BU, source:ECI

To begin with, the purpose of the VVPAT was to bring more transparency to the voting process through electronic means. The voter, unlike before, now has a secondary means of visual verification: a paper trail that shows the candidate they voted for. Since a certain percentage of VVPATs are verified at the end of the election process, by matching them against the votes cast on the EVMs, it is not possible by any means to tamper with the election process, precisely for these two reasons:

1. VVPATs are verified by the voters at the time of the election.

2. VVPATs are verified after the election is over, too.

In essence, the VVPAT has brought more transparency and a greater trust factor to the election process.


What is VVPAT, source:ECI


Next, many from the opposition parties, as well as analysts, claim that the VVPAT machine is a very complex digital system that is prone to hacking. They also say it contains device drivers, such as those that would be used to actuate individual components like printers, photodiodes etc. In effect, they compare the whole VVPAT to a general-purpose mini computer. This is where the whole argument is erroneous. Simple machines such as standalone printers that are not normally connected to computers, and are meant for very specific purposes such as a token machine or a billing machine, run on what are called Application Specific Integrated Circuits (ASICs). What this means is that the IC used has been pre-programmed, much like the one-time-programmable EVM. ASICs are not reprogrammable, in the sense that you cannot change the code they run.

Features of ASIC, source: sciencedirect.com

Malware can affect only those systems that resemble general-purpose computers, which run an operating system and have features like RAM. The only thing an ASIC-based printer is designed to receive from an external device is the information about what it should print. Just as a token machine can be *programmed* to alter the content it is supposed to print by using a custom-made application, the VVPAT too is most likely designed around an Application Specific Integrated Circuit, and the only thing one can change is what it prints, which is done by ECIL engineers before the elections using symbol loading jigs or laptops, as we have been told by the ECI. The code it runs cannot be changed, since it should ideally run on an ASIC. We can simply disregard the allegation that the VVPAT is hackable by noting that it should ideally run on an Application Specific Integrated Circuit designed to carry out a specific task, here printing and acting as a bridge between the BU and the CU, and that its code cannot be accessed or changed.

This method of loading external data is also used in setting the Real Time Clock inside the Control Unit using time-setting jigs. Here too, the OTP (One Time Programmable) chip inside the Control Unit has been pre-programmed to receive information about the time and date, just as the VVPAT receives the information about candidates using symbol loading jigs or laptops running the symbol loading application made by ECIL. So, merely connecting the EVM to an *external device* cannot change the code it runs. The same logic applies to the VVPAT running on an application specific IC, much like that of the EVM Control Unit.


Uploading date and time in CU using Jigs, source:ECI

The ECI also mentions that newer models of EVMs are encrypted down to the hardware level, so that only ECIL/BEL components can be interconnected. This further weakens the argument that any type of tampering is possible. The ECI also states that these machines are not *standalone* in the strictest sense, but need to be occasionally interfaced with ECIL/BEL certified components for data upload, inspection etc.


Salient features of EVMs, especially the latest M3 model, source:ECI

Now, since the ECI has not yet released the internal schematics of either the EVM or the VVPAT, our argument about the VVPAT should hold just as well as that for the EVM.

Just as the EVM ideally runs on a One Time Programmable chip which is not hackable, the VVPAT too, like other special-purpose printers, should run on an Application Specific Integrated Circuit which is not *reprogrammable* in the strictest sense of the word, and hence is not hackable like a general-purpose computer that runs an operating system and has accessories like RAM.

Critics make another accusation: that the introduction of the VVPAT into the system is a patchwork which has compromised the security of the election process, because a "programmable" device is "sitting in" between the Control Unit and the Ballot Unit.

But this philosophy of "cascading" multiple devices has always been there in the election process, right from its introduction. For instance, when the total number of candidates in a constituency exceeds 16, the maximum number of keys on a single Ballot Unit, additional units are cascaded, i.e., connected in series. The connection is shown below.

Connection for cascading of multiple ballot units, source:ECI

So, to cast a vote for, say, the 20th candidate, the voter has to use the second Ballot Unit, and the signal passes through the first Ballot Unit to the EVM.

Rear view of CU, showing connector compartment, source:ECI

Now, since ASIC-based devices are themselves not "reprogrammable/hackable", the new arrangement devised by the designers, Ballot Unit-VVPAT-Control Unit, is no different from the old Ballot Unit-Ballot Unit-Control Unit arrangement, since we have argued that the VVPAT is not hackable and the only variable inside it is the data for printing.

Cascading of ballot units, source:ECI

Based on this too, we can conceptually dispel the allegation that the signal given out by the Ballot Unit is prone to manipulation by the processor inside the VVPAT. For one thing, you cannot change the code of an ASIC-based machine. Second, such a transfer of data, like that already employed in the cascading of Ballot Units, can be implemented with a simple timed latch, another non-programmable component.

Now, coming to the uploading of symbols. What the critics say is in concordance with what the Election Commission of India tells us: that symbols and other information are uploaded via laptops or other symbol loading machines. But the ASIC on which our VVPAT should ideally run, like any other ASIC, will treat this just as data and not as code, because ASICs are non-reprogrammable in the first place.

This means that the worst one can do to an ASIC-based VVPAT is to get it to print something crazy. But this is an explicit error and would be noticed by the voters. Such attacks on printers have occurred in the recent past, as in the case shown below, where printers whose ports were open to the internet were tricked into printing random material.

A recent malware attack on printers
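To make the data-versus-code distinction of the preceding paragraphs concrete, here is an added illustrative model written for this article; it is not ECIL/BEL firmware and not code from the ECI. The class, the message format, the cap on cascaded units and the sample candidate table are assumptions or constructed values (the 16-key limit per Ballot Unit is from the text). The model shows the two things the argument rests on: a tampered symbol table changes only what the slip says, never the key code forwarded to the CU, and the wrong slip is exactly what a voter comparing the slip with the Ballot Unit label would notice.

```python
"""Illustrative model of a fixed-function VVPAT bridge (written for this article,
not ECIL/BEL firmware).  The printing and forwarding logic is fixed; the only
state a symbol loading jig can change is the candidate table, and that table is
validated as data when it is loaded."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

KEYS_PER_BALLOT_UNIT = 16   # from the article: at most 16 keys per Ballot Unit
MAX_CASCADED_UNITS = 4      # assumption for this model: cap on cascaded BUs


class SymbolLoadError(ValueError):
    """Raised when a candidate table is rejected at load time."""


@dataclass(frozen=True)
class Candidate:
    serial: int      # key position across the cascaded Ballot Units (1-based)
    name: str
    symbol: str


class FixedFunctionVVPAT:
    def __init__(self) -> None:
        self._table: Dict[int, Candidate] = {}

    def load_symbols(self, candidates: List[Candidate]) -> None:
        """Accept a candidate table from the loading jig.  Every field is checked as
        data; nothing in the table is ever interpreted as an instruction."""
        table: Dict[int, Candidate] = {}
        for c in candidates:
            if not 1 <= c.serial <= KEYS_PER_BALLOT_UNIT * MAX_CASCADED_UNITS:
                raise SymbolLoadError(f"serial {c.serial} outside key range")
            if c.serial in table:
                raise SymbolLoadError(f"duplicate serial {c.serial}")
            if not c.name.strip() or not c.symbol.strip():
                raise SymbolLoadError(f"empty name or symbol for serial {c.serial}")
            table[c.serial] = c
        self._table = table

    def on_keypress(self, key_code: int) -> Tuple[str, int]:
        """Print a slip for the pressed key and forward the key code unchanged.
        Returns (slip text, code forwarded to the CU)."""
        cand = self._table.get(key_code)
        if cand is None:
            slip = f"ERROR: no candidate loaded for key {key_code}"
        else:
            slip = f"{cand.serial:02d} {cand.name} [{cand.symbol}]"
        return slip, key_code


# Constructed sample data: the labels physically fixed next to the BU keys.
BALLOT_UNIT_LABELS: Dict[int, Tuple[str, str]] = {
    1: ("Candidate A", "sun"),
    2: ("Candidate B", "tree"),
    3: ("Candidate C", "bicycle"),
    20: ("Candidate T", "lamp"),   # the 20th key sits on the second, cascaded BU
}
SAMPLE_CANDIDATES = [Candidate(s, n, sym) for s, (n, sym) in BALLOT_UNIT_LABELS.items()]


def voter_check(key_code: int, slip: str) -> bool:
    """What the voter does behind the screen: compare the slip with the BU label."""
    name, symbol = BALLOT_UNIT_LABELS[key_code]
    return slip == f"{key_code:02d} {name} [{symbol}]"


def swapped_table(candidates: List[Candidate], a: int, b: int) -> List[Candidate]:
    """Constructed tampering: a loading job that exchanges the names of serials a and b."""
    by_serial = {c.serial: c for c in candidates}
    out = []
    for c in candidates:
        if c.serial == a:
            out.append(Candidate(a, by_serial[b].name, c.symbol))
        elif c.serial == b:
            out.append(Candidate(b, by_serial[a].name, c.symbol))
        else:
            out.append(c)
    return out


def demonstrate() -> Dict[str, object]:
    """Run the honest and the tampered table through the same fixed logic."""
    honest = FixedFunctionVVPAT()
    honest.load_symbols(SAMPLE_CANDIDATES)
    slip_ok, code_ok = honest.on_keypress(2)

    tampered = FixedFunctionVVPAT()
    tampered.load_symbols(swapped_table(SAMPLE_CANDIDATES, 2, 3))
    slip_bad, code_bad = tampered.on_keypress(2)

    return {
        "honest_slip_matches_label": voter_check(2, slip_ok),
        "tampered_slip_matches_label": voter_check(2, slip_bad),
        "forwarded_codes_equal": code_ok == code_bad == 2,
        "tampered_slip": slip_bad,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The point of `demonstrate()` is the third result: whatever the loading jig put in the table, the code handed to the CU is the key that was pressed, because the forwarding path never reads the table at all.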

So the only kind of printers that are hackable, at least to this level, are hobby-based ones such as the one shown below, which run on programmable microcontroller-based platforms. But it would be naive to think any serious designer would go for such a design.

A hobby project


Above all of this, as said at the beginning, the Control Unit of an EVM attaches a time stamp to each and every vote cast, using a Real Time Clock (RTC). The presiding officer registers the sequence of voting too. The voting process is monitored by CCTV surveillance as well. So, during VVPAT matching, any discrepancy that crept in due to possible hacking can be found. This verification of the VVPAT itself debunks the argument that the election process can be rigged by employing malware. In fact, the VVPAT has provided more transparency in the voting process and has elevated the trust that common people would ascribe to elections conducted through electronic means.

Time stamping in EVMs, source:ECI
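The two verification steps the article relies on (voters checking slips during polling, and post-poll matching of VVPAT slips against the Control Unit's tally, sequence and time stamps) can be written out as a reconciliation check. The following is an added example written for this article, not ECI procedure or software: the record formats, the assumption that slips can be compared in the order they were printed, and the sample station are all constructed. It also goes slightly beyond the text by computing, for a random audit of a given size, the chance that at least one tampered station lands in the sample, which is what makes "a certain percentage of VVPATs are verified" a deterrent rather than a formality.

```python
"""Post-poll reconciliation of a polling station's electronic record against its
paper trail.  Illustrative code written for this article; the record formats and
the sample data are constructed assumptions, not ECI formats."""

from collections import Counter
from dataclasses import dataclass
from math import comb
from typing import List


@dataclass(frozen=True)
class CUVote:
    seq: int          # running vote number, also registered by the presiding officer
    timestamp: int    # RTC stamp attached by the CU (assumed: seconds since poll opened)
    candidate: int    # key serial the CU recorded


@dataclass(frozen=True)
class PaperSlip:
    order: int        # order in which the slip was printed (assumed recoverable)
    candidate: int    # candidate serial printed on the slip


def reconcile(cu_votes: List[CUVote], slips: List[PaperSlip]) -> List[str]:
    """Compare the CU record with the VVPAT slips of one station.  Returns a list of
    human-readable discrepancies; an empty list means the records agree.  The check
    does not care how a discrepancy arose, only that the two records differ."""
    findings: List[str] = []

    if len(cu_votes) != len(slips):
        findings.append(f"count mismatch: CU has {len(cu_votes)} votes, {len(slips)} slips")

    # Per-candidate tallies must agree.
    cu_tally = Counter(v.candidate for v in cu_votes)
    slip_tally = Counter(s.candidate for s in slips)
    for cand in sorted(set(cu_tally) | set(slip_tally)):
        if cu_tally[cand] != slip_tally[cand]:
            findings.append(f"candidate {cand}: CU={cu_tally[cand]} slips={slip_tally[cand]}")

    # Sequence numbers must run 1..n without gaps and RTC stamps must not go backwards.
    ordered = sorted(cu_votes, key=lambda v: v.seq)
    if [v.seq for v in ordered] != list(range(1, len(ordered) + 1)):
        findings.append("sequence numbers are not a gap-free run from 1")
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.timestamp < prev.timestamp:
            findings.append(f"RTC went backwards between seq {prev.seq} and seq {cur.seq}")

    # Vote-by-vote comparison catches swaps that leave the tallies unchanged.
    for vote, slip in zip(ordered, sorted(slips, key=lambda s: s.order)):
        if vote.candidate != slip.candidate:
            findings.append(f"vote #{vote.seq}: CU recorded {vote.candidate}, slip shows {slip.candidate}")

    return findings


def detection_probability(total_stations: int, tampered: int, sampled: int) -> float:
    """Chance that a uniformly random audit of `sampled` stations (drawn without
    replacement) includes at least one of the `tampered` stations."""
    if tampered <= 0 or sampled <= 0:
        return 0.0
    none_hit = comb(total_stations - tampered, sampled) / comb(total_stations, sampled)
    return 1.0 - none_hit


# Constructed sample station: four votes, a clean CU record and a tampered one.
CU_RECORD = [CUVote(1, 30, 1), CUVote(2, 95, 3), CUVote(3, 140, 1), CUVote(4, 210, 2)]
CLEAN_SLIPS = [PaperSlip(1, 1), PaperSlip(2, 3), PaperSlip(3, 1), PaperSlip(4, 2)]
# Same slips, but this CU record claims vote #3 went to candidate 2 instead of 1.
TAMPERED_CU_RECORD = [CUVote(1, 30, 1), CUVote(2, 95, 3), CUVote(3, 140, 2), CUVote(4, 210, 2)]


if __name__ == "__main__":
    print("clean station:", reconcile(CU_RECORD, CLEAN_SLIPS))
    print("tampered station:", reconcile(TAMPERED_CU_RECORD, CLEAN_SLIPS))
    print("P(detect) with 5 of 100 stations tampered, 5 audited:",
          round(detection_probability(100, 5, 5), 3))
```

Two design choices are worth noting. The tally comparison alone would miss a pair of votes swapped between two candidates, which is why the vote-by-vote pass is kept; and the time-stamp check is the one the text's RTC argument rests on, since a station whose record was rewritten after the fact has to produce a sequence and clock trail that still looks monotonic.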



So, the critics' arguments about the VVPAT philosophy are both counter-intuitive and wrong.

The VVPAT has brought more transparency to the election process, since votes cast are now verifiable. The use of the VVPAT itself knocks down the argument that these machines can be hacked without anyone noticing, since the voting process uses time-stamping and video surveillance.

VVPAT-like printers are not complex digital machines like programmable general-purpose computers in the strictest sense of the word. They run on Application Specific Integrated Circuits, the code of which is unalterable.

They need not contain executables like the device drivers you would see on operating-system-based platforms; the code has been pre-programmed into them.

Since ASIC-based machines like VVPAT printers do not contain an operating system or RAM, you cannot manipulate them using any kind of malware.

The Ballot Unit - VVPAT - Control Unit arrangement is essentially the same as the Ballot Unit - Ballot Unit - Control Unit cascading arrangement used in elections.

Here we may prove the equivalence of CU-BU-BU cascading and CU-VVPAT-BU cascading, since both the VVPAT and the EVM+BU are not reprogrammable/hackable.

Equivalency of CU-VVPAT-BU and CU-BU-BU connections

Even the data uploading into the VVPAT is in agreement with what is done in the Control Unit, for example the setting of the time using jigs.

Printers can only be hacked to the extent of being tricked into printing something else that they were not intended to, which would be obvious to the eye. Such cases have been reported worldwide, and happen mainly because their input ports were continuously exposed to the Internet or to a hacked computer.

In essence, these arguments apply only to general-purpose desktop computers or to hobby designs such as the one described above. (Hobby designs use custom programmable microprocessor-based platforms, like an Arduino Uno or Raspberry Pi.)

We would also like to point out that the VVPAT machine is similar to the Control Unit of the EVM in all respects, considering the arguments given above.


The statement that the VVPAT is a "patchwork" on the existing system is far from logically correct, even considering just the basic intentions behind incorporating the VVPAT machine into the existing system. The VVPAT was meant to function as a verification process within the existing scheme of things, and not as a correction to the old system. So, even by an elementary level of reasoning, it does not look like the designers would have compromised an otherwise perfect methodology just to incorporate a verification mechanism. If adding something like a printer might have dislodged its safety features, would such eminent designers have even gone for it? Now, this defense is by no means foolproof, for only a reasonable technical examination of the arguments, like that given above, would vindicate it.