
The Automated Election System - Is it hackable?

by uncleangidpogi on » Sep 25 2009 » (Angel's Realm)

For the past few months, since the Smartmatic-TIM consortium won the Philippine election automation project, doubts and fears about the system and the machines have been raised and discussed everywhere. While many have already concluded that the machines are vulnerable to hacking and vote modification, Smartmatic-TIM has, in its defense, continuously denied such allegations and shouted to the whole world that its system and machines are not prone to hacking.
So the unanswered question still lingers…is it really hackable?

The PROBLEM…

In the world of cyber security, it is presumed that nothing is impossible and everything is hackable. The only question is, WHEN? A system could be hacked tomorrow, next week, next month or next year; it all depends on the security measures implemented and on the knowledge, or the stupidity, of those responsible for cyber security.
Smartmatic-TIM has continuously failed to demonstrate the level of security its system has or the level of security it is planning to implement to prevent possible election fraud and/or election failure. It has, however, successfully ignited the wrath of malicious hackers (http://www.tribune.net.ph/headlines/20090820hed5.html) and crackers to attack the election automation system by irresponsibly screaming to the whole world that its system is unhackable and even offering a 10M PHP reward to those who can successfully hack the system. The thing is, there are hackers who hack not for money but for fame and personal satisfaction, but there are definitely those who do it for money, and 10M PHP is more than enough to give a free invite to these people.
The ignorance of Smartmatic-TIM in terms of information security is obviously bottomless, otherwise they wouldn’t have done that. Almost all of those who dared hackers and irresponsibly advertised to the whole world that their system is secure have been hacked and humiliated.

As a Filipino, this is scaring me, not because I am a Smartmatic-TIM sympathizer but because this would mean a failure of the 2010 national election.

The QUESTIONS…
Although it is very valid to raise our doubts and fears about the security of these machines, I don’t think we are asking the right questions. A lot of experts have given their points of view and the Government has been talking about conducting a source code review (which is good), but none of them satisfied my own doubts and fears.

As far as I know, this is how data is going to be sent to the different levels (I could be wrong):

From poll precincts: upload from PCOS machines located in poll precincts to Central Server, Municipal level and Political Party Server

From Municipal level: upload from Municipal to Central Server, Provincial level, and to Political Party Server

From Provincial level: upload from Provincial level to Central Server, NBOC and Political Party Server

From National level: upload from NBOC to Central Server and Political Party Server

1st: How will you secure the physical level access of the machines?
2nd: How will you secure the logical level access of the machines?
3rd: How will you protect the votes stored inside the machines?
4th: How will you secure the votes sent from the machines to the different levels (municipal, provincial, national, etc) during transmission to prevent information sniffing and hijacking?
5th: How will you secure the data when it arrives at the municipal level, provincial level, national level, etc?

6th: How will you make sure that the integrity of the data sent or received was not compromised and that the person who sent the data and the person who opened and received the data are the persons authorized to process the data?

7th: In case the data is hijacked, how will you make sure that the data will be unusable to the person who hijacked it?

8th: If the data has been compromised, how long will it take for the hacker to read and modify the data?

9th: If the data has been successfully modified, how will you prevent the hacker from uploading the data to all levels and making it look like it was sent by an authorized person?
10th: On the municipal level, how will you ensure that the data sent to the provincial level, national level, etc. are authentic and came from the authorized person in the municipal level?

11th: How will you prevent massive Denial of Service or Distributed Denial of Service attacks from happening?

12th: How will you ensure the integrity of the data sent and received as well as the person who sent and received the data?
These are just some of the valid questions that Smartmatic-TIM so far failed to address and demonstrate.
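
Questions 6, 9, 10 and 12 come down to whether a receiving tier can tell an authentic, unmodified return from a forged or replayed one. The sketch below is an added example, not code from this article or from Smartmatic-TIM; the machine IDs, keys and message layout are constructed for illustration. It uses a shared-key HMAC, so it covers integrity and origin only (not the confidentiality asked about in question 7), and with several receiving servers a digital signature would be used instead so that no recipient could forge a return.

```python
import hashlib
import hmac
import json

# Constructed demo keys, one per counting machine (hypothetical IDs).
MACHINE_KEYS = {"PCOS-0001": b"demo-key-0001", "PCOS-0002": b"demo-key-0002"}


def canonical(payload):
    """Serialize deterministically so both ends MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def seal(machine_id, seq, tally, key):
    """Sender: bind machine ID, sequence number and tally under one tag."""
    payload = {"machine": machine_id, "seq": seq, "tally": tally}
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Receiving tier: checks origin, integrity and freshness of a return."""
    def __init__(self, keys):
        self.keys, self.last_seq = keys, {}  # last_seq: highest seq accepted per machine

    def accept(self, msg):
        payload = msg.get("payload")
        if not isinstance(payload, dict):
            return "rejected: malformed"
        machine, seq = payload.get("machine"), payload.get("seq")
        key = self.keys.get(machine) if isinstance(machine, str) else None
        if key is None:
            return "rejected: unknown sender"
        expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag")).encode()):
            return "rejected: bad tag"
        if not isinstance(seq, int) or seq <= self.last_seq.get(machine, 0):
            return "rejected: replay"
        self.last_seq[machine] = seq
        return "accepted"


def demo():
    rx = Receiver(MACHINE_KEYS)
    good = seal("PCOS-0001", 1, {"A": 120, "B": 95}, MACHINE_KEYS["PCOS-0001"])
    forged = json.loads(json.dumps(good))       # copy captured in transit
    forged["payload"]["tally"]["B"] = 950       # a count altered after sealing
    spoofed = seal("PCOS-0001", 2, {"A": 1, "B": 999}, MACHINE_KEYS["PCOS-0002"])
    return [rx.accept(m) for m in (good, forged, good, spoofed)]
```
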

The INVISIBLE THREAT
There is an ongoing war right now; it’s called Cyber War. Unlike conventional war, cyber warfare is invisible: you can be attacked by anyone from anywhere, and you wouldn’t even know where the attacks came from. There are also cyber mercenaries, who get paid for successfully attacking a target, and no doubt these mercenaries would be more than happy to accommodate our corrupt politicians. How are you going to arrest or preempt an invisible threat or attack? How are you going to pinpoint the location and source of these possible attacks?
It is a million-dollar question that can only be answered by those who truly understand these invisible threats, as well as the invisible threat catalysts, not by those who pretend to be experts in cyber security and not by those who have read a lot about cyber security but haven’t really done it.

The Filipino people deserve more. Let us not put our trust in these pretenders, and let us not entrust our future to these incompetent people, because protecting our votes in the coming 2010 elections is protecting the future of our children and our children’s children.

So, going back to the first question…IS IT HACKABLE?

As an information security enthusiast and practitioner, my answer would be…WHO KNOWS? But I can surely say that the Smartmatic-TIM guys are not that good and knowledgeable when it comes to information security and cyber attacks; they don’t understand how hackers think and they’ve got no freaking idea how they work. This makes it very scary. Unlike the saying “What you don’t know won’t hurt you”, in cyber security, what you don’t know will definitely hurt you…BIG TIME!!!

3 Comments

  1. didi didi says:

    Angel, how do other countries protect the sanctity of the ballot? First world countries adopted automation a long time ago and the results of elections have never been contested (except the Bush-Gore toss-up which ended up in the US Supreme Court, but the contested portion is statistically insignificant, considering data dating back to the start of automation). Redundancy in transmission of the data could probably help. Also, simultaneous and redundant transmission is probably better than laddered transmission (send simultaneously to local, provincial, national and media rather than precinct to municipal to provincial, etc). At this time of the technological evolution, ensuring a credible automated election should be a walk in the park.


  2. Angel Redoble uncleangidpogi says:

    I don’t know how others secure their automated election system…and this is exactly the idea…nobody knows and no one should know. In cyber warfare, if you know how to hide your system, even if you are vulnerable to some attacks, but you make it so hard for your enemy to find your system…your system can be considered secure, because if I were the enemy I wouldn’t know where to launch the attack.

    Security by obscurity is the secret. The more you say something about your system, the more vulnerable you become.

    Never shout to the whole world that your system is secure and unhackable…be paranoid always, always bear in mind that there is someone out there much better than you..and that someone surely has the capability to break into your system…

    And Never challenge a hacker…

    These 3 points are the most basic but very effective in information security. And Smartmatic-TIM failed in these points so far. They have continuously claimed through the media that their system is unhackable and they are even offering 10M PHP to those who can successfully hack the system..this so far is the most stupid thing.

    And Comelec, whose ignorance of cyber security is also bottomless like Smartmatic-TIM’s..they have become the “bash-brothers” in causing the possible failure of the 2010 automated election. This is like “The blind leading the blind” hehehe


  3. Primo Redoble Tats says:

    We should know our politicians better. They will find a way to rig the election no matter what. Anything not hackable or riggable they will never buy!
