A group of researchers has exposed a serious flaw in an Internet voting system developed by the same company behind a core component of New South Wales’ e-voting software.
Sarah Jamie Lewis from the Open Privacy Research Society, Université catholique de Louvain’s Olivier Pereira and Vanessa Teague from the University of Melbourne today published a paper that reveals problems with the way that the Swiss sVote system provided verification of ballots cast in an election.
The online voting system was developed by Swiss Post and Scytl — the software vendor that worked with the New South Wales Electoral Commission to build the iVote application.
The sVote Internet voting system is designed to allow verification that the votes reported by the electoral commission match those that were cast — without compromising the identity of a voter.
However, the researchers say that the flaws would allow someone involved in administering the vote to potentially manipulate the results but still produce audit data that passes the verification process.
“The problem derives from the use of a trapdoor commitment scheme in the shuffle proof — if a malicious authority knows the trapdoors for the cryptographic commitments, it can provide an apparently-valid proof, which passes verification, while actually having manipulated votes,” the paper states.
“There is no modification of the audit process that would make it possible to detect if a manipulation happened.”
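The trapdoor property the paper describes can be seen in a toy Pedersen-style commitment; this is an added illustration, not code from the paper or from sVote. The article does not name the commitment scheme, so the scheme, the tiny group parameters, the function names and the seed-based generator derivation (a standard countermeasure, not necessarily the vendor's fix) are all assumptions.

```python
import hashlib

# Toy parameters, constructed for illustration and far too small for real use:
# P = 2*Q + 1 is a safe prime; the squares mod P form the subgroup of prime order Q.
P, Q = 2039, 1019
G = 4  # 2^2, a generator of the order-Q subgroup

def commit(m, r, h):
    """Pedersen-style commitment to m with blinding r under generators (G, h)."""
    return (pow(G, m % Q, P) * pow(h, r % Q, P)) % P

def opens(c, m, r, h):
    """The verifier's check: does (m, r) open commitment c?"""
    return c == commit(m, r, h)

def trapdoor_generator(t):
    """Flawed setup: the committing party picks h = G^t, so it knows log_G(h) = t."""
    return pow(G, t, P)

def equivocate(m, r, m_new, t):
    """With trapdoor t, find r_new such that (m_new, r_new) opens the same commitment.
    Solves m + t*r = m_new + t*r_new (mod Q)."""
    return (r + (m - m_new) * pow(t, -1, Q)) % Q

def derive_generator(seed: bytes):
    """Countermeasure: hash a public seed into the subgroup, so nobody chooses
    the discrete log of h with respect to G."""
    counter = 0
    while True:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)  # squaring lands in the subgroup
        if h not in (0, 1, G):
            return h
        counter += 1

def generator_is_verifiable(h, seed: bytes):
    """Auditor's check: recompute h from the published seed and compare."""
    return h == derive_generator(seed)
```

Both openings pass the same verification equation, which is why no change to the audit step alone can tell them apart; the defence has to be in how the generators are produced and checked.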
There were two attacks outlined by the group in their paper. The first requires knowledge of the randomness used to generate an encrypted vote.
“When you use public key encryption, you take the public key and your message and you add a little bit of randomness as well, just so that your public key encryption of your vote doesn’t look exactly identical to everyone else’s public key encryption of the same vote,” Teague, an associate professor at Melbourne Uni, told Computerworld.
“The first attack relies on knowing what that randomness was that was added in to the encrypted vote when it was generated.”
The second attack doesn’t require that knowledge, but does rely on some assumptions about how the candidates are encoded in a particular ballot.
Last month, Scytl and Swiss Post announced that they would conduct a public intrusion test (PIT) to assess the resilience of the voting platform. Swiss Post published source code in a GitLab repository, with access to the code and the ability to comment on it restricted to people who agreed to the terms and conditions attached to the PIT process.
That code was republished in a number of unofficial repositories. In a statement published on 22 February Scytl noted that “over the last days, several comments were made by some individuals outside the official channel, claiming that the cryptographic protocols were not secure and making general comments on the quality of the code”.
“These criticisms are mainly based on misunderstandings related to the cryptographic mechanisms, which have already been clarified and solved in the official repository,” the company said.
“The cryptographic protocols and mechanisms implemented in the code are very advanced and not commonly found in other software. This may make the analysis more complex for some of the individuals evaluating and posting public comments, who, in turn, foster misunderstandings and may generate confusions.”
The company said that because the cryptographic protocols used in the system “have achieved complete verifiability”, the source code had been published “with the confidence that no attack might compromise the secrecy of the ballot box and the integrity of the election results”.
Lewis, Pereira and Teague were not participants in the PIT program.
Teague said that the researchers had notified Swiss Post of the problems they unearthed and that it had acknowledged the vulnerability and said it had addressed it.
“We have not seen the fix and we don’t know whether the correction is going to be incorporated into the code that they’re making available under their intrusion test right away,” Teague said.
The Melbourne Uni academic added that the group’s discovery of the vulnerability raised concerns over other possible flaws in the system.
“We’re a small band of three researchers — we spent a couple of weeks looking at it and we found this thing and demonstrated that it could be effectively used,” she said.
“There’s no reason to think that there aren’t other things as well; this was just the first thing we spotted after looking at it for a couple of days. So the concern, of course, is to wonder whether there might be other issues that are similar in nature but haven’t been detected yet.”
“Really, without an open, public assessment there’s really no guarantee at all that there aren’t other opportunities for undetectable electoral fraud that still is capable of producing what looks like a valid proof that everything’s okay.”
“Even if this particular issue is corrected, we do not know whether there might be other ways of manipulating votes while still producing an apparently-verifiable election outcome, or other manipulations that would lead to vote privacy violations,” the paper notes.
“The issues reported here are the result of the analysis of an isolated, but critical, part of the code. This voting system is highly complex, there are many other critical parts, and we did not look at them. As a result, we have no reason to believe, based on this work, that there are no other critical issues in this implementation.”
The paper states that there was no evidence the verification problem was introduced maliciously.
“It is entirely consistent with a naive implementation of a complex cryptographic protocol by well-intentioned people who lacked a full understanding of its security assumptions and other important details,” the paper states. It adds: “Of course, if someone did want to introduce an opportunity for manipulation, the best method would be one that could be explained away as an accident if it was found.”
Teague said the researchers’ discovery “absolutely” indicated a need for heightened scrutiny of NSW’s iVote system.
The NSW Electoral Commission said that the “identification of this issue does not affect the use of iVote for the NSW State election.”
“The affected component in the iVote system is the ‘mixnet’. Before votes are decrypted and counted, the mixnet is used to randomise the order of the votes to ensure they cannot be connected to individual voters. This is part of the process that ensures that iVote users have the same ability to cast a secret ballot as voters who use any other voting channel,” it said in a statement.
“Unlike the Swiss Post system, the machine on which the mixnet runs is not physically connected to any other computer systems either within or outside the NSW Electoral Commission. The machine is only used following the close of voting on 23 March. This machine is also securely housed within the NSW Electoral Commission.”
The weakness identified by the researchers related to potential actions by a malicious insider rather than an external threat.
“In order for this weakness to be an issue, a person would need to gain access to the physical machine,” a spokesperson for the commission said.
“They would need all the right credentials and the right code to alter the software. Our processes reduce this risk as we specifically separate the duties of people on the team and control access to the machine to reduce the potential for an insider attack. Scytl is delivering a patch which will be tested and implemented shortly to address this matter.”
“We’re pleased to have the opportunity to address this issue ahead of election day and remain confident in the security of the system,” the spokesperson added. “iVote is an important voting channel to ensure equal access to democracy, particularly for people with disability and remote voters, and we will continue working to strengthen its operation.”
Teague in 2015 revealed the existence of iVote vulnerabilities that allowed potential man-in-the-middle attacks to subvert votes. iVote browser sessions were susceptible to FREAK and Logjam attacks.
There have been multiple versions of iVote, with Scytl building the platform’s core voting system that has been employed by the application from the 2015 NSW election onward. Other components — a registration and credential management system and a phone system for vote verification — were built by the NSW Electoral Commission.
Last year, Scytl won a $1.9 million contract to upgrade iVote ahead of the state election.
As part of the iVote refresh process, the state electoral commission in January invited “individuals who have a private or academic interest and expertise in electronic voting, or a related field” to scrutinise some source code ahead of the NSW election, which is being held later this month.
The commission said that it would potentially make available source code for “components mainly associated with the encryption, decryption, verification and validation of votes” for review. The source code review program required participants to sign a deed of confidentiality and privacy with both the commission and Scytl.
The program is part of a commitment by the commission to increase the transparency of iVote, as a component of the iVote 2019 refresh program.
The commission has indicated that it will release the “source code of certain components of the voting system” following the election.
“Security and transparency have always been a cornerstone for Scytl,” Scytl said in a statement.
“The recent publication of the source code as well as the public intrusion test are part of the company’s commitment to ensuring secure and transparent online voting processes. We are thankful to those researchers who helped us identify this issue and support us in building the future of secure online voting.”
Updated 13 March with comment from Scytl.