
Prof. Avishai Wool of the School of Engineering at Tel Aviv University: "The proposed electronic election system for Israel is a danger to democracy"

Avishai Wool: The eVoting electronic election system, built on the method developed by Tehila (the central body that provides secure internet services to government ministries), endangers democracy. Tehila's response: other countries (such as Belgium and India) have been using computerized elections for a long time.

Zapper: a simple, cheap disposable camera in which the flash bulb is replaced by a 5 x 8 centimeter loop antenna
The eVoting electronic election system, built on the method developed by Tehila (the central body that provides secure internet services to government ministries), endangers democracy. The solution is based on radio-frequency identification (RFID) technology, which is supposed to work only at very short distances of about 5 centimeters, yet it is very easy to attack. Any hacker who wants to disrupt the election will be able to do so, and in effect decide the identity of our leaders in our place.

"RFID technology is not used for electronic elections anywhere in the world, and in information security, being innovative is a recipe for disaster, not a compliment," says Prof. Avishai Wool, professor of computer engineering at Tel Aviv University's School of Engineering. Wool, who is currently at the IEEE-RFID 2010 conference in Orlando, is presenting experiments in which he and his research students Yossi Oren and Dvir Schirman demonstrated three scenarios for disrupting the vote.

The system has two components: the voting computer, and contactless smart cards that serve as ballots. The voter receives a blank smart card, holds it against the reader of the voting computer, makes a selection, and the choice is written to the card. The voter then drops the card into the ballot box. The vote is also stored in the voting computer. At the end of the day the ballot box is opened, the cards are removed and read again through wireless readers to be counted. This count is mandatory, and if the gap between the voting computer's tally and the count of the cards is too large, the polling station's result may be disqualified.

The smart card contains a wireless antenna and a chip that can read, write and perform cryptographic computations to encrypt the stored information. This is a sophisticated tag of the kind found in advanced credit cards, not a simple RFID tag like the ones attached to perfume bottles in duty-free shops.

"The first scenario is disabling the voting computer with a low-power transmitter, powered for example by a car battery, using a method known as jamming. Although the computer is designed to read cards from a distance of up to 5 centimeters, in the laboratory we achieved a disruption from a distance of 2 meters using hobbyist electronics equipment. Our models predict that distances of 20-30 meters can also be reached. In other words, park an innocent-looking car outside the school and disable the polling stations located there."

"The second scenario is simply the destruction of the smart cards using the Zapper: a simple, cheap disposable camera in which the flash bulb is replaced by a 5 x 8 centimeter loop antenna. The camera's battery produces a short high-voltage electromagnetic pulse (EMP). Such a pulse, amplified by the antenna, burns out all the smart cards in the vicinity, both blank ones and those that hold a vote. Since the election system is designed to protect the privacy of the individual and therefore does not store the voter's details, it will be impossible to know which voter caused the disruption. Activating the device near the ballot box will disrupt all the cards inside and invalidate the polling station's result. The action is equivalent to burning the ballots, only without smoke, without fire and without leaving traces."

The third scenario is the most dangerous, because it allows not only destroying smart cards but also making the computer register a vote for one party as a vote for another. Prof. Wool calls this a relay attack, or an "extension cord attack". The computer assumes that the card it is reading belongs to the person standing next to it, but it is possible to build a system that makes it actually read a different card, one belonging to a voter who has already voted and which is, for example, inside the ballot box. Such an attack could, for example, transfer votes from one party to another, or wipe out the votes for a certain party by turning every card that voted for it into a blank card, that is, a white ballot whose vote is invalid. This attack too can be built with cheap hobbyist equipment.

Another weakness of the system is that the counts being compared come from one computer and another; there is, for example, no printed record of the votes that could prove the real votes in case of an inquiry (a paper trail). "We will have to trust the computer in the event of a malfunction and be left with wrong results, even if they are illogical." According to Prof. Wool, Israel should learn from the experience of the US, where electronic elections have been held since 2000, and adopt some of the amendments that many states there made in light of that experience, especially regarding the paper trail.

Prof. Wool's recommendation is not to adopt the system, which, besides being problematic in terms of information security, is also very expensive and economically unjustified in a small country like Israel, where the entire vote count can be completed within a few hours with the current "paper technology". If the method is adopted anyway, protection mechanisms against disruption must at least be added, first and foremost covering the ballot box on all sides with a shielding material, such as aluminum foil, so that electromagnetic radiation from outside cannot read the cards or write to them.
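The card lifecycle described above, modelled as an added example that is not code from the article or from Tehila's system: the card becomes read-only once it is cast into the box (so a later write, however it is relayed, fails), and the end-of-day reconciliation compares the voting computer's tally with the re-read cards and flags burnt or altered cards. The class names, the blank-vote encoding and the zero-gap disqualification rule are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

BLANK = ""  # assumed encoding of a white (invalid) ballot


class CardSealed(Exception):
    """Raised when anything tries to write to a card after it was cast."""


@dataclass
class Card:
    uid: str
    vote: str = BLANK
    sealed: bool = False   # set when the card enters the ballot box
    readable: bool = True  # False models a card burnt out by a zapper

    def write(self, vote: str) -> None:
        if self.sealed:
            raise CardSealed(self.uid)
        self.vote = vote


@dataclass
class Station:
    """Voting computer: keeps each voter's current choice, keyed by card uid."""
    log: dict = field(default_factory=dict)
    box: list = field(default_factory=list)

    def vote(self, card: Card, party: str) -> None:
        # Re-voting is allowed while the card is still at the station.
        card.write(party)
        self.log[card.uid] = party

    def cast(self, card: Card) -> None:
        card.sealed = True  # from here on every write attempt fails
        self.box.append(card)


def reconcile(station: Station, tolerance: int = 0) -> dict:
    """End-of-day count: re-read the cast cards and compare with the log.
    Returns both tallies plus the anomalies a count official should see."""
    computer = Counter(station.log.values())
    cards = Counter(c.vote for c in station.box if c.readable)
    unreadable = [c.uid for c in station.box if not c.readable]
    changed = [c.uid for c in station.box
               if c.readable and c.vote != station.log.get(c.uid)]
    gap = sum((computer - cards).values()) + sum((cards - computer).values())
    return {"computer": dict(computer), "cards": dict(cards),
            "unreadable": unreadable, "changed": changed,
            "disqualify": gap > tolerance}


def demo() -> dict:
    """Constructed scenario: three voters, one re-vote, one zapped card."""
    st = Station()
    a, b, c = Card("A1"), Card("B2"), Card("C3")
    st.vote(a, "X")
    st.vote(a, "Y")  # voter changes mind before casting
    st.cast(a)
    st.vote(b, "X")
    st.cast(b)
    st.vote(c, "Y")
    st.cast(c)
    c.readable = False  # card burnt out after casting
    try:
        b.write(BLANK)  # write attempt against a cast card is refused
    except CardSealed:
        pass
    return reconcile(st)
```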

Tehila's response: Prof. Wool's article makes several claims; our reply to each of them follows.

1. Disruption by jamming
The claim is that it is possible to remotely disrupt the communication between the cards and the card readers installed at the polling stations. This communication takes place through an electromagnetic field produced by the reader. This field is used both to supply energy to the smart card (which has no battery of its own) and for communication between the card and the reader. We will not bore you with complex explanations; we will only say that the significant component of this communication is the magnetic component, not the electric component.
Three conditions are required to disrupt such communication:
A. Most of the energy in the jammer's radiation is magnetic.
B. The jammer's antenna must be in a specific spatial position relative to the reader's antenna. If this condition is not met, enormous energy is required to disrupt the communication.
C. Even in the ideal situation of the jamming antenna facing the reader, very high energy is required to disrupt it in practice. A magnetic field weakens very quickly as the distance increases (as the third power of the distance).
Such a disruption would be discovered immediately, and it is tantamount to trying to disrupt the elections by setting the ballot box on fire; that is, it cannot be covert, as the article implies.

Very similar chips are used today in electronic passports, which are currently issued by more than a hundred countries. The International Civil Aviation Organization (ICAO), the standards body for passports, has made attempts to jam RFID readers at airports. The organization concluded that this was impractical: first, a tiny distance between the jammer and the reader is required for the jamming to succeed, and second, enormous energy is required.

2. Destroying cards remotely
As far as we know, the respected researchers did not claim to have actually done this, but relied on publications by German hackers who claimed to have disabled RFID tags in supermarkets in this way. When it comes to RFID tags it is important to remember that they are not a single type. It is certainly possible to disable certain tags, the ones used to label products in the retail world, in the manner described in the article. The cards in question, on the other hand, are something completely different. Each such card is resistant to pulses of thousands of volts, thanks to protections built into the hardware of the chip inside it. A simple device like the one described in the article (a device based on a camera flash) cannot produce a pulse powerful enough to damage the card. Here too, the antenna of that device would have to be very close to the card and in a very specific spatial position relative to it; otherwise such destruction cannot be carried out.
The protection of those chips stems from a completely different practical need: protection against static electricity. We all know the phenomenon of an electric shock when touching a car, especially on dry days. The need to hold the smart card in the hand and insert it into the reader requires that it be designed in advance to withstand electrostatic discharge, hence the need for protection.
If the researchers mentioned in the article did manage to destroy a card of the type used in the election system, we would be happy to know about it and receive all the details. If such a demonstration was not actually carried out, it is appropriate to say so explicitly, for the sake of intellectual honesty.

3. Relay attack ("extension cord")
This attack is based on equipment that can simulate a card on one side and a reader on the other. The claim is that with such equipment it is possible to link a card that has already been inserted into the ballot box with the voting station, and then change the vote recorded on it.
On the face of it this is possible, but in practice the reality is completely different.
The main factor that absolutely prevents such an attack is a feature built into the system in advance. This feature prevents a card that has already been voted with from changing its contents after it leaves the voting station. The researchers were probably unaware of this feature and therefore mistakenly believed that such an attack could be carried out.
Furthermore, even without this feature it is impractical to carry out such an attack. When there are several cards in the ballot box, it is not possible to isolate a particular card and communicate only with it. In fact, it is not possible to communicate with the cards at all when their number exceeds four.
Here another factor comes into the equation. Unlike disruption by jamming, here proper communication between the card and the attacker's reader is required. To operate a card from a range of 35 cm, enormous power is required (at least several hundred watts) and, above all, a large antenna positioned parallel to the card. It is hard to imagine a situation in which any attacker could do this in reality.

4. Paper trail
Regarding the use of a "paper trail", there were many discussions during the development of the system, both internal discussions and discussions with the Ministry of Justice, which was a full partner in the process.
The unequivocal conclusion of those discussions was that this is certainly a fine principle in theory, but there is currently no practical way to realize it while respecting all the principles that guide the development of the system, in particular the principle of the secrecy of the ballot. It is important to emphasize that we do not rule out a "paper trail", but we claim that any reasonable implementation of a "paper trail" requires sacrificing other areas, such as secrecy.
Adding a "paper trail" would only add an unreasonable logistical burden and open the door to manipulation of the voting system. Just as an example: if there is a continuous-roll printer, then the order of the printouts reveals how each citizen voted, and it is enough to record the order in which citizens arrived at the polling station to eliminate secrecy completely. The low reliability of printers also creates a need for maintenance. Accordingly, maintenance personnel would need access to the printers during election day, which increases the risk of an attack on the system.
The debate about the need for a "paper trail" in election systems is an old one, and it is difficult to explain the different opinions without a very long discussion of such systems. The elections in the USA are usually cited as an example, but it is important to remember that those are completely different elections, which cannot be compared to elections in Israel. In the USA many officials are elected (sheriff, judges, district attorney, governor, etc.), and there the printed paper is used as part of the selection process, for lack of any alternative.
We will also mention that other countries (such as Belgium and India) have been using computerized elections for a long time, without paper trails. An interesting curiosity: Belgium has used computerized elections since 1991.
In 2003 a "paper trail" mechanism was incorporated into Belgium's computerized system, but it was removed in 2004 after they concluded that it was unnecessary and created more problems than benefits.

5. The cost of the system
Sensitivity to the cost of the system was one of its main design considerations. During the development stages a relatively expensive smart card was selected, but one that offers great flexibility. Such a card suits the development period, when uncertainty is high. For the final system a very cheap smart card can be used, one that can be recycled for subsequent elections at no additional cost and, above all, without the risk of revealing the previous vote stored on it.
As mentioned, this issue was taken into account during development, and all the cryptographic mechanisms chosen are ones that will not require expensive smart cards once there is certainty about the features and functions required of the cards.

6. Is implementation of the project assured to Mimshal Zamin (the e-Government unit), or is it expected to be put out to tender?
Mimshal Zamin, at the request of the Ministry of the Interior and in coordination with the Ministry of Justice, built the solution and was ready to run a pilot in the local authority elections in early 2009. That pilot, as I recall, did not take place because of delays in the legislative process.
A long and thorough lessons-learned process was planned to follow the pilot. As part of that process, the question of operation was to be examined, including the possibility of operating the election system through franchisees selected by tender.
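The two range arguments made above (point C, that a magnetic field falls off with the cube of the distance, and point 3, that operating a card from 35 cm needs hundreds of watts) can be checked against the textbook on-axis field of a circular loop. This is an added example, not code from the article or from either party; the loop radii and distances are assumptions chosen to match figures quoted on the page, and it compares loop currents rather than watts, because the power needed for a given current also depends on the loop's resistance.

```python
import math

MU0 = 4 * math.pi * 1e-7  # vacuum permeability, H/m


def axial_field(current_a: float, radius_m: float, dist_m: float) -> float:
    """Magnetic flux density (tesla) on the axis of a circular loop,
    from Biot-Savart: B = mu0 * I * a^2 / (2 * (a^2 + r^2)^(3/2))."""
    a2 = radius_m ** 2
    return MU0 * current_a * a2 / (2 * (a2 + dist_m ** 2) ** 1.5)


def falloff_ratio(radius_m: float, near_m: float, far_m: float) -> float:
    """How many times weaker the field is at far_m than at near_m.
    For r >> a this approaches (far/near)^3, the cube law cited above."""
    return axial_field(1.0, radius_m, near_m) / axial_field(1.0, radius_m, far_m)


def current_for_field(b_target_t: float, radius_m: float, dist_m: float) -> float:
    """Loop current (amperes) needed to reach b_target_t at dist_m;
    the field is linear in current, so scale the 1 A result."""
    return b_target_t / axial_field(1.0, radius_m, dist_m)


def current_ratio(small_m: float, large_m: float, dist_m: float) -> float:
    """Current a small loop needs relative to a large loop for the same field
    at dist_m. A loop whose radius is comparable to the distance escapes the
    cube law: a^2 grows while (a^2 + r^2) barely changes."""
    return (current_for_field(1.0, small_m, dist_m)
            / current_for_field(1.0, large_m, dist_m))


if __name__ == "__main__":
    # Assumed reader-sized loop (5 cm diameter): cube law holds once r >> a.
    print(f"50 cm -> 100 cm falloff, 2.5 cm loop: "
          f"{falloff_ratio(0.025, 0.5, 1.0):.2f}x")
    # Assumed 40 cm diameter loop versus the 5 cm one, both at 35 cm.
    print(f"current ratio small/large at 35 cm: "
          f"{current_ratio(0.025, 0.20, 0.35):.1f}x")
```

The cube law is real for a small loop, which is why the reader's own 5 cm antenna only works at a few centimeters, but it says nothing about what a larger loop can do at the same distance; that gap is what the page's recommendation to shield the ballot box addresses.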

Prof. Wool's reply to the Mimshal Zamin response

The "Available Government" (Mimshal Zamin) responses to our research repeat comments we received from them in the past, and they contain significant inaccuracies. Below are our responses to the claims, one by one:

1. Disruption by jamming: We have already carried out an actual jamming of card-reader communication from a distance of about 2 meters. We are conducting further experiments and the range will increase.
   Technical details of the attack: So far we used a transmission power of 1 watt, with a 40 cm diameter mobile antenna made from a copper cooking-gas pipe. Such a tiny power can also be obtained from a laptop's USB port. Accurate computer models predict the possibility of jamming even from a distance of 20-50 meters with a larger antenna and a power of a few watts (available from a car battery).
   Scientific explanation: the argument that jamming must be based on a strong magnetic field (and therefore can only operate at short range and requires a lot of energy) is wrong. A strong magnetic field is needed only to power the card's circuits; it is irrelevant for jamming that works against the reader. Our jammer transmits a radio signal (RF) at the frequency of the upper sideband of the load modulation (14.4075 MHz) and thereby blocks the receiver circuit in the reader. Such radio frequencies in the HF (high frequency) band are also used by radio amateurs, and their transmission range reaches hundreds or thousands of kilometers.
2. "ICAO, the standards body for passports ... concluded that it is not practical": (a) The attack is completely practical and was carried out in practice; see point 1. (b) The covers of American passports incorporate electrical shielding (metallic fibers) to protect against attacks, thanks among other things to our group's earlier research. European passports without shielding were shown to be very vulnerable to attack at the last USENIX conference.
3. Destruction of cards:
   (a) We definitely built a zapper and even used it to destroy a JCOP card of the type planned for the Israeli elections, and filmed the process.
   (b) In the coming days we will upload a blue-and-white (Israeli-made) video demonstrating how we destroy the card.
   (c) Our zapper, like those of hackers around the world, works well against contactless smart cards of the ISO 14443 family (and not against UHF tags in supermarkets as claimed). See the YouTube video in the attached link.
4. Extension cord attack: "A feature built into the system in advance ... prevents a card that has already been voted with from changing its contents":
   (a) The Elections Law and the system specification allow a voter to change his vote an unlimited number of times, and the system is supposed to support this.
   (b) The feature in question is not mentioned in the specification document. Therefore it is not clear what exactly it blocks or how exactly it works.
   (c) Since the feature is not in the specification document, it is not at all clear whether it will appear in the final implementation by the franchise company.
   (d) It is certainly possible that such a protection mechanism, if it does exist, can itself be used to disrupt and block (for example by misleading the system into thinking that a vote has already been registered).
   (e) If "Tehila" makes a prototype of the voting system available to us, we can test it and give an opinion.
5. Extension cord attack: "When there are several cards in the ballot box, it is not possible to isolate a particular card... when the number exceeds four." This is probably an engineering limitation of Tehila's equipment. The anticollision mechanism of the ISO 14443-2 standard does allow one card to be isolated, even out of hundreds, so the cards will respond. Subversive equipment built to carry out an extension cord attack will not be bound by the engineering limitations of legitimate equipment.
6. Extension cord attack: "To operate a card from a range of 35 cm, enormous power is required (at least several hundred watts)": not true. Ilan Kirschenbaum's students built an antenna from amateur equipment and operated a standard card at a range of 25 cm with a power of one watt. The system was powered by a 12 volt battery from a home alarm system. See the link to the article and the link to the antenna photos.
7. The cost of the system: We have no real information about the cost of today's elections (with the "technology" of slips and envelopes) nor of the proposed system. But a very rough calculation that includes the price of the cards (about $10 per card) multiplied by several million eligible voters, the cost of the reading equipment (say $5,000 per polling station) multiplied by several thousand polling stations, plus the development cost and the franchise company's profit, easily requires a budget of fifty to one hundred million dollars. This money replaces only the cost of the ballots and envelopes, not the operating cost of election day. One hundred million dollars can buy ballot slips for many election campaigns!

Links:
• Our card-destruction video (Israeli-made), an extension cord attack, a photo of the gas-pipe antenna, and letters to the US government that influenced the design of electronic passports
• A YouTube video (in German) demonstrating how to build a zapper from a disposable camera and destroy contactless smart cards
• Kirschenbaum's article, "How to build a low-cost, extended-range RFID skimmer"

Sincerely,

Links:
• Prof. Wool's home page
• Research results on RFID
• The technical article on the election system in Israel


Y. Oren and A. Wool. RFID-based electronic voting: What could possibly go wrong?
In IEEE International Conference on RFID, Orlando, FL, April 2010
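Point 5 of the reply above turns on whether a reader can single out one card among many; the end-of-day count described in the article needs the same ability over a full ballot box. The following is an added simulation, not code from the article, the researchers or Tehila, of the bit-collision tree walk that ISO 14443-3 Type A readers use for that purpose, simplified to one 32-bit cascade level with no CRC or timing; the card UIDs are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

UID_BITS = 32  # single cascade level, modelled as a plain bit string


@dataclass
class Card:
    uid: int
    halted: bool = False  # a HALTed card stays silent until re-powered

    def bits(self) -> str:
        return format(self.uid, f"0{UID_BITS}b")

    def answer(self, prefix: str) -> Optional[str]:
        """Reply with the remaining UID bits if the reader's known prefix
        matches; otherwise stay silent, as the standard requires."""
        b = self.bits()
        if self.halted or not b.startswith(prefix):
            return None
        return b[len(prefix):]


def resolve_one(cards: List[Card], prefix: str = "") -> Optional[int]:
    """Walk the collision tree: all matching cards answer at once, the reader
    keeps the bits they agree on up to the first disagreement and picks the
    '1' branch there (it may pick either). Returns one full UID, or None
    when no card answers."""
    while len(prefix) < UID_BITS:
        replies = [r for r in (c.answer(prefix) for c in cards) if r]
        if not replies:
            return None
        for i, column in enumerate(zip(*replies)):
            if len(set(column)) > 1:  # collision at bit i
                prefix += replies[0][:i] + "1"
                break
        else:
            prefix += replies[0]  # no collision: a single card remains
    return int(prefix, 2)


def enumerate_cards(cards: List[Card]) -> List[int]:
    """Select and HALT cards one after another until the field is silent,
    which is the loop a counting reader must run over a full ballot box.
    Because resolve_one always takes the '1' branch, UIDs come out in
    descending order."""
    found = []
    by_uid = {c.uid: c for c in cards}
    while (uid := resolve_one(cards)) is not None:
        found.append(uid)
        by_uid[uid].halted = True
    return found


# Constructed sample: six cards, more than the "four" limit quoted above.
SAMPLE_UIDS = [0xDEADBEEF, 0xDEADBEE0, 0x12345678, 0x0000FFFF, 0x0000FFFE, 0x80000000]

if __name__ == "__main__":
    for u in enumerate_cards([Card(u) for u in SAMPLE_UIDS]):
        print(f"selected {u:08X}")
```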

6 comments

  1. I don't understand why an entire card industry is needed for this.
    Instead of millions of disposable plastic cards, why not put in a keyboard or a screen or something?
    Part of progress is not doing things just because they are 'similar' to the way we've done them until now (e.g. putting something into an envelope).
    A computer that counts, and that's it; you can program an interface that can't be hacked.

  2. Beyond the technical debate, it seems to me a mistake to oppose the computerization of polling stations on grounds of financial cost. The cost of computing is decreasing, and the real cost of today's paper ballots is the huge amount of forgery that occurs with them. I don't know of a practical scenario in which thousands of dead people in the ultra-Orthodox sector would continue to vote in a computerized ballot. Confidence in clean election results cannot be quantified in money.

  3. Regarding the card-destruction video:
    Both the Israeli (blue-and-white) video and the German one demonstrate the destruction of a card by an antenna that creates a magnetic flux exactly perpendicular to the card's antenna, from a range of 0. That is a bit unfair. The demonstration would have had more value if it had been carried out from a distance of at least 40 cm, at an angle of 10 degrees between the antennas (I'm not talking about 45 or 90, but 10 is reasonable; it would destroy, say, 10-20 percent of the cards, which would cause the polling station to be disqualified).

  4. The biggest danger is in the computers that count the results. Installing a chip that performs an action in favor of a certain party only on a certain date and at a certain time cannot be detected, and that is the danger. A very small number of people can covertly rig the election.

  5. Computerize the Knesset, not the elections.
    Develop management software whose specification document has no option for accepting a bribe.

  6. This camera is interesting. Where can I find instructions on how to assemble one? And where can I buy, or how can I make, a loop antenna? The whole subject of EMP is interesting.
