Manufacturer of India’s EVMs says its products can be hacked

16

After establishing the possible nexus between the beneficiaries of Gujarat Gas Scam and the manufacturer of microchips used in EVMs, Janta Ka Reporter investigated into the so-called unbreakable security features of EVMs. At least that’s what the technical paper provided on the Election Commission of India’s website claims.

EVMs

It appears that knowingly or unknowingly, the EC has made false declarations to the people of India and, in the process, could also have misled the Supreme Court regarding the infallibility of EVMs.

As per the microchip manufacturer, Microchip Inc, their products are open to hacking, tampering and cloning. That, as per the manufacturer’s deposition in the US Court of Law, sharing of machine code (object code) is akin to sharing source code of a computer programme. The EC’s claims that the source code is protected is, therefore, also false.




The EC has stated many security features that protect the EVMs from possible hacking or tampering:

EVM Safety and Security Features (Extract page 13 subparagraph I, ii & v and page 14 subparagraph vii)

  1. EVM used by the Commission is a stand-alone non-networked, one time programmable (OTP) machine, which is neither computer controlled, nor connected to the internet or any network; and hence, cannot be ‘Hacked’.
  2. The machine is electronically protected to prevent any tampering/manipulation. The programme (software) used in these machines is burnt into a One Time Programmable (OTP)/Masked chip so that it cannot be altered or tampered with.
  3. After successful completion of such evaluation, machine code is given to the micro controller manufacturer for writing in the micro controllers. From this machine code, the source code cannot be read. Source code is never handed over to anyone outside the software group of PSUs.

vii.       The source code for the EVM is stored under controlled conditions at all times. Checks and balances are in place to ensure that it is accessible to authorized personnel only.

Janta Ka Reporter delved into the product details and its security features as guaranteed by the manufacturers. The Microchip Inc, USA, which is one of the EVM microchip manufacturers, clearly states that their product (microchip, MCU, semi-conductors etc) can be hacked and they can be tampered with or modified. OTP/Masked or burnt chip is not unbreakable technology and same should be accepted by the EC. The company’s statements are as follows:

CODE PROTECT: Microchip products meet the specification contained in their particular Microchip Data Sheet. Microchip believes that its family of products is one of the most secure families of its kind on the market today, when used in the intended manner, to the stated specifications and under normal conditions. There are dishonest and possibly illegal methods used to breach the code protection feature. All of these methods, to our knowledge, require using the Microchip products in a manner outside the operating specifications contained in Microchip’s Data Sheets. Most likely, the person doing so may be engaged in theft of intellectual property. Microchip is willing to work with the customer who is concerned about the integrity of their code. Neither Microchip nor any other semiconductor manufacturer can guarantee the security of their code. Code protection does not mean that we are guaranteeing the product as “unbreakable.”




Clearly, as per the manufacturer, their product is not 100% secure.

The second aspect of the EC claim that the source code is protected and has never been shared with any foreign vendors is also far from the truth. That unauthorised access of the source code to EC’s acceptance would make EVM very vulnerable. However, the EC did convert the source code into machine code (Object Code) before handing it over  over to the manufacturers for imprinting the code on the microchips in bulk production.

This claim by the EC is false because, as per the manufacturer Microchip Tech Inc’s declaration in the US Court in 2002, it said that the source code and object code were “two representations of the same computer program.(sic)” 

In the law suit, the manufacturer had reported that a Taiwanese company was manufacturing UNAUTHORISED CLONE of PIC 16C5x microcontrollers. To the acceptance of the manufacturer, Clones of its product existed in the market and could, therefore, exist in the market even today.

 

The parties’ dispute began in 1992, when Microchip came to believe that Syntek had begun to make and sell unauthorized clones of Microchip’s PIC 16C5x microcontrollers in Taiwan.

“Microchip’s PIC 16C5x microcode is a computer program. Computer programs are works of authorship entitled to protection under the Copyright Act. 17 U.S.C. § 101, 102. The Copyright Act defines a computer program as “a set of statements or instructions to be used directly or indirectly in a computer in order to bring about a certain result.” 17 U.S.C. § 101. Computer programs can be expressed in either source code or object code.   “Source code is the computer program code as the programmer writes it, using a particular programming language.” Compendium of Copyright Office Practices, § 321.01. Source code is a high level language that people can readily understand. “Object code is the representation of the program in machine language [binary] ․ which the computer executes. Id. at § 321.02. Source code usually must be compiled, or interpreted, into object code before it can be executed by a computer. Object code can also be decompiled into source code. Source code and object code are “two representations of the same computer program. “



16 COMMENTS

  1. Pressure must be kept on the EC , the BJP govt and PSU manufacturers. One or all of them are going to break down immediately after 18 th Results. I wish i had the power to assemble 1 cr people surroung the Counting centre and after the counting taking over all the EVMs for checking with VVPAT. This time we shd not even obey govt , EC or even SC order.

  2. obviously, as election commissioner 2 has been appointed by mr modi.
    1st time in india cec is not acting unbiased with an independent mind

  3. Multiple assumptions:

    1) The Microchip Inc, USA is one such company who does this. Their product might be hackable
    2) Source of the statement.

    Last but not the least to our reporter friend, if I change microcontroller, I change chip which means I change hardware. If you change hardware nothing is secure. I can as well keep a new fraudulent machine.

  4. Without further commotion, the EC should conduct elections in both ballot paper and EVM and tally the resukt. Only then, people may have confidence

  5. Is India such a sleeping country, that nobody goes to Supreme Court with this information ? That Supreme court is unaware that in Germany they went back from Evm to paper ballots and Germany is far far more developed electronic nation than us. So are Japan and Isreal that still use paper ballots.

    Can Supreme Court explain why more advanced nations still rely on paper ballots ?

    Just because a few goons loot ballot boxes you dont stop using them. U tell the world that in 21 st century India you cannot prevent looting of ballot boxes under your paramilitary forces.

  6. That’s all left to do for AAP Delhi Dialogue Commission: Complain, complain and keep doing after every election. Instead of developing merit to win, losing and complaining everywhere. The positive impact of good work AAP is doing in Delhi, is nullified by the negative attitude towards other parties, governments and the constitutional bodies like Election Commission.

  7. EC keeps denying the VVPAT count, thats where people believing in manipulation and thats correct as well. EC should come forward and get people faith if they are right!

  8. Why were Microchip controllers used? Controllers need not be reprogrammed, new ones can be put in. It is done in Weighbridges to pass overload trucks by using software in Intelligent Terminals that allow manual entry of decided weight, not what is measured by Weighbridge. People know who sell such units

    Give me one unit, I may tell you if it can be hacked. And how. Put all on net

  9. The units also do not operate in Indian temperatures as per new news. Obviously cheap commercial grade chips/ components used, not even Industrial grade.

LEAVE A REPLY

Please enter your comment!
Please enter your name here