Manufacturer of India’s EVMs says its products can be hacked


After establishing the possible nexus between the beneficiaries of the Gujarat Gas Scam and the manufacturer of microchips used in EVMs, Janta Ka Reporter investigated the so-called unbreakable security features of EVMs. Unbreakable, at least, is what the technical paper provided on the Election Commission of India’s website claims.

It appears that knowingly or unknowingly, the EC has made false declarations to the people of India and, in the process, could also have misled the Supreme Court regarding the infallibility of EVMs.

As per the microchip manufacturer, Microchip Inc, its products are open to hacking, tampering and cloning. Further, as per the manufacturer’s deposition in the US Court of Law, sharing machine code (object code) is akin to sharing the source code of a computer programme. The EC’s claim that the source code is protected is, therefore, also false.

The EC has stated many security features that protect the EVMs from possible hacking or tampering:

EVM Safety and Security Features (Extract page 13 subparagraph i, ii & v and page 14 subparagraph vii)

  1. EVM used by the Commission is a stand-alone non-networked, one time programmable (OTP) machine, which is neither computer controlled, nor connected to the internet or any network; and hence, cannot be ‘Hacked’.
  2. The machine is electronically protected to prevent any tampering/manipulation. The programme (software) used in these machines is burnt into a One Time Programmable (OTP)/Masked chip so that it cannot be altered or tampered with.
  3. After successful completion of such evaluation, machine code is given to the micro controller manufacturer for writing in the micro controllers. From this machine code, the source code cannot be read. Source code is never handed over to anyone outside the software group of PSUs.

  vii. The source code for the EVM is stored under controlled conditions at all times. Checks and balances are in place to ensure that it is accessible to authorized personnel only.

Janta Ka Reporter delved into the product details and the security features as guaranteed by the manufacturers. Microchip Inc, USA, which is one of the EVM microchip manufacturers, clearly states that its products (microchips, MCUs, semiconductors etc.) can be hacked, tampered with or modified. An OTP/masked or burnt chip is not unbreakable technology, and the same should be accepted by the EC. The company’s statements are as follows:

CODE PROTECT: Microchip products meet the specification contained in their particular Microchip Data Sheet. Microchip believes that its family of products is one of the most secure families of its kind on the market today, when used in the intended manner, to the stated specifications and under normal conditions. There are dishonest and possibly illegal methods used to breach the code protection feature. All of these methods, to our knowledge, require using the Microchip products in a manner outside the operating specifications contained in Microchip’s Data Sheets. Most likely, the person doing so may be engaged in theft of intellectual property. Microchip is willing to work with the customer who is concerned about the integrity of their code. Neither Microchip nor any other semiconductor manufacturer can guarantee the security of their code. Code protection does not mean that we are guaranteeing the product as “unbreakable.”

Clearly, as per the manufacturer, their product is not 100% secure.

The second aspect of the EC claim, that the source code is protected and has never been shared with any foreign vendors, is also far from the truth. By the EC’s own acceptance, unauthorised access to the source code would make EVMs very vulnerable. However, the EC did convert the source code into machine code (object code) before handing it over to the manufacturers for imprinting the code on the microchips in bulk production.

This claim by the EC is false because, in its declaration in the US Court in 2002, the manufacturer Microchip Tech Inc said that the source code and object code were “two representations of the same computer program.” (sic)

In the lawsuit, the manufacturer had reported that a Taiwanese company was manufacturing UNAUTHORISED CLONES of PIC 16C5x microcontrollers. By the manufacturer’s own acceptance, clones of its product existed in the market and could, therefore, exist in the market even today.


The parties’ dispute began in 1992, when Microchip came to believe that Syntek had begun to make and sell unauthorized clones of Microchip’s PIC 16C5x microcontrollers in Taiwan.

“Microchip’s PIC 16C5x microcode is a computer program. Computer programs are works of authorship entitled to protection under the Copyright Act. 17 U.S.C. § 101, 102. The Copyright Act defines a computer program as “a set of statements or instructions to be used directly or indirectly in a computer in order to bring about a certain result.” 17 U.S.C. § 101. Computer programs can be expressed in either source code or object code. “Source code is the computer program code as the programmer writes it, using a particular programming language.” Compendium of Copyright Office Practices, § 321.01. Source code is a high level language that people can readily understand. “Object code is the representation of the program in machine language [binary] ... which the computer executes.” Id. at § 321.02. Source code usually must be compiled, or interpreted, into object code before it can be executed by a computer. Object code can also be decompiled into source code. Source code and object code are “two representations of the same computer program.””
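
What "two representations of the same computer program" means in practice can be shown with a short added example (not part of the original article, and not EVM or Microchip code): a decoder that turns 12-bit PIC 16C5x instruction words back into readable assembly. The five-word sample program and the register address 0x10 are constructed for illustration.

```python
# Added example: decode 12-bit PIC16C5x (baseline core) instruction words
# into assembly mnemonics. SAMPLE is constructed, not from any real device.
BYTE_OPS = {  # bits 11..6 -> mnemonic; operands are "f,d"
    0b000010: "SUBWF", 0b000011: "DECF", 0b000100: "IORWF",
    0b000101: "ANDWF", 0b000110: "XORWF", 0b000111: "ADDWF",
    0b001000: "MOVF", 0b001001: "COMF", 0b001010: "INCF",
    0b001011: "DECFSZ", 0b001100: "RRF", 0b001101: "RLF",
    0b001110: "SWAPF", 0b001111: "INCFSZ",
}
BIT_OPS = {0b0100: "BCF", 0b0101: "BSF", 0b0110: "BTFSC", 0b0111: "BTFSS"}
LIT_OPS = {0b1000: "RETLW", 0b1001: "CALL", 0b1100: "MOVLW",
           0b1101: "IORLW", 0b1110: "ANDLW", 0b1111: "XORLW"}
FIXED = {0x000: "NOP", 0x002: "OPTION", 0x003: "SLEEP",
         0x004: "CLRWDT", 0x040: "CLRW"}

def decode(word):
    """Return the assembly text for one 12-bit instruction word."""
    if not 0 <= word <= 0xFFF:
        raise ValueError("instruction words are 12 bits wide")
    if word in FIXED:
        return FIXED[word]
    if word in (0x005, 0x006, 0x007):
        return f"TRIS {word & 0x7}"
    top4, f = word >> 8, word & 0x1F
    if word >> 9 == 0b101:                      # GOTO has a 9-bit target
        return f"GOTO 0x{word & 0x1FF:03X}"
    if top4 in LIT_OPS:                         # 8-bit literal operand
        return f"{LIT_OPS[top4]} 0x{word & 0xFF:02X}"
    if top4 in BIT_OPS:                         # bit number in bits 7..5
        return f"{BIT_OPS[top4]} 0x{f:02X},{(word >> 5) & 0x7}"
    if word >> 5 == 0b0000001:
        return f"MOVWF 0x{f:02X}"
    if word >> 5 == 0b0000011:
        return f"CLRF 0x{f:02X}"
    op6 = word >> 6
    if op6 in BYTE_OPS:                         # d=1 stores to f, d=0 to W
        return f"{BYTE_OPS[op6]} 0x{f:02X},{(word >> 5) & 1}"
    return f"DW 0x{word:03X}"                   # not a defined opcode

def disassemble(words):
    """Map a list of program-memory words to 'address: mnemonic' lines."""
    return [f"{addr:03X}: {decode(w)}" for addr, w in enumerate(words)]

# Constructed sample: load 5 into a counter register, count down, sleep.
SAMPLE = [0xC05, 0x030, 0x2F0, 0xA02, 0x003]

if __name__ == "__main__":
    print("\n".join(disassemble(SAMPLE)))
```

The output recovers the instruction sequence and control flow; names and comments from the original source are not present in object code and cannot be recovered this way.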