View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
March 12, 2019updated 13 Mar 2019 9:11am

Critical Weakness Could Allow “Undetectable Vote Manipulation” on Swiss e-Voting System

Flaw had been found in 2017 but not fixed...

By CBR Staff Writer

Cryptographic flaws in an electronic voting system proposed for use in Switzerland would allow “undetectable vote manipulation”, security researchers concluded today.

Sarah Jamie Lewis, Olivier Pereira and Vanessa Teague found that the proposed Swiss e-voting system (built by Barcelona-headquarted Scytl) was open to manipulation owing to weaknesses in how encrypted electronic votes are “shuffled” to protect voter privacy.

The vulnerability could, in the worst case, allow “massive and centralized election fraud” cryptography expert Matthew Green noted.

Bizarrely, SwissPost, which was hoping to support elections across the country using the system, said the error was already identified in 2017.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

“However, the correction was not made in full by the technology partner Scytl, which is responsible for the source code. Swiss Post regrets this and has asked Scytl to make the correction in full immediately which they have now done.”

Computer Business Review has called and emailed Scytl requesting an explanation. Scytl’s existing systems have been used to manage over 100,000 electoral events electronically across more than 20 countries, including the USA, Mexico, France, Norway, Switzerland, Austria, BiH and India, the company says.

Swiss e-Voting System: Malicious Admin Could Manipulate Votes

The system tested also assumes a benign actor on the server side of the system, meaning an authority administrating (or a hacker penetrating) one of the system’s servers could manipulate votes whilst maintaining a clean audit trail.

Their paper, “the use of trapdoor commitments in Bayer-Forth proofs and the implications for the verfiability of the Scytl-SwissPost Internet Voting System” concluded: “A malicious administrator or software provider… could manipulate votes but produce a proof transcript that passes verification.”

The findings did not come as part of a widely publicised bug bounty programme promoted by Swiss Post on February 7. The researchers were caustic on that bounty programme, saying its disclosure terms were restrictive.

“If we really are set in living in a world with evoting then we need to come to terms with the scale of the challenge, understand that puffery, redacted audits and bug bounty marketing stunts have no place in building secure infrastructure”, Sarah Jamie Lewis – Executive Director at Open Privacy – wrote on Twitter.

She added: “We need to understand that it is unacceptable that the same organization that stands to benefit from running evoting infrastructure should be in a position of deciding what and when researchers can disclose issues.”

The findings come despite the system have been through several audits.

It comes as Switzerland looks to roll out e-voting across the country following extensive trials. SwissPost published the source code for the system last month (a legal requirement) offering a bounty of up to CHF150,000 for major vulnerabilities.

“If someone did want to introduce an opportunity for manipulation, the best method would be one that could be explained away as an accident if it was found. We simply do not see any evidence either way”

The researchers said they did not believe the vulnerability was a deliberate one. “Rather [It is] entirely consistent with a naive implementation of a complex cryptographic protocol by well-intentioned people who lacked a full understanding of its security assumptions and other important details.”

“Of course, if someone did want to introduce an opportunity for manipulation, the best method would be one that could be explained away as an accident if it was found. We simply do not see any evidence either way.”

Scytl responded: “The code has already been updated by using the random verifiable mechanism that was already implemented in the voting system but had not been activated. The e-voting system currently in use in various cantons is not affected by this situation. The finding exclusively concerns universal verifiability properties, which have never been used in a real election in Switzerland so far.”

“Security and transparency have always been a cornerstone for Scytl. The recent publication of the source code as well as the public intrusion test are part of the company’s commitment to ensuring secure and transparent online voting processes. We are thankful to those researchers who helped us identify this issue and support us in building the future of secure online voting.”

SwissPost said: “To exploit the weak point the attacker had to override numerous protective measures. They needed control over Swiss Post’s secured IT infrastructure, for example, as well as help from several insiders with specialist knowledge of Swiss Post or the cantons.”

This may not reassure all parties. As Sarah Jamie Lewis wrote after the source code was first released: “I wish the swiss election team the best of luck in ensuring that the thousands of new, highly configurable, ZKP code, written in Java, decomposed over hundreds of files, is up to the standard of securing national elections.”

See also: Election Systems Worldwide Vulnerable to Attack: FireEye

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.