TSE finds 5 flaws in the electronic ballot box, but says that none alter elections – Legislation – Tecnoblog

The Superior Electoral Court (TSE) concluded the Public Security Test (TPS) and announced the results of the event at a press conference on Monday (29). The test, which usually takes place approximately a year before the presidential elections, brought together 26 researchers from all over Brazil who made “attacks” to explore technological flaws in the electronic voting machine. Experts found five flaws in the device, and experts from the Federal Police managed to enter the TSE network. But minister Luís Roberto Barroso, president of the organization, says that none of them is capable of changing the results of the elections.

Electronic voting machine (Image: Disclosure/TSE)
Electronic voting machine (Image: Disclosure/TSE)

No TPS attacks hit voting machine software

Every year, TPS brings together technology experts who put the voting machine and its systems to the test. This year, the 26 participants carried out a total of 29 plans to attack the device, 24 of which were unsuccessful, that is, they were unable to overcome any security barriers.

This was the biggest edition of TPS in the history of the event. Federal Police agents and university professors were among the experts who found the ballot box flawed.

Five plans succeeded in overcoming some security barrier. But Barroso says none of them is capable of threatening the election result:

Five plans found what we call a finding, which is some point that could be improved upon. None of them, I must say with relief, are truly serious. Serious is considered anything that has the potential to affect the outcome of the election. Therefore, no one was able to invade and pose a risk to the election result.

Barroso says that none of the attacks managed to affect the electronic voting machine’s software. There was also no successful attack by the hackers on the desktop program at the urn, responsible for releasing the names of candidates and voters.

Faults bring together a fake 3D panel and an electronic ballot box phone

The first finding came from an attack carried out by a group of students from the Faculdade Meridional (Imed) in Passo Fundo (RS), according to the Forget. Using a 3D printer, the participants produced a replica of the front panel of the electronic voting machine and attached it to the front of the device, as if it were a fake panel.

The replica then acts as a device capable of capturing each vote and, through the sequence of voters, it would be possible to break the confidentiality of the vote. “For this to be done, it would be necessary for someone to enter a panel the size of the ballot box in their robes, be able to put it in the ballot box without anyone seeing it, and for another voter to remove it,” Barroso said during the TSE press conference, citing the event as “quite improbable”.

The second plan managed to unscramble the ballot paper. The document contains the result of the total votes registered by the apparatus; at first, this information is sent in a scrambled way to the TSE, so that the agency can open the data and record them in the count.

However, the attack is not serious because the ballot box is printed and placed on the door of the polling station at 5 pm. “The shuffling of BU information is a historical reminiscence of a time when there was no digital signature”, commented the president of the TSE. “We are even considering the possibility of not having this shuffling anymore.”


TPS 2021 has had five successful attacks on the ballot box, but no failure compromises the elections, according to TSE president (Image: Press Release/TSE)

A third finding was from an attack in which hackers managed to bypass a transmission network security barrier and arrived at the TSE network port, but were stopped by a new barrier.

A fourth flaw is related to the electronic voting machine’s headset. The find affects the votes of the visually impaired and involves installing a Bluetooth device on the back of the device, so hackers can hear the vote being tallied in real time. Again, Barroso mentions that it would be necessary for someone to attach the equipment to the urn, something that would be noticeable to the board members.

PF experts invade TSE network but do not change data

The fifth and final failure of the TPS was considered the most alarming by the TSE. In the attack plan, experts from the PF Superintendence in Brasília managed to break into the court’s network.

However, according to the president of the court, the Federal Police technicians were not successful in tampering with existing votes or tampering with the TSE’s network system configurations.

Unlike the third finding, this attack bypassed the security barriers of both the transmission network and the TSE network. Although the electronic ballot box does not connect to the internet at any stage of the polling station, the TSE network is used to transmit votes to the Electoral Court.

Despite the TPS opening the source code – the language used in the programming of the ballot box software – to specialists for it to be put to the test, the TSE has been facing attacks against the electoral system in 2021.

President Jair Bolsonaro has already made statements in this regard, calling the Brazilian electoral system a “farce”, and claims that the source code for the ballot boxes could be changed. The representative disputes the results of the 2018 elections, in which the PT member Fernando Haddad won, but he has never presented concrete evidence of a change in the result.

Finally, Barroso stated that all participants who successfully attacked the electronic ballot box will have to return for the so-called TSE Confirmation Test:

“TPS exists to discover vulnerabilities and the TSE can fix them. The next step, in a few months’ time, is the Confirmation Test: those five people or entities that made some important security findings come back and do the same attack, to see if we can block them and prevent that from happening.”

The TSE Confirmation Test will be conducted in May 2022.

Leave a Comment