Introduction
My daughters, 6 and 8 years old, are very interested in the Eurovision Song Contest, which is a huge thing in Sweden. The Swedish final yesterday had close to 3.5 million viewers, which means that ca 40% of the Swedish population were watching.
My daughters, smart as they are, asked me about the voting system security. This is their first “democratic” election, so it is very important to them that their votes count and that there is no foul play. Maybe we should care about this, even though it is only a TV show? For many young people of Europe, this is the first election they participate in. What would happen to their view on democratic elections if they could not trust the outcome of this very first one for them? Since I am working with securing general parliament elections, I thought I would give this some thought too. Here is what I found:
The rules
The rules for Eurovision Song Contest are posted here. However, the rules regarding the televoting are partly removed in this version. Hungary published the whole text here. Rules in summary:
- You can’t vote for your own country.
- Voting is via SMS text messages or telephone and shall be counted during a fixed time period.
- Scores of the songs in the Grand final shall be calculated on the basis of both the results of the televoting and the results of juries appointed.
- There is a backup routine where the Executive Supervisor of the European Broadcasting Union can decide during the final that no votes should be counted, and that only the jury’s votes will decide the winner.
- “Each Participating Broadcaster shall do its utmost to prevent fraudulent voting in the Shows. It shall give full access to any EBU international monitors who may be sent to oversee all aspects of the televoting procedure, on any territory, with no notice given. The EBU and the Reference Group shall rule on the sanctions to be imposed on a broadcaster found to have participated, either actively or complicity, in any voting fraud”.
What the rules do not say
The official rules posted do not say what constitutes fraudulent voting. Since everyone can vote several times, 10 votes would probably not be considered fraudulent. 100 votes from me for my sister, if she were participating, would probably not be considered fraudulent. But would 1.000 votes? 10.000? 100.000? 1.000.000? There is said to be a technical limit of 20 votes per “telephone number”. But today, having many phone numbers is not like it used to be. You can have thousands of numbers tied to one single subscription for a very low cost (in this example 100 Swedish numbers for 290 euros), or you can fake your CallerID using several different methods. You can come from anywhere on the Internet you choose, from whatever IP address. It is VERY difficult to create a secure voting system in this environment.
The artists are like athletes. They are there to win. They have record companies behind them, and a team that is working with their act, their marketing, and everything they possibly can do to win. Winning depends on the televoting. Given these circumstances, it is only natural if each team gives the voting system and the rules some thought. This is a game. The winner will of course know the rules inside out and play the game as well as possible within the rules. The problem is that “fraudulent voting” is not defined for the voters, and we decide the televoting!
Ways to manipulate the voting system
You can manipulate the voting system without breaking any of the officially posted rules. Morally, this would be wrong. But legally, it would be perfectly ok. Without going into any technical details, here’s how:
- Take an ordinary Laptop computer.
- Register for a telephone line from an Internet telephony (VOIP) provider with several phone numbers (low cost) for outgoing calls in the country where you want to vote (you need n = x/20 numbers, where n is the number of phone numbers and x is the number of votes you want to generate).
- Remember: smaller countries with less interest in the song contest and lower voting fees will be less costly to win.
- Download Trixbox or any other free telephone exchange and automation suite. Make sure trixbox registers as your SIP-client (as your telephone) with the Internet telephone provider (you have to get the password from the provider).
- Get the numbers for your artist from the web sites of the song contest (published the day before).
- Use the functionality in trixbox to dial 100 or 1000 parallel voting calls until you have reached the number of votes you need to win in that country (check the official results from last year to find out how many you might need).
- Make sure that calls are made from different numbers, maximum 20 votes per number.
- Do this for each of the countries you want to win in (No need to go to Ukraine to get a phone number there to call from – you can sign up in your own country for any country).
- For countries with SMS text voting: get many anonymous pre-paid mobile SIM cards from the different countries you want to win (often without any starting fee).
- Connect these to a computer (you will need multiple SIM card readers) and start to fire away SMSs using an SMS application where you can set the message, recipient, and the number of times it should be sent.
In short, as a voting system – there is very little security. Just get over it. Eurovision Song Contest can be won by the highest bidder this time. You can “buy” the country you want to win. And as far as I can see this is according to the rules. The broadcasters even tell you straight out to vote as much as you can for your artist. However, the technical limit of maximum 20 votes per voter can make it quite expensive.
As an example, the difference in votes separating the artists Caroline af Ugglas (second place, 318.952 votes) and Malena Ernman (winner, 322.657 votes) in the Swedish final for 2009 was 3.705 votes. Caroline could have won instead of Malena using just an ordinary laptop with trixbox for a total voting cost of roughly 1500 euros, a cost for phone numbers of 537 euros (3705/20 * 2,9 euros) and some preparation time.
Can fraudulent voting be detected?
Yes, it is possible through logs that exist in the pan-European Televoting Platform operated by Digame Mobile. However, since the voting is spread out in different countries and on different networks and then aggregated, the auditing becomes technically quite complex. For this year’s national competitions, both Spain and Portugal removed thousands of fraudulent votes afterwards. But where is the driving force to talk about voting problems in the Grand Final? None.
For a televoting fraud like this to succeed, the fraudsters would have to find a way around the 20 votes per number limit. This could be done through buying many numbers (as in the example above), getting temporary access to a (small) telephone operator’s unused number series, or by faking the voter identity in such a way that the pan-European Televoting Platform believes that it is indeed a different voter (fake IP addresses through proxies if needed and fake CallerID through a service or using the IAX protocol, or whatever else that works).
Another method to get less attention is to make the thousands of calls at irregular intervals (we are talking milliseconds here), so that an automatic detection system does not kick in, since the calls or messages do not arrive in a regular pattern.
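An audit of the vote log does not have to depend on call timing. The following is an added example, not part of the original post and not the Televoting Platform's own logic: it groups callers into number blocks and flags blocks where almost every number hits the 20-vote cap for the same song, which is the footprint of a bought or borrowed number series. The log record shape, the block size and all thresholds are assumptions.

```python
from collections import Counter, defaultdict

VOTE_CAP = 20           # per-number limit mentioned in the post
BLOCK_DIGITS = 2        # assumption: numbers sharing all but the last 2 digits form a block
MIN_NUMBERS = 10        # assumption: ignore blocks with fewer active numbers
MIN_CAPPED_SHARE = 0.8  # assumption: share of numbers at the cap that looks suspicious
MIN_SAME_SONG = 0.9     # assumption: share of the block's votes going to one song


def audit_blocks(votes):
    """votes: iterable of (caller_number, song_id). Returns the flagged number blocks."""
    per_number = defaultdict(Counter)  # caller -> song -> accepted votes
    for caller, song in votes:
        if sum(per_number[caller].values()) < VOTE_CAP:  # votes beyond the cap are dropped
            per_number[caller][song] += 1

    blocks = defaultdict(list)
    for caller in per_number:
        blocks[caller[:-BLOCK_DIGITS]].append(caller)

    flagged = []
    for prefix, callers in sorted(blocks.items()):
        if len(callers) < MIN_NUMBERS:
            continue
        capped = sum(1 for c in callers if sum(per_number[c].values()) >= VOTE_CAP)
        songs = Counter()
        for c in callers:
            songs.update(per_number[c])
        top_song, top_votes = songs.most_common(1)[0]
        total = sum(songs.values())
        if capped / len(callers) >= MIN_CAPPED_SHARE and top_votes / total >= MIN_SAME_SONG:
            flagged.append({"block": prefix, "numbers": len(callers),
                            "song": top_song, "votes": top_votes})
    return flagged


def sample_votes():
    """Constructed sample log: one dense number block plus scattered ordinary voters."""
    votes = []
    for i in range(40):   # 40 consecutive numbers, 25 attempts each, one song
        votes += [(f"+4610555{i:04d}", "song-07")] * 25
    for i in range(200):  # unrelated numbers, 1-3 votes each, mixed songs
        votes += [(f"+4670{i * 7919 % 10**7:07d}", f"song-{i % 10:02d}")] * (1 + i % 3)
    return votes


if __name__ == "__main__":
    for hit in audit_blocks(sample_votes()):
        print(hit)
```

A flagged block is a lead for manual review by the operator who owns the number range, not proof of fraud on its own.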
Televoting future
If a major televoting scam is seen, then this might be the end of televoting for the song contest. Maybe this is good.
So what shall I tell my daughters now? I will have to explain to them that this election might be rigged and bought, but the election to the parliament is secure. Yes, that is what I will say. Democracy works, but only when it really needs to.
