Public safety tests (PSTs)
A Public Safety Test, also known as PST, is a fixed event in the electoral calendar - provided for in Resolution No. 23,444, of the TSE - where any Brazilian can present a plan to attack the electoral systems involved in the generation of media, voting, counting, transmission, and receiving files.
The PST involves several steps: presenting the attack plans, presenting the system to investigators, opening the code, and the attack period itself. It ends months later, when the TSE invites those involved to retest the system and check whether the flaws have been fixed.
The TSE introduced the PST with the objective of strengthening the reliability, transparency, and security of the capture, counting, transmission and receipt of votes, in addition to providing improvements in the electoral process.
When an investigator and his/her team succeed in their plan of attack, everyone wins, as the flaw will be fixed, and the system will become increasingly secure.
The first edition of the Public Safety Test took place in 2009 and four other editions have been held since then: 2012, 2016, 2017, and 2019.
In 2016, it became mandatory and regulated by Resolution No. 23,444, of the TSE. The rule provides that the tests are carried out, preferably, in the year before the election, so that any flaws can be corrected in the ballot boxes that will be used in the election.
So far, 109 investigators have participated in public safety tests. Of these, some contributed individually and others as part of one of the 28 teams in the five editions of the PST.
Any Brazilian, age 18 or over, who meets the requirements of the PST call for proposals can participate in the public test.
The technical reports presented by the researchers document the test plans executed and their results. Whenever flaws are pointed out, opportunities for improvement are indicated, or the success of a plan of attack is proven, the TSE will carry out corrections and improvements, as well as promote a new test, called the Confirmation Test, in which investigators will be able to apply a new attack along the same line and under the same conditions as the initial test, thereby confirming the improvement.
In short, investigators are called upon to verify the improvements implemented and rerun their test plans to prove that the flaws have been addressed.
We have information that Switzerland carried out a Public Intrusion Test (PIT) for the first time in 2019.
In 2013, the California Association of Voting Authorities in the United States was formed to continue efforts toward publicly owned General Public License open-source voting systems.
We also verified the implementation of "hacker challenges" to invade commercial electronic voting machines (openly sold in the market and without restrictions and customizations for a particular electoral system and its security elements), such as the one held at Def Con 2017 - one of the largest information security events around the world, in which technicians from the TSE team were present.
Preparation: pre-registrations, registrations, test plans, presentation of systems, source codes and other activities prior to carrying out the PST.
Implementation: technicians come to the test site to put their previously defined plans into practice.
Evaluation: period in which the Evaluation Committee analyzes the test reports of each investigator or team, producing a final report with all the results.
So that the PST can be put into practice, four commissions are set up at each edition:
- Organizing: plans and prepares the overall project, organizing activities. It is formed by professionals from different areas of the TSE.
- Regulatory: defines the procedures and methodology, in addition to overseeing all stages of the process. It is also formed by professionals from the TSE.
- Evaluation: validates the methodology and judgment criteria, as well as evaluating and approving the results. It has representatives from the academic/scientific community, the Federal Public Prosecutor’s Office, the Brazilian Bar Association, the National Congress, the Federal Police, and the Brazilian Computer Society, in addition to an electrical/electronic or computer engineer duly registered with the Regional Council of Engineering and Agronomy (Crea), appointed by the Federal Council of Engineering and Agronomy (Confea) and a representative appointed by the president of the TSE.
- Institutional Communication: responsible for publicizing the PST, as well as responding to inquiries from the public and the press, formed by members of the TSE.
The details of the attributions and composition of each one of the commissions can be found in Resolution no. 23,444, of the TSE.
Based on institutional transparency – one of the pillars of the Brazilian Electoral Justice’s work –, the test brings together specialists in Information Technology and Information Security from the most diverse organizations, academic institutions, and public bodies to carry out plans to attack the software and hardware of the electronic ballot box and related systems.
With the test, the TSE mainly seeks to:
- Identify possible vulnerabilities in electoral procedures and software.
- Enable corrections and improvements to be made based on the results presented.
- Test the reliability of the capture and counting of votes.
- Verify the robustness and maturity of the Brazilian Electronic Voting and Vote Counting System, with the main purpose of making continuous improvements in the electoral process, following the advances in world technology, especially in the areas of Technology and Information Security.
Timeline
- General information
The first edition of the Public Safety Test took place on November 10 and 13, 2009, with the aim of seeking society's collaboration to improve the electronic ballot box used in Brazilian elections.
The 37 computer and electronics specialists who participated in the initiative tried to attack the electronic voting system and find some kind of vulnerability.
- Documents (in Portuguese)
Final report of the evaluating committee
- Results
The first edition of the public safety test took place on November 10th and 13th, 2009. The 37 computer and electronics specialists who participated in the initiative carried out their activities with the objective of attacking the system and trying to find some type of vulnerability. None of the tests were successful in altering vote allocation or violating voting secrecy.
At the time, one of the investigators sought to break the confidentiality of the vote by capturing the electromagnetic radiation emitted by the ballot box keyboard while the voter types the candidate's number, and thereby identifying the keys pressed by the voter. The attempt did not succeed in violating the confidentiality of the vote. The radio equipment used by the specialist was only able to capture this radiation at a distance of five centimeters from the electronic ballot box, which in practice would make the attack unfeasible because the ballot box installed in the polling station is necessarily isolated and under surveillance. Also, only one of the keys was correctly identified. In response, ballot boxes manufactured after the PST began to encrypt the voter terminal's key presses, which produces a different electrical signal whenever a key is pressed, thus preventing any attempt to identify a pattern that characterizes a specific key.
Brazilian Navy investigators were able to introduce a file in the voting media used in polling stations, but the procedure was rejected by the ballot box system. Two changes attempted by investigators to system files were immediately detected by the installed security modules. First investigators tried to alter a file. Then they tried to generate the media without using the media generator, and finally they tried to start the system through another program. But all attempts were frustrated by the system's security barriers, mainly by digital signatures and the use of encryption mechanisms.
- General information
The second edition of the Public Safety Test took place from March 20 to 22, 2012, at the TSE headquarters, in Brasília. Twenty-four researchers participated in the event. They were divided into nine groups and carried out over 20 plans of attack.
- Documents (in Portuguese)
Final report of the evaluating committee
- Results
Of the improvements brought to the electronic process, the most significant was the one implemented by the Court in the Digital Vote Registry (DVR), a file that stores voters' votes exactly as they were typed in the ballot box, but shuffled between positions. It is from the DVR that the zerésima (zero report) and the ballot box bulletin are created. The file also allows for the recount of votes by political parties and other interested parties.
At the time, the group formed by a professor and students from the University of Brasília had managed to redo the sequencing of the votes contained in the DVR. However, in order to carry out the violation of vote secrecy, it would be necessary to obtain the voter turnout sequence, which was not done by the team using the ballot box records.
- General information
The third edition of the Public Safety Test took place on March 8, 9 and 10, 2016, at the TSE headquarters, in Brasília. Thirteen investigators participated in the event and had access to the internal and external components of the electronic voting system to create their attack plans.
- Documents (in Portuguese)
- Results
In one of the plans, the investigator was able to alter the results of a Ballot Box Bulletin (BB) and use it as input to the ballot box's Score System (SS), producing a new valid BB, but with corrupted results. SS is a system used in situations where the result of an electronically recorded ballot box was lost or when it was necessary to vote by paper ballots.
To fix the vulnerability, the TSE modified the BB's verifier code algorithm, which now has authenticator strength. In addition, a digitally signed QR code was included in the Ballot Box Bulletin, allowing interested parties to check the authenticity and integrity of the BB.
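Why a verifier code with authenticator strength matters for a bulletin that is re-entered into another system, shown as an added example that is not TSE code. The page does not name the algorithms involved: CRC32 and HMAC-SHA256 are stand-ins chosen for illustration, and the bulletin layout and key are constructed.

```python
import hashlib
import hmac
import zlib

# Constructed sample bulletin: not a real Ballot Box Bulletin layout.
BULLETIN = "section=0001;candidate_13=120;candidate_45=98;blank=4;null=3"

# Hypothetical secret held by the ballot box; placeholder value for the demo.
BOX_KEY = b"constructed-demo-key-not-a-real-one"


def checksum_code(bulletin: str) -> str:
    """Unkeyed verifier code: anyone who can read the bulletin can recompute it."""
    return f"{zlib.crc32(bulletin.encode()):08x}"


def authenticator_code(bulletin: str, key: bytes) -> str:
    """Keyed verifier code (HMAC-SHA256): producing it requires the secret."""
    return hmac.new(key, bulletin.encode(), hashlib.sha256).hexdigest()


def accept_with_checksum(bulletin: str, code: str) -> bool:
    return hmac.compare_digest(checksum_code(bulletin), code)


def accept_with_authenticator(bulletin: str, code: str, key: bytes) -> bool:
    return hmac.compare_digest(authenticator_code(bulletin, key), code)


def tamper_and_resubmit() -> dict:
    """Model the finding: the totals change, whatever code can be refreshed
    without the box key is refreshed, and each receiver decides."""
    altered = BULLETIN.replace("candidate_13=120", "candidate_13=20")
    return {
        # A checksum is a public function of the text, so it is recomputed.
        "checksum_accepts_altered": accept_with_checksum(altered, checksum_code(altered)),
        # Without BOX_KEY the only code available is the original bulletin's.
        "authenticator_accepts_altered": accept_with_authenticator(
            altered, authenticator_code(BULLETIN, BOX_KEY), BOX_KEY),
        "authenticator_accepts_original": accept_with_authenticator(
            BULLETIN, authenticator_code(BULLETIN, BOX_KEY), BOX_KEY),
    }


if __name__ == "__main__":
    for name, result in tamper_and_resubmit().items():
        print(f"{name}: {result}")
```

A shared-key authenticator can only be checked by a party holding the key, which is why the digitally signed QR code is what lets outside parties verify a bulletin.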
In another plan, the group of researchers recorded the audio instructions used by the visually impaired for voting. These instructions include keystrokes and voter confirmation. Audio was turned on specifically for each previously registered voter or for all voters in a previously configured section, even if a registered voter did not need audio.
The TSE's response was to restrict the use of audio only to previously registered voters or when authorized by a polling station supervisor. In addition, whenever the audio is activated, a message is displayed on the voter's terminal alerting about the activation of the feature. If the audio is improperly activated, voters can ask the polling station to suspend their voting and verify the absence of extraneous equipment in the polling booth.
General information
The public safety test was carried out from the 27th to the 30th of November 2017, with 14 effective participants, 3 groups and 4 individual participants. Of the 13 test plans presented, 10 were executed, of which 4 contributed to the improvement of the electoral process and 6 did not.
Documents (in Portuguese)
Results
Three issues were found in the 2017 edition: encryption key leakage from the ballot box media in the source code inspection environment (the key included in the code was not removed from the inspection environment); a bug in the library digital signature verification mechanism (digital signature embedded in executable binary code); and absence of complementary digital signature in two libraries.
These three problems allowed investigators to modify the behavior of the ballot box's software during execution, with different results.
The bug in the signature engine has been fixed by TSE; the number of libraries has been reduced; software testing processes have been improved to ensure that all executables are signed and that signatures are properly validated; and all keys were removed from the ballot box's software source code (for 2018 a key derivation mechanism was used and from 2020 onwards, secure hardware will be used).
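A release gate of the kind the improved testing process implies, as an added example that is not TSE code: every binary must have a complementary signature and that signature must verify, or the release is blocked. HMAC-SHA256 stands in for the real signature scheme (an assumption, since the page does not name one), and the file names, contents and key are constructed.

```python
import hashlib
import hmac

# Hypothetical signing key; HMAC-SHA256 stands in for the real signature scheme.
SIGNING_KEY = b"constructed-release-key"


def sign(blob: bytes) -> str:
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).hexdigest()


def audit(binaries: dict, signatures: dict) -> dict:
    """Classify every binary as 'ok', 'unsigned' or 'invalid'."""
    # Walk the binaries, not the signature list, so a library that was never
    # signed is reported instead of being silently skipped.
    report = {}
    for name, blob in binaries.items():
        sig = signatures.get(name)
        if not sig:
            report[name] = "unsigned"
        elif hmac.compare_digest(sign(blob), sig):
            report[name] = "ok"
        else:
            report[name] = "invalid"
    return report


def release_allowed(report: dict) -> bool:
    """Fail closed: a single unsigned or invalid binary blocks the release."""
    return bool(report) and all(status == "ok" for status in report.values())


# Constructed build output: names and contents are placeholders.
BINARIES = {
    "app.bin": b"main executable",
    "libcore.so": b"core library",
    "libextra.so": b"library added late in the cycle",
    "libpatched.so": b"library modified after signing",
}
SIGNATURES = {
    "app.bin": sign(b"main executable"),
    "libcore.so": sign(b"core library"),
    "libpatched.so": sign(b"library before modification"),
    # libextra.so has no entry at all
}

if __name__ == "__main__":
    result = audit(BINARIES, SIGNATURES)
    print(result, "release allowed:", release_allowed(result))
```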
Another point observed during the PST was the ability to boot the ballot box's operating system in a virtual machine in order to reverse engineer it and thus reveal cryptographic keys. In response, operating system encryption has been strengthened so that only the ballot box can decrypt and boot the operating system.
1. General information
The fifth edition of the Public Safety Test took place from November 25 to 29, 2019. Once again, the test aimed to seek the collaboration of Brazilian society to improve the electronic voting system used in the country's elections.
The PST is an action arising from the TSE's strategic mission of "guaranteeing the legitimacy of the electoral process and the effective provision of jurisdiction, in order to strengthen democracy", and it brings together independent investigators to, individually or organized in teams, carry out plans to attack the internal and external components of the voting machine.
2. Documents (in Portuguese)
3. Results
Investigators who participated in the 2019 PST revealed two problems: access to the encryption key of the protected unit of the Installation and Security Subsystem - ISS, in which electoral systems are installed on the desktop platform; and control of the Gedai-UE application, due to the suppression of ISS access controls, allowing the application to generate a manipulated configuration file for the ballot box.
These problems did not allow investigators to alter the voter or candidate data fed into the ballot box. Nor were they able to change the software of the electronic ballot box.
The main improvements made after the 2019 PST were the strengthening of the ISS key protection and the use of the TPM security processor, present in the Electoral Justice workstations, to protect Gedai-UE and the keys it uses. These improvements prevent any attempt to take undue control of Gedai-UE and generate manipulated settings for the ballot box.
General information
In 2021, the Electoral Court will again promote the Public Safety Test of the electronic voting system, the PST.
The tests will take place from the 22nd to the 26th of November 2021 with the objective of seeking the collaboration of the Brazilian society for the improvement of the electronic voting system used in the country's elections. Any Brazilian citizen over 18 years old can participate in the event, held at the headquarters of the Superior Electoral Court (TSE), in Brasília/DF.
Timeline
Milestone 1 | Submission of the completed Pre-Registration form and supporting documents required | 8/26 to 9/29/2021 |
Milestone 2 | Publication of the pre-registrations approved | 9/30/2021 |
Milestone 3 | Presentation of appeals regarding the pre-registration phase | 9/30 to 10/04/2021 |
Milestone 4 | Publication of the result of the appeal referring to the pre-registration phase | 10/5/2021 |
Milestone 5 | Provision of explanatory videos on the electoral process | 10/11/2021 |
Milestone 6 | Signing and inspection of source codes | 10/11 to 22/2021 |
Milestone 7 | Submission of the completed Test Plan form and complementary documents, if any | 10/11 to 25/2021 |
Milestone 8 | Publication of submissions approved | 10/26/2021 |
Milestone 9 | Presentation of appeals regarding the phase of submission approvals | 10/26 to 29/2021 |
Milestone 10 | Publication of the result of the appeals referring to the phase of submission approvals | 11/3/2021 |
Milestone 11 | Public drawing for selection of entries | 11/5/2021 |
Milestone 12 | Publication of the results of selected entries | 11/5/2021 |
Milestone 13 | Presentation of appeals referring to the selected entries phase | 11/5 to 8/2021 |
Milestone 14 | Publication of the result of the appeals for the selected entries phase | 11/9/2021 |
Milestone 15 | Request for tickets and per diems | 11/10 to 16/2021 |
Milestone 16 | Opening of public safety tests and accreditation of investigators | 11/22/2021 |
Milestone 17 | Implementation of public safety tests | 11/22 to 26/2021 |
Milestone 18 | Preliminary announcement of the results of the Public Safety Test and distribution of participation certificates. | 11/26/2021 |
Milestone 19 | Announcement of the final result of the Public Safety Test | 12/15/2021 |
Milestone 20 | Implementation of the Confirmation Test | 5/11 to 13/2022 |
Milestone 21 | Announcement of the final result of the confirmation of the Public Security Test | 5/30/2022 |
Documents (in Portuguese)