Thursday, 8 November 2007

How to cheat in Brazilian Elections

This post is about an article I wrote for myself some time ago, which sets up a very nice "business" in cheating the Brazilian electronic elections.


How to buy votes with confidence in the Brazilian Electronic Election System (thoughts)

Brazil is known worldwide for its natural beauty and for things like Samba, Pelé and Carnival, although we (Brazilians) know that Brazil has a lot of other things that are really interesting and attractive to us and to everybody else. But one thing that is becoming a trademark of Brazilian culture is corruption. Recent scandals led to worldwide headlines about the Brazilian political and corruption systems.

What I want to show with this writing is that one problem Brazil has today in its democratic system can be made even worse if some computer science knowledge is applied in bad ways, and that the current and past governments really do not care about a matter so important to guaranteeing Brazilian democracy as a whole.

Brief History:

Brazil was the first country to run a completely electronic election, in 2002. The first prototypes of the current Brazilian DRE (direct recording electronic) system were tested in 1996 in the state of Santa Catarina (my home state), and were produced by local companies.

From that time, the system evolved and started being developed by very large multinational companies, like Diebold-Procomp, a branch of the same company that develops the US voting machines. During the development of the electronic election system, a lot of power was given to the TSE (the Brazilian Federal Elections Division), and with this power they developed a proprietary machine, based on Intel's 80386 platform, adapted to run proprietary software that creates, stores and counts the votes, without giving you any possibility to recount or to scrutinize the software except under TSE rules.

Lots of complaints have always been made to the TSE about DRE security, but as the TSE has full power over the system and the government has no interest in opening a Pandora's box, normally all requests to look inside the software or hardware are denied, or you must sign an NDA (non-disclosure agreement) with them prohibiting you from telling others about flaws (if they exist) in the system. I myself never saw the DRE election system from the inside, but I have talked with people who did, and I have also read the authorized reports that the TSE asked some Brazilian universities and research centers to produce. I know the system as an outsider, so some of my considerations may be mistaken...

Description of the System:

Taking into consideration the whole process of a Brazilian election: elections are normally run by the states, and the states have their own Election Divisions (TREs). This attack probably does not make sense in a nationwide, or even a statewide, election, but in small cities, like the one where I am registered to vote (Massaranduba-SC, with 7500 voters), buying votes, or even chasing people to vote according to someone's instructions, is something that really happens.

As I mentioned before, the city where I am registered to vote needs, like any other city in Brazil, to elect its Mayor and the city counselors, known as "vereadores". In this city, with almost 12,000 inhabitants, just under 8,000 people are entitled to vote, because almost half of the population is out of voting age (too young or too old), so we can not count on them. This city, according to Brazilian election laws, can elect 9 members to the city council, who serve there for 4 years. As past elections suggest, a counselor can be elected for sure with 250 votes or more; the most voted ones get no more than 500 votes. This shows the distribution of votes between winners and losers, but the math is not always as basic as it looks, because under the election laws there are some tricks in counting the votes: votes for the party also count, making it easier to elect its council members. So even the losers' votes count towards electing the winners from their party.

In this election scenario, 1 or 2 votes can make the difference between being or not being a city counselor, so they (the politicians) start "fighting" in the most varied ways. Some time ago (I think two elections before the last one, which I missed because I am here in the UK), I realised that there is a potential business to be run on the "being a counselor thing". A counselor gets an income of 2500 reais/month including everything, so he can somehow invest his money in a way that, for sure, will return in an election (without counting on acting in a bad way, like corruption or bribes). Supposing that a person really wants to run this business, the total income as counselor will be 120k reais over the four years, so why not invest part of it to become a counselor?

Answering this question, some people really do think of this as a business, so they start figuring out how to make things happen, and normally one very good decision is to start buying votes. The vote buying process consists in deciding how many votes you need to buy, and how much you can spend on it. Supposing that you want a very big profit, we can say that you are allowed to spend 25% of your supposed income, which in our case is 30k reais. Now the maths gets really easy: with a good security margin, suppose you will buy 300 votes (you will have a bit more, because at least your family will vote for you), so you can pay up to R$100 per vote.

One thing that the candidate must take care of is that some people are not faithful, and they will just grab the money and not vote the agreed way, so normally the profit of our business will be lower. Then you need a way to check that your investment is running smoothly. This is what I propose next...

Description of Attack:

So I came up with a solution to make this business even more profitable. We can make use of cheap high tech to control the investment, and even punish those clever ones who just wanted to grab the money and vote against what was agreed. What I am talking about is running a "Tempest attack on the voting machines to record the votes".

Eavesdropping is nothing new and consists in analysing the RF emitted by electronic circuits when they operate. There is some work here in Cambridge that can be directly applied to the Brazilian election system. I can take as a base Prof. Markus Kuhn's PhD thesis. He developed a very easy and small system to capture RF emanations from computer monitors. This system can capture, from some distance (which really does not matter for us), the images on a monitor (CRT or LCD) if specific precautions were not taken in the environment where this computer runs. The real strength of this attack is that you are simply ignoring the system's proposed security and acting on misconceptions in its design.

After reading a lot about the voting machines, I realized that the government did not care about a very simple attack like this, one that can make a real difference for some people's business: the recording of the vote and its correlation with the person who voted. So how can we make this happen?

I propose to use Markus's attack to steal the light emanated from the LCD screens, or, even easier, the signal on the VGA circuit of the Brazilian voting machine, which is nothing more than a computer that works specifically for voting purposes, as I briefly explained before. Then the question arises: how can this make "my proposed business" more profitable, and even if I can record the votes, how would I correlate the voters with their votes?

The basic idea is: as we know how to capture the screen emanations from the voting machine, and we know where it will be located (at least a room in a school or somewhere similar), we just need to install the screen tap device in the room where it is able to capture the screen, and then we use the election's own proposed security against the system. One thing I have not mentioned is that elections in Brazil are normally run with a security mechanism called "conflict of interests". This means that in every room a person nominated by one of the parties running in the election should be present. In "our business" we can use this person to tie the voter to the recorded vote. By knowing who was paid to vote, the person can just take note of the sequence number that this voter has in the voting order, and then we can correlate later.

As an example, we can tap the election system and record all votes; then the party person can see that Jean was the 4th to vote that day, so when the election is finished, all we need to do is check the recording and see that Jean really voted the right way, and if not, we can go to his home and chase him to get our money back :).

The real difference in this new scheme is that you can buy votes with confidence, and once people realise that you can know their votes with confidence, you will not even need to tap the election system anymore, because they will suspect that you have arranged another way to spy on their votes, or even their minds.

Possible Solutions:

First we can think of a very drastic solution, like putting every voting machine in a Faraday cage to stop the RF emanations from being captured by the tapping device, but this leads us to another problem: how to transport Faraday cages to the Amazon jungle, and how much this solution will cost.

Thinking further, I figured out that we can take some other approaches, like producing noise in such a way that the recording becomes a bit more difficult; this noise could simply come from a noise generator on the same frequency.

Then I started thinking about some changes in the software interface: instead of showing the picture of the chosen candidate, it could show all candidates, or others from the same party, marking only the frame of the chosen one in a different colour (colours are difficult to grab with eavesdropping), or, who knows, using some hard watermark in the picture, so that only the watermark is visible to the tapping device.
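As an added illustration of the interface change just proposed (example code written for this edit, not from the original post and not the TSE's software), the following Python toy renders a vote-confirmation screen two ways and models the eavesdropper as a luminance-only capture. That assumption, that the emanation channel carries per-pixel brightness but not hue, is a simplifying model labelled as such in the code, not a measurement of any real machine; the screen size, candidate "photos" and frame colours are all constructed. Under that model, showing only the chosen photo leaks the vote, showing all candidates with a red-versus-blue frame still leaks it (the two colours differ in luminance), and an isoluminant highlight leaves the captured frame identical for every choice.

```python
# Added example (not from the original post): a toy model of the interface
# change proposed above. Assumption (labelled, not measured): the eavesdropper
# recovers only per-pixel luminance from the emanations, never the hue.

WIDTH, HEIGHT = 32, 8  # constructed toy screen dimensions

# Constructed candidate "photos": 4x4 blocks of gray levels (0-255).
CANDIDATES = {
    "A": [[40, 200, 40, 200]] * 4,
    "B": [[200, 40, 200, 40]] * 4,
    "C": [[120, 120, 120, 120]] * 4,
}


def blank_frame(bg=(0, 0, 0)):
    """A HEIGHT x WIDTH frame of RGB tuples."""
    return [[bg] * WIDTH for _ in range(HEIGHT)]


def draw_photo(frame, photo, x0, y0):
    """Paint a grayscale photo with its top-left corner at (x0, y0)."""
    for dy, row in enumerate(photo):
        for dx, g in enumerate(row):
            frame[y0 + dy][x0 + dx] = (g, g, g)


def draw_border(frame, x0, y0, size, colour):
    """Paint a one-pixel square border of the given colour."""
    for d in range(size):
        frame[y0][x0 + d] = colour
        frame[y0 + size - 1][x0 + d] = colour
        frame[y0 + d][x0] = colour
        frame[y0 + d][x0 + size - 1] = colour


def render_chosen_only(choice):
    """Design described in the post: only the chosen candidate's photo."""
    frame = blank_frame()
    draw_photo(frame, CANDIDATES[choice], 2, 2)
    return frame


def render_all_highlighted(choice, normal, highlight):
    """Proposed design: every candidate shown, the chosen one colour-framed."""
    frame = blank_frame()
    for i, (name, photo) in enumerate(CANDIDATES.items()):
        x0 = 2 + 8 * i
        draw_border(frame, x0, 1, 6, highlight if name == choice else normal)
        draw_photo(frame, photo, x0 + 1, 2)
    return frame


def luminance(rgb):
    """ITU-R BT.601 luma, rounded to an integer gray level."""
    r, g, b = rgb
    return round(0.299 * r + 0.587 * g + 0.114 * b)


def capture(frame):
    """Eavesdropper model: luminance only (the stated assumption)."""
    return [[luminance(px) for px in row] for row in frame]


def leaks_choice(render):
    """True if the captured frames differ between any two vote choices."""
    seen = set()
    for name in CANDIDATES:
        seen.add(tuple(tuple(row) for row in capture(render(name))))
    return len(seen) > 1


def isoluminant_highlight(normal, r=255, b=0):
    """A vivid colour with the same luma as `normal`, or None if none fits."""
    target = luminance(normal)
    g = round((target - 0.299 * r - 0.114 * b) / 0.587)
    if not 0 <= g <= 255:
        return None
    candidate = (r, g, b)
    return candidate if luminance(candidate) == target else None


if __name__ == "__main__":
    grey = (128, 128, 128)
    vivid = isoluminant_highlight(grey)  # (255, 88, 0) under this model
    print("chosen photo only leaks:", leaks_choice(render_chosen_only))
    print("red/blue frames leak:", leaks_choice(
        lambda c: render_all_highlighted(c, (0, 0, 255), (255, 0, 0))))
    print("isoluminant frames leak:", leaks_choice(
        lambda c: render_all_highlighted(c, grey, vivid)))
```

The check captures the general design rule behind the proposal: whatever the voter sees may differ from choice to choice only along a dimension the leaking channel does not carry. The voter still distinguishes the vivid frame by hue, while the modelled tap sees the same gray everywhere. If a real channel turns out to carry more than luminance, the same harness fails the design, which is exactly what a defender wants to learn before fielding it.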

1 comment:

Carlos Hotta said...

This type of text just makes me afraid of the Jeans that went to the dark side...