How to Hack Indian EVMs?

TL;DR Yes. It is actually possible (technically speaking) to hack or tamper with Indian EVMs, but you need to have a lot of things going your way to pull off something like this. The Election Commission of India has done its part to make it as difficult as possible.

Disclaimer: The following article has been written only for educational and research purposes to show the vulnerabilities in the current system. The author holds no responsibility if someone decides to use this hack in real life using the content of the article below.

Background

Well, this was not my primary choice for my second tech post. I was working on a bigger problem but I am still stuck on finding a proper implementable solution. This problem came about when I was browsing the web and found this news article which states that the Election Commission will hold an open hackathon for anyone who wants to try to tamper with it. I thought it was an exciting challenge because, if not for the hacking stuff, you would get to learn quite a lot. I posted about it on FB and a few friends were commenting on how someone might be able to hack an EVM.

Problem Statement

It was a fun discussion which really got me thinking. “Assume you were given the task of hacking the Indian EVMs. How would you do it?” The following article is how I attempted to take on the challenge.

First, understand the “user” requirements. Suppose somebody wants to find an exploit in the EVM (Electronic Voting Machine) and utilize it, then what would be their needs per se? Here are a few which I could think of,

  • Use it to manipulate the votes actually polled (Duh? Most basic requirement, I suppose)
  • Use the exploit in such a way that he/she won’t get caught doing it. (As discreet as possible)
  • Desirable to have it to be a plug and play solution (Leave no evidence behind for it to be found out later)
  • Should ideally circumvent all the security checks currently enforced in the system.

Now before we jump into finding an exploit, we should first understand the EVM hardware and the entire ecosystem which comes with it. Since I don’t have access to an EVM to hack in real life (it’s always locked and stored away under security), I must make do with whatever information is out there in the public domain. I should study and analyze anything and everything about it which is freely available.

Current System

The EVM

From the wiki, an EVM (as shown in the picture below) consists of 3 parts

  • Control Unit
  • Balloting Unit (which contains the candidate names)
  • 5m long interconnecting DB9 Serial cable with one end connected permanently inside the Balloting unit.

I think the entire hardware design of the system was handled by Bharat Electronics Limited (BEL), Bangalore and Electronics Corporation of India Limited (ECIL), Hyderabad, and the industrial design portion was done by professors at the Industrial Design Centre (IDC) at IIT Bombay.

Let’s go through the process of voting with an EVM.

When a voter wants to register a vote, the officer handling the control unit, after verifying the credentials of the voter, presses the large blue Ballot button, which enables the Balloting unit to accept the input from the voter. When the voter presses one of the many blue buttons to register a vote for a candidate, a loud beep is sounded and the vote gets stored in the Control unit. Even if one presses that button again or any other button, no further vote will be recorded, as the machine stays locked till the control unit activates it again.

Once the whole voting process is done, the polling officer presses the black button on the Control unit and closes the poll. Now the device is powered off and the interconnecting cable disconnected. Control unit is now stored under security protection till the vote counting day. On the vote counting day, control unit is used to display the results of the poll and the winner is announced.

EVMs are powered by a 6V alkaline battery pack so that they can be used in areas where there is no or intermittent electricity.

Election Ecosystem

Since you now know about the device and the poll day, let’s focus on everything before it, like the pre-poll preparation, device checking, security measures etc. After all, for you to pull off a hack you would need to know the entire ecosystem to find a vulnerability.

I suggest going through the link here. There are around 10-12 videos (1-5 min each) which explain the entire process. I watched the entire thing a couple of times. I don’t want to go through the entire details of the process, but here is the gist of it.

  • The entire system is pretty foolproof and secure.
  • Each EVM undergoes a thorough testing procedure before being used in a poll and all the testing is done by engineers in presence of the representatives of the parties and video recorded.
  • Proper working EVMs are put through mock polls of 1000 votes and results are signed off and verified by all party representatives.
  • Working EVMs are sealed and numbered with a pink paper seal going around the device. These are the kind of paper seals used in currency notes. The ID of the seal is paired with the EVM’s device ID and stored. This makes it impossible to open the device and reach its electronics to have any chance of tampering with it (no luck there 🙁).

  • EVMs are randomized so that we really can’t say beforehand which EVM goes to which constituency during election time.
  • The day before polling, each EVM is tested at the polling booth with a mock poll conducted in front of the party representatives, to ensure the votes are registered properly and the mock poll results are correct. A mock poll certificate is generated and signed off on by all party representatives.

So, all in all, it’s a pretty tight ship to break into.
Let’s see now what might be the obvious loopholes which we can consider to hack the hardware.

  • Re-flashing the code written in the embedded main controller
    Since it can’t be done at the polling station end because of the physical seals, it would need to be done at the manufacturer’s place. Again it’s not possible, because people have already plugged this loophole by using single flashable ICs (meaning code can be flashed only once - Source Page 3) and they would most likely be doing a checksum verification. Anyway, even if we were able to reflash the device, what good would it do, since you can’t be sure of the candidates’ positions in the Balloting unit so far ahead? So, this is also ruled out completely.

  • Physical hardware hack of the device/changing the circuitry inside
    This is pretty much ruled out because of all the seals on the device. We really can’t access the electronics inside without breaking the seal.

So, what now then? Do we give up and go home? Nope. We dig deeper till we can find a suitable hack.

The Hack

Since all the above techniques were debunked, let’s examine the weak link of the entire chain to get an entry point.

  • Time of attack
    As explained above, there are tests, checks and rechecks at each point till the poll day. So, our hack can only materialize on the polling day (maybe in the morning) or once the EVM has reached the destination polling booth and the candidates’ names and order have been set (maybe just before or after the final mock poll).

After thinking about it for quite some time, the weakest link for me is the third part of the EVM, which is the Serial Cable. The good old Serial cable. The vital part of the system which carries ALL the important data between the Balloting unit and the Control Unit like the votes being cast.

Now we go back to our “user” requirements and see how to formulate a hack on this weak link. The data after being stored in the control unit can’t be messed around with since we can’t access it (The bloody paper seals…) We need to modify the incoming data to the Control Unit. Now again, we can’t access the internals of the Balloting unit so how do we modify the data then?

It needs to be modified on the Serial cable. In computer security terminology, doing something like this is called a Man-in-the-Middle Attack (Wiki). A basic example: A and B are communicating with each other, and an attacker C comes in between A and B, listening to the communication and possibly altering it, while the two parties believe they are directly communicating with each other.
For a web based system it looks like the following. Image Courtesy: Incapsula

Now our job is to design a Man-in-the-Middle Attack as discreetly as possible. We really don’t need much to pull off such an attack. A Serial Sniffer (a device in series after the cable and before it goes to the Control unit) in the serial cable would solve the problem. But our challenge is to design one so small that it goes practically unnoticed in the whole system.

If we observe the serial cable carefully, you will notice that it consists of a DB9 connector, one end of which is permanently connected to the Balloting unit and the other end goes to the back of the Control unit.

Serial Cable connects to the Ballot Unit Connector on the left side.
Now here we must make some real-life assumptions. Since I don’t have access to an EVM to test or verify let’s take some educated guesses.

  • Since they are using DB9 connectors, I am assuming they are using the UART protocol, which I believe is a safe assumption to make because engineers designing the system adhere to proper standards (at least most of the time).
  • Voltage levels on the serial line are hard to figure out, but they can be either RS232/RS485 levels (-15V to +15V levels) or TTL levels (0-5V or 0-3.3V). Based on the few pictures of EVM-lookalike PCBs which I have seen online, I haven’t seen an RS232 converter, so I believe it’s safe to assume the signaling is 0-5V. This assumption actually doesn’t matter much because we can modify the Sniffer circuitry to handle the signal voltages, if needed.
  • Encryption of data being transmitted over the cable.
    This for me is one of the guesses we must make which is slightly in the unclear area. I am inclined to think that earlier versions of the EVM might not have contained any encryption but the newer 2009 model might have some sort of simple encryption/coding done at the software level. Again, based on the pics I am seeing online, I am not seeing dedicated encryption circuitry.

So here I go with the assumption that they are either totally unencrypted or that some may contain some sort of simple encryption or coding which can be cracked with, let’s say, a couple of days of debugging the serial data of an EVM with a logic analyzer. If that’s the case, the decryption algorithm can be built into the Sniffer’s logic.

Let’s be honest here, I am sure I am not the first person to think of a Man-in-the-Middle attack on the serial cable. I am sure the team designing the system from ECIL and BEL might have thought about it. I am assuming that they might have thought the Sniffer device would be noticeable, and would probably be seen by someone handling the system, since the serial cable is actually exposed to general view and to anyone walking into the polling booth. If that’s the case, I am sure we can design something so small that it’s actually not noticeable unless you are looking for it. That’s just a design problem.

Electrical Design

So, what do we want our device to do? It should be able to read the incoming UART signals from the balloting unit, do some processing on it (modifying it) and send the modified signal to the Control unit.
Obviously, we need a small microcontroller to handle and modify the data stream. Since we can’t have a battery, a power supply regulator is needed to take in whatever the input voltage from the DTR line of the UART is and convert it to the voltage the microcontroller requires. The emphasis now is on making the circuitry and device extremely small.

On searching around for the smallest controller, I came across a 6-pin controller from Atmel (now Microchip), the ATtiny10, which has the 4 I/O ports we need (2 for data in and 2 for data out) and fits in 2 x 2 x 0.5mm (l x b x h), which is perfect for our needs. The only problem with that one is that it has only 1KB of program memory, so if we need to do a good amount of processing (i.e. if the line is encrypted) we might not be able to do it in 1KB of program space.
So, I am thinking of going ahead with something a bit more powerful and something which has Bluetooth capabilities. The CSR8510 IC would fit the bill with a package size of 2.57 x 3.21 x 0.6mm. We might need Bluetooth capabilities if, let’s say, we want to modify the data on the fly (but it also increases the risk of getting caught, as it can broadcast the Bluetooth device name in public).

As I mentioned earlier if the protocol used is RS232 then we would have to have a driver IC for voltage translation. MAX232 would fit the bill with two input and two output drivers. Size: 5 x 4 x 1mm (Again not so large).

We can go ahead with picking a low dropout voltage regulator which is small, from the LM1117 series, depending on the voltage requirements of the controller we use. Apart from these, there isn’t much in the circuit except for the passive capacitors/resistors. So, real estate needed for the circuitry isn’t that much.

I am not providing a schematic here for the simple reason that circuitry is simple enough to be built by anyone with decent knowledge in electronics with the components mentioned above. (Also, I didn’t have the time to draw one.)

Mechanical Design

Here the constraint now is to design something that is as unnoticeable as possible. One end of our serial cable is open and it connects to the back of the Control unit by opening a flap on the back of the control unit. This section is not usually seen from outside as it resides inside the flap (Check this video). So that’s where we want our sniffer to be.
The sniffer attaches itself to the cable and the modified cable is plugged in to the Control unit. The dimensions of a DB9 connector which connects to PCB with a 90° bend is as follows

As you can see, the horizontal width of the cable head is 30.8mm and the connector takes up 16.33mm in space already. The Serial connector is terminated with a male header and Control Unit with a female header, hence our sniffer should have a female header and a male header on both its ends. Now a question arises as to where do we fit all the electronic components? Remember in the earlier section, we were noting down the dimensions of the ICs? That was exactly to fit it all in a small space.

A Normal Serial cable with Male DB9 Connector

After a few trials, I decided to go with a 2-PCB arrangement (each PCB being 1mm thick), attached back to back and interconnected with each other with exposed pads. The rear ends of the male and female DB9 connectors get soldered on to separate PCBs. Since we can’t put any components below those pads, we have to fit our microcontroller, regulators and passives on both sides of the connector, i.e. in a space of (30.88mm-16.33mm)/2 = 7.3mm. We will fit the ICs in this rectangular section of 7.3mm x 12.55mm. When we did a rough mock-up, the ICs fit snugly.

Now we need a casing to encase the entire thing. If you check out the Election commission videos, you will notice that the end of the Serial cable is black rectangular block which houses the male DB9 connector. For our hack to be foolproof, we need our casing to match the dimensions and color, which is relatively an easy task to do in the plastic manufacturing industry.
Here is what our Serial sniffer will finally look like.
Thanks to my buddy Avinash Iyer for 3D modeling this mockup in under an hour. Kudos to him.

Serial Cable with the 12mm long Serial Sniffer

The Sniffer section is colored differently in the rendering to make it look distinct. Ideally it will follow the same design as the existing cable to make it appear absolutely seamless. (Apologies for not making the cable look exactly like in the video, we were a bit short on time.) The two green PCBs house the electronic parts and connect the 2 ends of the male and female headers.

The entire Sniffer device would be around 12mm long (same as the metal connector head of a normal USB pendrive) and with some optimization in mechanical design I am sure we can bring it under 10mm, which for me would really make it fall in the unnoticeable category. (Yes, I do agree you will be able to notice it if you are looking for it)

Execution

Now that we have got the device, how do we execute the hack? As I mentioned before, the best time for this would be sometime after the mock polls are conducted. For this hack, you would definitely need to have a poll officer under your influence, as he/she will be in charge of setting up the final device. A 12mm long device will fit in any pocket/purse so that you can sneak it in without raising any alarms.

On the day of the polls, while the instrument is being set up, one can easily slide this sniffer on the end of the Serial cable in a couple of seconds before plugging it into the back of the control unit. Since there is a flap hiding it from normal view, it’s very hard to notice it’s even there.

Once it’s installed there, let’s assume we went ahead with the Bluetooth version, we can easily do a device firmware update via an Android app to select which candidate number to prefer in that polling booth. If we go for the non-Bluetooth version of the controller then we need the sniffer to be reprogrammed with a candidate number based on who should be favored. This is fairly simple as the list and order of the candidates on the ballot unit are usually known at least a week in advance.

The program in the controller can be configured to be activated only after, let’s say, 150 votes (so that it might pass a random mock test) or it can be triggered to activate when a particular sequence of votes is cast (a bunch of friends standing together in the voting line and voting in a particular sequence like ABBAC). To avoid suspicion about the votes being cast, we can actually formulate an algorithm which steals votes from the other candidates for every 3 votes cast and changes them to the candidate of the user’s choice.

Once the polls are done for the day, while disassembling the cable, the poll officer can easily unplug the sniffer without anyone noticing. Thus, you have hacked a polling booth to your advantage.

Yes. I know scalability is an issue here, meaning you would need to have one person under your control in every polling booth. But, in reality, it would not be much of an issue as you are not looking to hack every poll booth out there; you are only trying to sway the votes in critical poll stations so as to not arouse much suspicion.

How can Election Commission prevent this?

Now that we have wrapped up the hack, and we know for a fact that such a vulnerability exists, how can we work to prevent such an act? Let’s think about this from the other side.

  • If the vulnerability is in the open communication line, that’s what we need to fix upfront. We can use an extremely secure 128-bit AES encryption with the help of additional hardware encryption ICs. This might be overkill for our needs, but hey. It would take even the fastest supercomputer 1 billion billion (10^18) years to brute-force a 128-bit AES key.
  • What makes our hack work is that the back panel is not sealed off from access and there currently isn’t any protocol for checking it. If we make a check of the cables and connector mandatory, done in front of the party representatives before the poll begins and signed off on by all of them, it will render the above hack obsolete.

Conclusion

    We can safely say with a fair amount of certainty that the above hack is a possible scenario and we need to plug it in some fashion. But you need to hand it to the Election Commission of India, ECIL and BEL for making it extremely difficult to find an exploit in the system and to have rectified the potential problems with stricter security protocols in the conduct of the election based on feedback.

    One good thing about the current system is that they have made it un-connectable to the internet which would have made life easier during poll counting but would have opened a new can of worms for hacking scenarios.

    There was a detailed paper written about hacking of the EVMs by Alex Halderman and Hari K Prasad back in 2010. You can read about it here. Here they replace the display on the Control unit and then do a manipulation on the device. This is the paper which everyone refers to while criticizing the EVMs. Although I do think the paper does a thorough analysis of the topic, manipulating the hardware by opening it up is a security flaw which the Election Commission has fixed with tamper-proof paper seals.

    To conclude, although the above hack is technically feasible, to implement it in real life you really need to have a lot of things (like money, influence etc.) going your way.
    I am currently going through a few long official documents from the Election Commission regarding EVMs so I might update this article in some time if I find any new information worth sharing.

    This was a fun exercise for me. Really enjoyed the challenge of finding a loophole in the system. Hope it was worth your time.
    Do let me know in comments or via email at amaldev.000@gmail.com if there are any issues with the proposed hack or if there are any other ways which I didn’t think of.


    Happy Hacking…

    Post Script

    Update: May 2nd 2017
    It’s been two weeks since I published this post and I have been getting some feedback/connect requests/phone calls just on this blog post. I have also been talking with a couple of experts on this topic and reading up on a few more documents from the Election Commission. I thought I should update this post with some new info below.

    There was an Election Commission Expert Committee report on the technical evaluation of upgraded EVMs (Download Here, Source). This report mentions the remote possibility of such a Man-in-the-Middle attack on the serial cable and has recommended introducing dynamic coding of key numbers to enhance the security of the data transmitted between the ballot unit and the control unit. What this means is, each of the key strokes while voting would be encoded with probably a session key which changes at every vote count in the newer models of EVMs (older units prior to 2009 would still be un-encoded). I am not sure what sort of encoding they use, but unless it’s a strong encryption (which I doubt looking at the ICs on the device, based on pics online), a potential hacker would be able to sniff the line enough times beforehand and decode the signals (and the key) with enough recorded encoded signals. Hence my recommendation of 128-bit AES encryption for future models is still valid.
    I have talked with an expert on the EVMs and he (or she) has mentioned that the newer model of EVMs (I think it’s model 3 or model 4) which are being designed right now (potentially for the 2019 elections, but I don’t know how many can be made and deployed by then) have an even greater level of encryption on the communication line, which would eventually disable this hack. Good to know 😀
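The encryption recommended above and the committee's dynamic coding with a per-vote session key both aim to make a keypress that was altered on the cable detectable at the control unit. The following is an added sketch, not the EVM's actual protocol or any ECI/BEL/ECIL code: each keypress frame carries a vote counter and a tag computed under a key that changes with every vote, and the control unit locks on any mismatch. The frame layout, the class names and the pre-shared `link_key` (assumed to be loaded into both units before sealing) are hypothetical, and HMAC-SHA256 from the Python standard library stands in for the AES hardware the post suggests.

```python
import hashlib
import hmac
import struct

# Hypothetical frame: 4-byte vote counter | 1-byte candidate number | 16-byte tag.
HEADER = ">IB"
HEADER_LEN = struct.calcsize(HEADER)
TAG_LEN = 16


def vote_key(link_key: bytes, counter: int) -> bytes:
    """Derive a key that differs for every vote count (the 'dynamic' part)."""
    return hmac.new(link_key, b"vote" + struct.pack(">I", counter), hashlib.sha256).digest()


def make_tag(link_key: bytes, counter: int, candidate: int) -> bytes:
    """Authenticate counter and candidate together under the per-vote key."""
    body = struct.pack(HEADER, counter, candidate)
    return hmac.new(vote_key(link_key, counter), body, hashlib.sha256).digest()[:TAG_LEN]


class BallotUnit:
    """Sender side: tags each keypress with the next counter value."""

    def __init__(self, link_key: bytes):
        self._key = link_key
        self._counter = 0

    def press(self, candidate: int) -> bytes:
        self._counter += 1
        header = struct.pack(HEADER, self._counter, candidate)
        return header + make_tag(self._key, self._counter, candidate)


class ControlUnit:
    """Receiver side: counts a vote only if the frame verifies, else locks."""

    def __init__(self, link_key: bytes, n_candidates: int):
        self._key = link_key
        self._expected = 1
        self.tally = {c: 0 for c in range(1, n_candidates + 1)}
        self.locked = False
        self.events = []  # reasons recorded for polling staff / audit

    def _reject(self, reason: str) -> bool:
        self.locked = True  # fail closed: no further votes until inspected
        self.events.append(reason)
        return False

    def receive(self, frame: bytes) -> bool:
        if self.locked:
            return False
        if len(frame) != HEADER_LEN + TAG_LEN:
            return self._reject("bad length")
        counter, candidate = struct.unpack(HEADER, frame[:HEADER_LEN])
        if counter != self._expected:
            return self._reject("counter mismatch (replay or dropped frame)")
        expected_tag = make_tag(self._key, counter, candidate)
        if not hmac.compare_digest(frame[HEADER_LEN:], expected_tag):
            return self._reject("bad tag (frame altered in transit)")
        if candidate not in self.tally:
            return self._reject("unknown candidate")
        self.tally[candidate] += 1
        self._expected += 1
        return True


def demo() -> dict:
    key = bytes(range(32))  # constructed key, for illustration only

    # Case 1: one honest vote, then a frame whose candidate byte was changed.
    bu, cu = BallotUnit(key), ControlUnit(key, 4)
    honest = cu.receive(bu.press(2))
    altered = bytearray(bu.press(3))
    altered[HEADER_LEN - 1] = 1  # candidate 3 rewritten to 1 on the cable
    tampered = cu.receive(bytes(altered))

    # Case 2: a previously valid frame sent a second time.
    bu2, cu2 = BallotUnit(key), ControlUnit(key, 4)
    first = bu2.press(1)
    cu2.receive(first)
    replayed = cu2.receive(first)

    return {
        "honest_accepted": honest,
        "altered_accepted": tampered,
        "altered_reason": cu.events[-1],
        "tally_after_tamper": dict(cu.tally),
        "locked_after_tamper": cu.locked,
        "replay_accepted": replayed,
        "replay_reason": cu2.events[-1],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tag provides integrity only: it does not hide which button was pressed, so the signed-off cable inspection proposed above is still needed alongside it.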

    Another piece of information I would like to add is the introduction of Voter Verified Paper Audit Trail machines, or VVPATs (Read in detail here). They are devices which will sit in between the Ballot unit and the control unit and will print and display the votes in real time to the voter. When the voter presses on the candidate he wants to vote for, the VVPAT machine will print (on thermal paper) the details of the vote, display it to the voter discreetly for 5-6 sec and then drop that paper in a box automatically, thus physically registering on paper the same vote as the one cast by the voter. So in case there is a discrepancy, the printed votes can be counted. It’s a good initiative but I am personally of the opinion that we are using another electronic device to secure an electronic device, so effectively opening up opportunities for new exploits. If the original device can be made as foolproof as possible, such a device might not be needed. But I think VVPATs will be a short-term solution to instill a sense of security in the minds of the public.

    A connection schematic for the VVPAT would be as follows:
    Ballot unit --> Serial cable 1 --> VVPAT --> Serial cable 2 --> Control unit.
    If they are looking at VVPATs as a long term solution to the problem, they might as well design Ballot unit and the VVPATs in a single module like one of those credit card swipe machines at retail stores(with receipt printing and) with a storage compartment connected to the control unit.

    If anyone is interested they should also read through this letter (Page 9 onwards) from the Election Commission answering a few questions asked by a citizen regarding the EVMs.

    I want to conclude by saying that EC has been active in taking steps to secure the system whenever somebody has made a valid suggestion to them. Kudos to them for that. I do hope they continue to do so in the future and plug any holes(if any) because fair elections are the basis of a good democracy.

    Once again, hope you enjoyed the post. Thanks again for all the feedback and rebuttals.

How to Track your ₹2000 Currency Notes

Background

TL;DR Yes, it’s theoretically possible to electronically track your currency notes with some modifications. Practically though, a lot of money needs to be put in to make that happen.

Hi there,
In the initial days of demonetization in India (in which 86% of the country’s bank notes, amounting to $210 billion, were rendered invalid in a matter of four hours), there was a huge fake rumour floating among social media channels that the newly introduced ₹2000 notes contained a “Nano-GPS” chip to track your currency anywhere on the planet. As an engineer, I couldn’t help but chuckle at the idea that someone could be fooled into believing that. The news became so big that the finance minister of the country had to clarify in a press conference that it was indeed absurd.

For the next couple of days, even I was lapping up all that social media was putting out on the topic. It was giving you your daily dose of mindless entertainment. But then something hit me, “OK. What if this is possible?” I was asking myself, “Let’s say you, as an engineer, are given the task of doing something like this. Would you take up the challenge of coming up with a solution for tracking currency notes in the country?” That really got me thinking.

That’s the premise of my first blog post. How do you go about solving a technical product solution for tracking the currency notes? (Provided there is a solution even) This is my dig at providing a solution to this problem.

Problem Statement

So before you go head first into solving a problem, it’s imperative that you lay down the ground rules on what it is that you are trying to solve.
I am NOT trying to put a GPS tracking chip on a currency note. Let’s think more generally: what is the GPS chip actually trying to solve?
It’s the tracking feature that’s the important factor here (whatever be the baseline technology you use).

So you got your first problem statement.

Currency Note should be trackable.

Thing is, currency notes were always trackable with the 9 digit serial numbers printed on them. We are looking for a solution in which tracking is automatic and does not hinder, in a major way, the existing way in which people use currency. For me the tracking should be unobtrusive, it should be somewhat seamless and each note should be unique in itself.
We should also be able to do it from a distance, where you cannot actually see a note. Else it will be like doing a physical search of someone and an optical scan of the serial numbers of the notes they carry in their wallets every single time, OR doing something like Eurobilltracker, where people type in the serial numbers to track where their notes are.

So my most accurate description of the problem would be

Currency Note should be trackable, preferably from a distance and also it should be unobtrusive.

Now that we have got that out of the way. Let’s focus on “Why on earth would Govt. want to track your currency notes? “
Few points which come to my mind would be

  • Black Money hoarding in large currency notes to evade taxes.
  • To know the amount of currency notes in actual circulation (aka non-hoarded money).
  • Ransom money/Bribe money tracking.

Right enough of this, let’s get to the interesting part. How do we solve this problem as an engineer?

The Tech Involved

Now comes the big challenge to choose what kind of technology you want to use to solve the problem. This is where constraints start coming into play. The major constraint is the note itself. Heck! it’s just a piece of paper and we don’t have much to work with here.

After pinning down our problem statement, I am inclined to think that there is no way around it: you need to build a wireless system (for tracking from a distance) on a piece of paper. Hmmm… that’s a challenge alright!!

Well, I have been working with wireless and embedded systems for the last few years now. The major technologies for tracking include GPS (duh..??), Bluetooth, WiFi (all the ones in the 2.4GHz family), GSM, CDMA, AM, FM, radars or some sort of custom RF communication.
We can’t use any of these, can we now? Why? All of these are devices (or modules) that can’t be put in a piece of paper because

  • They are bulky
  • They are active, meaning, they need a battery source to make them work.

Now we can’t use them because of our constraint that we can’t place a large module or a battery on a piece of paper (although paper batteries have come a long way) without changing the form factor of your currency note in a major fashion.

So what we are looking for is a passive device without a battery. That brings us to RFIDs (Radio Frequency Identification).

RFID

In layman terms, you can assume RFIDs to be the big brother of your common cloth security tags(or stickers in library books) which you would find in the shops to prevent theft of items by sounding an alarm when you walk out through the security doors.

From whatever I could research on, I believe RFID is probably the best technology bet for our problem. They usually consist of a “tag” (which you attach to any object) and a “reader” which helps you uniquely identify the tag when it is really close to the reader. These tags can be active (meaning they require a power source) or passive (no power source needed).
So passive tags are the ones we want to be looking into.

Although this technology has been around for quite some time now (like in identification cards for opening doors etc.), I am relatively new to this. So as usual, Google is the best way to understand how it works. I recommend going through the following video from Dave Jones at EEVblog to see how RFID cards work. (If you don’t have time, it’s OK to skip the video as I explain it very briefly below.)

So basically all that a passive tag contains is a loop antenna and a controller IC. Where does the IC get its power, you might ask?
It actually gets it from the RFID reader. When the reader comes close to a tag, the magnetic field created by it induces a voltage in the antenna of the tag and powers the IC, which generates a unique signal that is read back by the RFID reader. So the RFID reader powers the IC without any batteries.

Well, I had to see this for myself, so I decided to do a teardown. I had an RFID (or NFC, I don't remember) card which I got back in college in 2013 at IIT Bombay. It was from a company that was piloting a new payment product which allowed students to pay via a small sticker stuck on a wallet or phone. If you bring it next to a Point of Sale device, it automatically deducts the money from your card. (It's similar to NFC payment these days, but this was around 4 years ago.)

Front of the Tag.
Dimensions: 35mm x 25mm x 0.45mm

Back of the tag.
That black rectangle is the RFID IC.

There was no seam to peel off different layers, so I assume they molded the IC and the antenna together into the plastic.

If you look closely you should be able to see 8 dots in sets of four, which correspond to the molded copper wires inside the plastic. I didn't have acetone on hand to melt away the plastic and extract the antenna section.

After a lot of scratching and cutting, the IC pads are revealed; they connect the IC to the loop antenna. The IC was around 0.33mm thick.

This perfectly fits our bill for the basic technology part. It's relatively small, can potentially fit in your note, is wireless and is capable of providing unique IDs.

Now for the biggest challenge,

How do you implement this?

Implementation

Here is where things really start getting messy. We are trying to put an RFID tag into a piece of paper. First let's see what we have got to work with.

This is the new ₹ 2000 note.

Its dimensions are 66mm x 166mm. Fairly decent space for us. But that’s not the constraint here. It’s the note thickness. I tried to find the ₹2000 note thickness but couldn’t find it online. But based on this reference, thickness of a ₹1000 note is 110μm (1μm = 10^-6 m), just a couple of human hairs thick.

That’s something very small to embed electronics onto.

Then it got me thinking, "How would I fit my electronics into that thickness?" This got me to research in depth how RFID tags are implemented. As shown in the teardown earlier, all you basically need is a loop antenna and an IC. But the problem is that both of these have significant thickness. If you look at RFID tags and your credit cards, you will see that these cards are at least around 760μm thick, which is 7 times the thickness we have to design our product around.

This got me searching far and wide for a suitable IC which can fit our needs. The normal SMD IC packages which you see in most electronic devices, like TSSOP, QFN etc., are around 1mm (1000μm) thick. I thought ICs in smaller thicknesses would be impossible to find. But I was able to find an NFC tag IC from NXP Semiconductors, the NTAG213 series (Datasheet). NFC is a spinoff from RFID technology with a few more features. (Check here for differences between RFID and NFC.)

Salient features of the NTAG213 IC which got me hooked were

  • Contactless transmission of data and supply energy (Perfect for us)
  • Operating frequency of 13.56 MHz (Higher frequency means better range of detection)
  • 7-byte unique serial number (Effectively 2^56 ≈ 72 quadrillion or 72,000 trillion unique IDs. That's a huge number)
  • True anti-collision (Important for us, will come up later)
  • Data retention time of 10 years (Good enough for a lifetime of a currency note)
  • Physical size of the IC package is only 75μm in thickness (That's the jackpot for us right there)

Right! Now we have the IC we need; next, the loop antenna part.

First let's lay down the specs for our design. If we are to embed an IC in the note and make sure that it is trackable, we need to define a tracking range.

So what I am proposing is this: each ₹2000 note will be tracked at the cash counters of all banks, as that is where money technically comes into circulation, and also at most point of sale counters. If we assume the tags to be embedded in notes, I want the notes to be trackable in public places, at toll counters and at state borders (to monitor cash inflow and outflow via roads) without introducing any sort of inconvenience to the public. That means our RFID reader must be able to read information from any person/vehicle carrying a currency note within a 15m radius.

Right now, I am not putting any restrictions in the RFID reader design, meaning I am not constraining it in its size or its power requirements because I intend it to be a fixed installation.

The problem with most current RFID (or NFC) tags is that they are really meant for short-range (a few inches) data transfer with the reader. So we need to build one with a longer range.

So what are the major things that affect its range? (Check here for the full list)

  • Gain of the reader antenna. Larger they are, the better.
  • Higher power output of the reader antenna
  • Tag size(Ours is restricted to the maximum size of the currency)

Tags work by getting their energy from the magnetic field of the RFID reader, so the larger the magnetic field (through larger size or larger power output), the farther away the tag can be and still be detected.

Now we get into designing the loop antenna section for our tags. The maximum size of the antenna is determined by the currency note size, which is 66mm x 166mm for a ₹2000 note. This size is actually good for us because it gives us almost double the antenna size which can typically fit in a credit card sized RFID card.

If you are really interested in reading about loop antenna design and how much magnetic field needs to be generated at the tag's antenna, I really recommend going through the brilliant AN710 application note from Microchip on antenna design for RFID applications. I am not going in-depth on how to design one for our application. (I did some rough calculations based on our design and came to know that it's fairly simple to design one with our requirements.) By tweaking the power and size of the RFID reader we should be able to get a 15m range.
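A rough calculation of this kind, as an added example that is not from the original post: it uses the standard on-axis field expression for a circular reader loop to show how the required ampere-turns grow with distance, and where the near-field model stops applying at 13.56 MHz. The 1.5 A/m threshold is the ISO/IEC 14443 minimum operating field, assumed here for the tag; the function names and the 0.5 m reader loop are illustrative.

```python
import math

C = 299_792_458.0      # speed of light, m/s
F_CARRIER = 13.56e6    # operating frequency from the feature list, Hz
H_MIN = 1.5            # A/m: ISO/IEC 14443 minimum operating field (assumed for the tag)


def near_field_limit(freq_hz=F_CARRIER):
    """lambda / (2*pi): beyond this the quasi-static loop formula no longer holds."""
    return C / freq_hz / (2 * math.pi)


def on_axis_field(ampere_turns, loop_radius, distance):
    """H = N*I*a^2 / (2*(a^2 + r^2)^1.5) on the axis of a circular loop, in A/m."""
    a, r = loop_radius, distance
    return ampere_turns * a**2 / (2 * (a**2 + r**2) ** 1.5)


def required_ampere_turns(loop_radius, distance, h_min=H_MIN):
    """Reader N*I needed to put h_min at a tag `distance` metres along the axis."""
    a, r = loop_radius, distance
    return 2 * h_min * (a**2 + r**2) ** 1.5 / a**2


def best_loop_radius(distance):
    """Radius that maximises the field at `distance` for fixed N*I: a = r*sqrt(2)."""
    return distance * math.sqrt(2)


def survey(loop_radius, distances):
    """Rows of (distance, ampere-turns, inside_near_field) for a fixed reader loop."""
    limit = near_field_limit()
    return [(r, required_ampere_turns(loop_radius, r), r <= limit) for r in distances]


if __name__ == "__main__":
    print(f"near-field limit: {near_field_limit():.2f} m")
    for r, ni, inside in survey(0.5, [0.05, 0.5, 3.0, 15.0]):
        note = "" if inside else "  (beyond the near-field limit)"
        print(f"r = {r:5.2f} m  N*I = {ni:10.1f} A-turns{note}")
```

Well beyond the loop radius the required drive grows roughly with the cube of the distance, which is why the reader's size and power dominate the range budget.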

For our design, I am proposing to go ahead with the printed versions of the loop antenna and not the enameled copper wire design which is usually used in RFID tags because of the thickness constraints.

So till now we have fixed 3 things:

  • Our main IC: NTAG213

  • Loop antenna design

  • Loop antenna’s printed form factor

How does all this come together in a currency note?

As discussed earlier, the approximate thickness of a paper currency note is 110μm. We can't simply print the loop antenna on paper, so we have to do it on a thin layer of a material called polyimide. Polyimide is commonly used in flexible electronics. (You might have seen it in the flat cables connecting PCBs; it is usually amber colored.) It is flexible and comes in sheets as thin as 7.5μm. For our design, I am choosing a polyimide sheet of thickness 12.5μm which is going to hold the 75μm thick IC as well as the printed loop antenna.

As you see in the picture above, that's how our new currency would look. My assumption was that we can't have printable paper thinner than 110μm (which may not really be true, but I am no expert in papers). Layers 1 and 5 will contain the normal prints and the security features which a normal currency note would contain. These two layers are attached to the polyimide layer with a strong double-sided adhesive layer which is 5μm thick. The IC and the printed loop antenna will be soldered onto the polyimide substrate.

There are 2 obvious issues with the above layer stack-up,

  1. The total thickness of the proposed currency is 242.5μm, which is slightly more than double the thickness of the current notes. That is OK, as it's still foldable at those dimensions, but it's still thicker than usual.
  2. Although in the figure the IC is supposed to fit in the mentioned dimensions, I really don't expect it to sit absolutely flush with no bump on the surface. Most of these ICs come with a slight black blob of epoxy on top which will contribute to the thickness. But that can be effectively solved by making sure that the top-side visual design is built in a way that minimizes the visual impact. (Although you will still be able to feel it.)

So to sum it up, above stack-up does work with some flaws.

Another option to reduce the thickness problem is to go for an all-polymer design, or plastic currency. A few countries, like Australia and Canada, have been using plastic currency instead of paper currency for quite some time now. These notes are stronger, last almost 2.5 times as long as normal currency, are waterproof, don't get dirty like their paper counterparts and, most importantly, are much harder to counterfeit because of their added security features. But a plastic note is more costly to manufacture than its paper version.

Apparently the RBI in India is planning to print plastic currency in the near future. So theoretically it's possible to implement the above stack-up much more easily by fusing the loop antenna and IC section into a single molded plastic layer (which contains the actual visual design of each side of the note) with a uniform thickness of 150μm – 200μm. This can potentially be a solution.

Yes. It’s a challenge but I think it’s doable.

Cost

Well, all this hypothesizing is fine, but it will only work if the cost of manufacturing is reasonable. Yes, it will be costlier than the traditional methods, but we need to do a cost vs. benefits analysis. The obvious benefits are

  • It has more security features built in and is hard to counterfeit.
  • It’s trackable.

An ordinary paper ₹1000 note with dimensions 177mm x 73mm costs ₹3.17 ($0.05) to print, and a ₹500 note with dimensions 167mm x 73mm costs ₹2.50 ($0.04). So the printing costs of those notes are only 0.3% and 0.5% respectively of the face value of the notes.

Based on the size of the new ₹2000 note (166mm x 66mm), we can assume printing will cost around ₹3, which is only 0.15% of the face value of the note.
The cost of electronics, antennas and adhesives can be roughly calculated based on the selling price of similar tags in the market. NTAG213 printed tags are being sold by one retailer at $1434 for 4000 tags. The usual selling price of hardware products is 2x-3x the manufacturing cost. Let's assume it to be 2.5. This would mean the manufacturing cost of a single tag is ($1434/(4000 * 2.5)) = $0.14 = ₹9.5

So we are seeing an additional cost of ₹9.5. But I am assuming this to be around ₹4-₹5 because of the volumes we are talking about. If the Govt of India decides to manufacture this at full scale, the minimum order quantity will be at least 100 million notes/year. I expect the suppliers to drop their prices drastically seeing those numbers.

Overall we can assume, with a fair amount of certainty, that these notes can be manufactured for under ₹10 ($0.15), which is only 0.5% of the face value of the note. For me at least, that is a reasonable investment for the government to make considering the benefits. (But hey, I am no economist!)

How is tracking done?

The technology is frozen, and manufacturability and cost analysis are a decent pass. Now how does the system work as a whole?

The currency notes with the built-in unique ID tags are released via banks to the general public. As they are handed over to the public, the tags get tracked automatically at the initial point of dispersal by RFID readers in the bank cash counters. These notes can also be associated and tagged with the unique identification number of the person who is withdrawing the amount. The same feature can be built into all ATMs as they dispense the notes; the notes will then be tagged against the person and their card. This takes care of the initial tagging of all bank notes that go into circulation.

Step 2 would be tracking the notes after the initial point of dispensing. This is where RFID readers in major road intersections and public places would help. These RFID readers would be powerful enough to pick up the tag information automatically from the notes inside your wallet, purse etc. within a 15m radius. All busy road intersections would be perfect for that data collection.

Earlier I insisted that these high power readers be kept in toll booths and at all state borders, as roads are the major route for transferring money. Let's say a few bundles of these notes are put in the trunk of a car and it passes a high power RFID reader; the reader should be able to detect all the notes. This is why I chose the NTAG213 IC, as it supports anti-collision. If you try to read multiple notes at the same time, their signals can interfere with each other, resulting in none of the tags getting detected. Anti-collision algorithms implemented at the RFID reader solve that issue.
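How a reader separates several tags answering at once, as an added example that is not from the original post: a simplified simulation of bit-wise anti-collision in which the reader narrows a UID prefix until a single tag answers, then silences it and repeats. It treats the 7-byte serial number as one 56-bit string and leaves out the cascade levels and check bytes of the real ISO/IEC 14443-3 Type A procedure; the UIDs and function names are constructed for illustration.

```python
UID_BITS = 56  # 7-byte serial number from the feature list

# Constructed sample UIDs (not real tags): three notes in one bundle.
SAMPLE_UIDS = [0x04A1B2C3D4E5F6, 0x04A1B2C3D4E5F7, 0x04FF0011223344]


def bits(uid):
    """UID as a fixed-width bit string, most significant bit first."""
    return format(uid, f"0{UID_BITS}b")


def respond(tags, prefix):
    """Superposed answer of every tag whose UID starts with prefix.

    Bits on which all answering tags agree decode cleanly; a position where
    they differ is marked 'X' (a detected bit collision).
    """
    answers = [bits(t)[len(prefix):] for t in tags if bits(t).startswith(prefix)]
    return "".join(col[0] if len(set(col)) == 1 else "X" for col in zip(*answers))


def select_one(tags):
    """Narrow the prefix until exactly one tag answers; returns (uid, rounds)."""
    prefix, rounds = "", 0
    while True:
        rounds += 1
        seen = respond(tags, prefix)
        hit = seen.find("X")
        if hit == -1:
            return int(prefix + seen, 2), rounds
        # Keep the clean bits and follow the '1' branch at the collision;
        # a collision guarantees at least one tag has a 1 there.
        prefix += seen[:hit] + "1"


def inventory(uids):
    """Read every tag in the field; returns (uids in read order, total rounds)."""
    remaining, found, total = set(uids), [], 0
    while remaining:
        uid, rounds = select_one(remaining)
        found.append(uid)
        total += rounds
        remaining.discard(uid)  # a selected tag is halted and stays silent
    return found, total
```

With the three sample UIDs the first unqualified request comes back with collision marks, and the full inventory takes five request rounds.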

Note: I am pretty sure everyone would be cursing me right now as this is a major privacy concern for all parties involved. Right now I am just looking at the technological aspect of the design and not the moral part of the entire exercise.

Also, Step 2 is not fully bug-free, as someone can effectively shield their money from getting read by RFID readers by wrapping it in aluminum foil before putting it in their purse/wallet (a.k.a. a cheap Faraday cage). I haven't found a solution to this bypass hack yet.

Step 3 would be tagging the notes to the person when they purchase something over the counter with their money. So even when money has changed hands from one person to another since the initial point of dispersal, it will get tagged to a new person when it changes hands over a counter top. The system thus self-corrects every time there is a cash transaction. (This is pretty much how digital/card payments leave a paper trail.)

Conclusion

With all the above steps, I believe you can effectively track each and every currency note in circulation. Although the above steps are not 100% foolproof, they certainly provide something which does not exist right now, and it can potentially help with the black money hoarding issue.

Well, the moral implications of such an implementation are still up for debate. Personally speaking, I would not be really comfortable with the Govt. tracking my wallet every time I go out (not because I have something to hide, but because it's simply unnerving). But this brings us to the question: if we ever want to become a truly cashless society, doesn't the Govt always know how much you have in your wallet/bank account already? Tracking your notes is similar to that.

Let me know your thoughts in the comments, and whether technologically there is a smarter way to do something like this. All comments and criticisms are welcome…

 
