Kenyan Elections and Alleged Hacking: A Look at the available evidence

Kenyan Elections and Alleged Hacking: A Look at the available evidence


On 9th August, a day after Kenyans voted in the 2017 General Election, opposition presidential candidate Raila Odinga alleged that the Independent Electoral and Boundaries Commission (IEBC) database had been hacked and an algorithm set to ensure an 11% difference in favour of incumbent President, Uhuru Kenyatta at all levels of results transmission. To back up the claims, Mr. Odinga’s political party National Super Alliance (NASA) presented a log file apparently showing the details of the hack. These claims have been repeatedly denied by the electoral commission. On 11th August, the IEBC declared Uhuru Kenyatta as the winner of the election with 54.27% of votes cast with Raila Odinga coming in second with 44.74%.
In an attempt to respond to the hacking claims, this post asks three questions: How is technology used in Kenyan elections? Was the log file presented evidence of an attack that changed the outcome of the election? How could this file have been obtained? This post audits the logs as evidence within the context of Kenyan elections ecosystem.

Hacking Claims

Context setting: Kenyan elections and Technology

Kenya’s current election technology system has its history rooted in the 2007 post-election violence. After the incumbent president, Mwai Kibaki, was hastily sworn-in after a contested election outcome, violence rocked various parts of the country, followed by retaliations that spread out for weeks. By the time an international mediation team brought the opposing sides to the negotiation table, multiple post-election violence reports documented over one thousand deaths, hundreds of thousands displaced, and property worth billions of dollars destroyed.
Following the mediation talks, the Independent Review Commission of Inquiry on the General Elections held in Kenya on 27 December 2007 (IREC) was set up, chaired by South African Judge Johann Kriegler, to examine the December 2007 Kenyan elections from various perspectives. One of the main findings of the commission was that it was impossible to establish with certainty who won the presidential election. To that end, the Kriegler Commission, as it was commonly known, prescribed ‘an effective, transparent and efficient system’ for voting in Kenyan. This guiding principle was soon adopted when, in a referendum in 2010, Kenyan voters approved a new Constitution. The Constitution of Kenya 2010 and election-related laws that followed the new Constitution (such as the Elections Act of 2011) are intended to implement the Kriegler Commission’s prescriptions.
Subsequent legislative amendments to the Elections Act as well as policy decisions by IEBC resulted in the introduction of an election management system incorporating a biometric voter registration and verification, identification, and an electronic results transmission system. Biometric-based digital registers were added to the existing print versions, printed voters’ cards were scrapped, and a digital layer was added to the physical tallying and aggregation of results. These efforts were seen as the panacea to election-related mistrust and mischief by improving the speed of the process and by including redundancies in the tallying process.
During the 2013 elections, biometric technology was used at the voter registration phase (Biometric Voter Registration – BVR) and Electronic Voter Identification (EVID), while text messaging service (SMS) was used for the Electronic Results Transmission System (RTS). On voting day (March 4, 2013), significant percentages (55% of the 952 streams sampled) of the EVID collapsed, with such failures forcing election officials to resort to manual systems. Furthermore the transmission system and the database servers failed halfway into use. The losing party Coalition for Reforms and Democracy (CORD), led by Raila Odinga, claimed that there was rigging of the election and that the technology failure was intentional and meant to allow doctoring of results through loopholes in the manual system. The Supreme Court of Kenya rejected a petition filed by CORD with the vote rigging allegations, ushering in Uhuru Kenyatta’s inauguration as the fourth president of Kenya.
It was against this background that election technology for the 2017 General Elections was cast. Several improvements were made to the system, the most important of them being incorporation of all technology elements into one system, the Kenya Integrated Election Management System (KIEMS). To improve the resilience of the hardware component, backup batteries were provided and web-service servers were used in place of the static servers to handle high traffic from IEBC and interested parties visiting their servers.
On election day, most regions reported smooth operations on voter identification and results transmission, but still some polling stations had technical issues with biometric voter identification that delayed voting. Results were relayed directly from the polling stations to the IEBC servers for broadcast. At around 4AM on 9 August 2017, NASA rejected the incoming results being streamed via the IEBC online portal, which were broadcast by television and radio stations countrywide.
At around 10AM on 9th August, Raila Odinga alleged, in a press statement dubbed ‘We Got Them’, that on election day, unknown hackers had gained access to the IEBC computer system using the credentials of the commission’s ICT manager, Chris Msando. Mr. Msando had been tortured and killed in July, just weeks before the election, although his killer(s) remain unknown. According to the press statement, using Mr. Msando’s credentials, the hackers allegedly “loaded an algorithm” that allowed them to manipulate the results being transmitted from tallying centres around the country. To back up these claims, Mr. Odinga presented to the media a log file apparently showing the details of the hack. In the next section, we look at the logs released by Mr. Odinga line by line to verify the claims of elections hacking.

Database Log Audit Findings

Along with the statement “We Got Them” NASA published 52 photographed pages which they claimed to be a log from “IEBC’s Core Server” that allegedly demonstrated manipulation of the server. They presented no evidence to show where they had retrieved the log or that the log was in fact from an IEBC server.
The log appears to be from the error log of a Microsoft database server named “MSSQL Server 2008” executed in a virtual machine [0.2Check]. To enable us to review the logs in a coherent manner, we converted the images into text using the OCR tool tesseract to produce a noisy recreation of the text file that NASA printed and photographed. Using that file we produced a timeline from a chronological order using the timestamps in the file. All links point to that file.
The resulting file contains around 1300 lines – 148 kilobytes – of time stamped warnings and errors produced from the startup and normal execution of a database server inside of a virtual machine [0.1] from 12:08 am on August 8th to 04:43 [0.2] the morning of the election. There are a few important lines included in the log that fall outside of the period and demonstrate definitely that the logs were altered before they were published [2]. A normal unaltered MSSQL Server error log would not write timestamps out of order like we observed in the original files presented to the media by NASA.
Other than the rearrangement of timestamps and several failed login attempts the log contains nothing unusual or noteworthy from a normal startup of the server. The error logs record the configuration and initialization of 54 databases [3.1], some generic system messages [3], some warnings related to poor configuration of the virtual machine [3.2] and the execution of several stored procedures [4][5].
The majority of the log lines record warnings related to the non default configuration of what is called database pragma. These lines act as a warning for the administrator about non-default, potentially problematic configurations [6] [7CITE].
There were four failed login attempts during the time period. Two appeared to use the username of Wafula Chebukati [8] [9], the IEBC Chairperson, and another Chris Msando [9] — the slain ICT Manager.
These failed logins provide the basis for the first of the NASA’s evidence-backed claims.
5) “At about 12:37 pm on the 8th of August 2017 hackers gained into our election database through the identity of Chris Msando … into the account of the Mr. Chebukati Chairperson.”
The evidence offered does not support this claim for two reasons. First the log line to which this point must reference, ostensibly the login of ‘msando’ (the conjectured account of Chris Msando), shows that the login attempt was rejected.
08/03/2017 09:05:23,Logon,Unknown,Login failed for user ‘msando’. Reason: The password of the account must be changed. [CLIENT: <local machine>]
If the login did succeed, immediately after the following line would have appeared [10 pg 18].
08/03/2017 XX:XX:XX,Logon,Unknown,Login succeeded for user ‘msando’ Connection: [Client: <local machine>]
Secondly, the timestamp of the failed login attempt indicates that it was created on August 3rd, while the timestamps of the failed login attempts for the users CheBukati [8] and chebukati [9] instead occur later after the proposed hack was stated to have occurred.
So, it is clear that these supposed logins did not occur as asserted in the press release, and the further claims that benign log lines demonstrate those errors are also untrue.
6) “They [the hackers] created errors into the IEBC Core Server (as highlighted at Page 2 of the document annexed to this statement) ..
These errors as previously mentioned are simply warnings produced by the database server [14]. The inaccurate and intentionally misleading statements continue throughout section 6, which contains the substance of NASA’s claims.

  1. a) “At 12:38 pm they introduced several progammes (xpstar.dll version 2009) to execute stored procedures in the library and the memory of the IEBC database intended to manipulate data.”

The xp_star.dll is a shared library that has been included in MSSql Server’s since 2000 [14.1] and the program that it runs, the stored procedure xp_instance_regread, finds the path on the file system where the database register is located [14.2] [14.3].

  1. b) “At 12:38 pm they loaded an algorithm which is a formula to create a percentage gap of 11 percent between our numbers in the presidential race”

There are only two other stored procedures that run at 12:38 pm, xp_qv [15.1] and xp_msver [15.2]. So the algorithm that produced this 11% difference must be one of them. According to Microsoft, the procedure xp_msver provides version information about the server [15]. The procedure xp_qv checks that the license is still valid [16] [16.1].
Thus there is nothing in the six log lines from 12:38 PM that indicates a command was executed that systematically manipulated the results stored in the database. If NASA intended to substantiate their claim, providing the volatile database files, the transaction log and database files would perhaps have been enough evidence for forensic investigators to substantiate this claim [16.3 pg 11]. Six error log lines is insufficient.
Points 6.c through 6.h all make very similar claims about database options used by the “hackers” for nefarious purposes. Each one of these claims is misleading and incorrect. Here are the five best ones:

Setting Value Documented meaning Claimed meaning
DATE_CORRELATION_OPTIMIZATION OFF Do not optimize queries that search date ranges. OFF is actually the default value. src They effectively disabled the system from detecting date and time.
AUTO_UPDATE_STATISTICS OFF Turns off a process called indexing which can speed up database performance. src This made sure that records sent from the field would not be reflecting on the system.
DISABLE_BROKER ON Turns off messaging queues for attached applications. src This was to disable the database from tracking the events happening in the database.
RECURSIVE_TRIGGERS OFF Guarantees that searches and updates to a database cannot be nested. src Switching those off ensures that the database would not keep record of anything.
AUTO_CREATE_STATISTICS ON Improves query planning by generating database indexes automatically. src .. enable their programme to traverse the database updating it with their set and desired values to avoid trace.

It is plainly visible that each of the claimed functions of these settings is imagined. The author of the press release goes on to extrapolate that these ‘malicious’ database options are then used to alter the results stored in all the other counties.
7) “Within just 12 hours, this attack on our democracy affected the Presidential Elections in all of the 47 Counties…”
As we have plainly shown, the evidence provided does not demonstrate a 12 hour attack . Further, the log does not even cover a 12 hour period. It either is a range of 3.5 hours [18.3] [18.4] or 153 hours, depending on whether or not we count the extra out of bounds lines [18.1] [18.2].
In summary, the audit suggests that the claims of hacking based on the provided log are untrue. The log and argument presented by NASA as evidence of election hacking is invalid because:

  1. NASA never demonstrated that the provided log is actually from an IEBC machine or that the IEBC uses MSSQL Server to tabulate the voting results.
  2. A normal unaltered MSSQL Server error log would not write timestamps out of order.
  3. The supposed logins did not occur and NASA’s further claims that benign log lines demonstrate those errors are untrue.
  4. The usage of the stored commands (xp_star.dll) on startup is a routine function call, not a malicious program as NASA claims.
  5. There are multiple inconsistencies between stated claims and provided evidence, like the duration of the attack and the misrepresentation of facts in sections 6c through 6h.

This however does not in any way rule out hacking, since there has been no access granted to the IEBC database or election documents for a comprehensive audit. This analysis simply states the logs presented are not proof of any hacking.

How were these logs obtained? A Hypothesis

Others have stated that the leaked documents are fabricated, and as stated above we believe that the logs have (at minimum) been altered. This warrants a theory as to how exactly the logs were obtained.
The database server seems to represent the storage of a component of an application to track the publication of the form 34A’s during the presidential election. Further, in a later statement, NASA’s claimed count of total electoral votes (8.04M for Raila Odinga, 7.7M for Uhuru Kenyatta) was disputed by the IEBC, observing that those totals from NASA neglected to count the Diaspora Vote and those of the incarcerated population.
As noted above the databases purported to be “IEBC’s Master Server” is also notably lacking a database to tabulate the results from voters uncounted from a specific county. This could be evidence that the published error log is in fact an error log from NASA’s own database and it would suggest that at least one person within NASA intentionally fabricated the published log.
Conclusions and Recommendations
Kenyan elections have explicit provision on how technology is to be used in an election, from voter registration, identification and transmission of results. Voting is manual and so is tallying. With hacking claims supposedly targeting the transmission, storage and publication of results, the fall-back to the manual paper trail is necessary.
Our preliminary analysis rules out hacking based on the evidence presented. Indeed we have postulated a hypothesis that the logs may have been fabricated, published and presented to the public. This should not be taken to mean the IEBC may not have been hacked. We are not in a position to make such a conclusion, as it requires access to the election system which we do not have. With the presidential election headed for a decision from the Supreme Court, and with NASA insisting on electronic tampering of results, the authors are of the opinion that a comprehensive audit of the system be done in a transparent manner to ensure the hacking claims are denied or confirmed from an evidence-led conversation.
As technology is increasingly integrated into election systems and processes, it is logical that election actors (in this case the IEBC, political parties, media organizations, and election observers) recruit competent ICT observers to match with the elections timeline (procurement, verification, polling and post-election phases). This will ensure technical components of the elections are adequately considered.

About the Authors
Moses Karanja is an information controls researcher at Strathmore University’s Centre for Intellectual Property and Information Technology Law (CIPIT), Kenya.
Nick Skelsey is the Lead Developer at The Hermes Center for Transparency and Digital Human Rights, Italy.

Leave a Comment

Your email address will not be published. Required fields are marked