Second Critical Crypto Flaw Found in Swiss E-Voting System

More crypto vulnerabilities found in Swiss e-voting system

A second critical crypto vulnerability that can be exploited to hide vote manipulation has been discovered in the Swiss e-voting system, researchers revealed on Sunday.

The Swiss government, specifically the Swiss Post national postal service, in February announced the launch of a public bug bounty program for its electronic voting systems. Rewards of up to $50,000 have been offered and over 3,000 hackers from around the world have signed up for the program that ended on March 24.

Switzerland has been conducting e-voting trials since 2004 and Swiss Post believes it has now developed a fully verifiable system that can make e-voting widely available in the country.

However, it turns out that the components of the system designed to ensure that votes have not been manipulated, which should have already been thoroughly tested, have some potentially serious vulnerabilities.

Earlier this month, two teams of researchers reported that they had independently discovered a crypto-related vulnerability that could have been exploited for undetectable vote manipulation.

Scytl, the Spain-based electronic voting solutions provider that develops the system for the Swiss government, claims to have addressed that issue. However, the researchers said they had not seen the patched source code, so they could not verify the company's claim.

The flaw also affected the systems used in the Australian state of New South Wales (NSW), which relies on Scytl solutions as well.

All of the implicated parties downplayed the impact of the flaw, arguing that exploitation by an external attacker would have been a difficult task as it required deep access to the Swiss Post IT infrastructure and extensive knowledge of the system. However, the researchers highlighted that the e-voting system should be resistant to insider manipulation as well and the vulnerability demonstrated that it was not.

The Swiss e-voting system is designed to shuffle votes to protect individual vote privacy. Servers in charge of this shuffling process should be able to prove that the input votes correspond exactly to the output votes to ensure that the number of votes has not been tampered with. The first vulnerability found by researchers was related to this process — it was possible to add or remove votes while apparently proving that there was no manipulation.

The second weakness, which the researchers also described as “critical,” is related to the votes themselves. Each vote is encrypted and a cryptographic method known as zero-knowledge proof is used to ensure that the voting authority doesn’t declare a different vote choice than what the voter selected.

“Zero knowledge means that it doesn’t reveal anything about the decryption key, so vote privacy is protected. And proof is supposed to mean that observers can run a verification algorithm to make sure that the claimed vote really is what’s hidden within the encryption,” explained Vanessa Teague, Associate Professor at the University of Melbourne and one of the experts involved in this research.

“But our research has found that this proof is not sound. It’s possible to generate a proof that passes verification, but changes the contents of the encrypted vote. It’s a little like leaving the ballot box observable all through polling day, yet somehow managing to slip different votes into the count,” Teague added. “It’s a technical process – but one that can be done by anyone who has access to the right part of the voting system.”
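To make concrete what a sound decryption proof is supposed to guarantee, here is an added example that is not from the article, Scytl, Swiss Post or the researchers' PoC: a textbook Chaum-Pedersen proof of correct ElGamal decryption, where the verifier accepts the honestly declared vote and rejects the same proof attached to a different one. The group parameters, vote encodings and function names are constructed for illustration, and the toy group is far too small for real use.

```python
import hashlib
import secrets

# Toy parameters (constructed, insecure): P = 2Q + 1 with P, Q prime;
# G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1              # decryption key
    return x, pow(G, x, P)                        # (secret x, public h = g^x)

def encrypt(h, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(h, r, P)) % P   # ElGamal ciphertext (c1, c2)

def challenge(*statement):
    # Fiat-Shamir challenge bound to the whole statement and both commitments.
    data = ",".join(str(v) for v in statement).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove_decryption(x, h, c1, c2):
    """Decrypt, and prove log_g(h) == log_c1(c2/m) without revealing x."""
    m = (c2 * pow(c1, Q - x, P)) % P              # c1^(-x), since c1 has order Q
    w = secrets.randbelow(Q)
    a, b = pow(G, w, P), pow(c1, w, P)            # commitments
    c = challenge(P, Q, G, h, c1, c2, m, a, b)
    return m, (a, b, (w + c * x) % Q)

def verify_decryption(h, c1, c2, m, proof):
    """Observer's check that m really is the plaintext of (c1, c2)."""
    a, b, z = proof
    c = challenge(P, Q, G, h, c1, c2, m, a, b)
    d = (c2 * pow(m, -1, P)) % P                  # equals c1^x only if m is right
    return (pow(G, z, P) == (a * pow(h, c, P)) % P and
            pow(c1, z, P) == (b * pow(d, c, P)) % P)

def demo():
    yes, no = pow(G, 1, P), pow(G, 2, P)          # constructed vote encodings
    x, h = keygen()
    c1, c2 = encrypt(h, yes)
    m, proof = prove_decryption(x, h, c1, c2)
    return (verify_decryption(h, c1, c2, m, proof),    # honest declaration
            verify_decryption(h, c1, c2, no, proof))   # altered declaration

if __name__ == "__main__":
    print(demo())
```

With a group this small, an altered declaration still slips through with probability on the order of 1/Q² per attempt; real deployments use groups large enough to make that negligible.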

Unlike in the case of the first issue, exploiting this vulnerability does leave a trace, explained cryptography expert Sarah Jamie Lewis, executive director of a privacy-focused non-profit called Open Privacy and one of the people involved in this research.

Lewis revealed on Twitter that they had identified other “major issues” as well. The researchers have disclosed the technical details of their findings and released proof-of-concept (PoC) code. She believes these problems are not isolated and they are not easy to fix.

Both Swiss Post and the NSW Electoral Commission have been notified. Swiss Post has yet to make any comments on the findings, but the NSW Electoral Commission says it’s confident that its own systems are not affected by this second flaw.

It’s worth noting that these flaws were not reported to Swiss Post as part of the bug bounty program.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
