Reading headlines, it might surprise some that the United States is not the only country with serious voting technology challenges. In fact, recent years have seen issues in India, Africa, and Latin America; technical experts have examined some of those systems and found them lacking.
Today, I’m pleased to report that The Sentry – an NGO that works to prevent genocide and mass atrocities in Africa – released a detailed analysis (full report PDF) of the new system slated for use in the upcoming elections in the Democratic Republic of the Congo (DRC). The Sentry worked with Argentinian security researchers Javier Smaldone (@mis2centavos) and Alfredo Ortega (@ortegaalfredo) and me to examine what little public information is available about this system. The verdict is not good.
These awesome Argentinian researchers, it turns out, had an opportunity to examine an earlier version of this system, also from South Korean company Miru, in 2016. At that time, they were able to show how completely insecure the Miru system was, including: publicly posted cryptographic keys allowing total modification of the system or vote data; radio transmission of each ballot, which was easily intercepted; and chips embedded in each paper ballot (RFID tags) that could be used to load many more than one vote per ballot. Argentina stopped the procurement and legislative authorization process to obtain these machines shortly after the security researchers publicly presented these flaws to Argentinian legislators.
Fast forward to now: DRC has purchased 105,000 of these machines from Miru at a cost of US $130 million for use in their December 18 presidential election. As detailed in the report released today, the DRC machines appear to be the same machines that Miru attempted to sell to Argentina. In addition, this same company provided equipment to Iraq for their recent election, for which there will be a full recount of 11 million votes due to alleged machine irregularities.
In today’s report, we critique the newer version of the machine sold to DRC. The system has since been modified to use 2D barcodes (QR codes) printed on ballots, instead of encoding ballot data onto embedded (RFID) chips on each ballot. We point out that because each of these barcodes includes ballot-specific information to prevent double-voting, the design destroys ballot secrecy in a fragile national environment where voter coercion and intimidation are very serious threats to election integrity. We further note that the system has a number of unprotected input ports. For example, a USB stick is inserted into the machine to activate a new voter session, despite the fact that USB sticks are a popular vector for malware to spread (cf. Stuxnet), and there is no indication that a rogue USB stick would be noticed by DRC election workers. Finally, these machines have 2G/3G cellular modems, the use of which is not specified by the DRC government. This means that the machines could be used to transmit official votes from polling locations to election headquarters over cellular connections that can be easily blocked or modified in transit.
In short, we make the case that a lot of unanswered questions should be addressed before anyone can say this system can be used safely in DRC elections. We call on the DRC government to allow independent technical examination of their use of this system and to commit to mitigating any serious vulnerabilities found before such a system is deployed in Congo.