Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Vulnerabilities in Swiss E-Voting System Earn Researchers Big Bounties

Vulnerabilities in Swiss e-voting system

Vulnerabilities in Swiss e-voting system

Researchers have already earned tens of thousands of euros for vulnerabilities found in Switzerland’s new e-voting system as part of a recently launched bug bounty program.

E-voting was first introduced in Switzerland nearly two decades ago. However, the country’s national postal service, Swiss Post, which is in charge of e-voting, has been working on a new system “with complete verifiability.”

Before the new system can be widely implemented, Swiss Post wants to make sure that it’s properly tested and secure. The organization launched the first e-voting bug bounty program in 2019, but it only ran for one month and resulted in the discovery of only around a dozen low-severity security issues.

However, at around the same time, a team of researchers analyzed the system’s source code — outside of any bug bounty program — and they uncovered potentially serious vulnerabilities related to cryptographic protocols, including flaws that could have led to undetectable vote manipulation. The findings were downplayed by the company that developed the voting system.

Last year, Swiss Post announced an ongoing bug bounty program on the YesWeHack platform, offering rewards of up to €230,000 (roughly $260,000 at the time of writing).

According to Swiss Post, it has already received 122 vulnerability reports as of January 20, 2022, including four issues that have been assigned a “high severity” rating. For all the valid vulnerabilities, it has paid out a total of €79,000 ($88,000).

Advertisement. Scroll to continue reading.

Of this amount, €27,000 ($30,000) was earned by Ruben Santamarta, an experienced cybersecurity researcher who in the past years discovered many vulnerabilities, including in industrial, IoT, satellite, avionics and maritime systems.

Santamarta has so far identified 13 vulnerabilities in the e-voting system, but his research is ongoing and he expects to report additional issues. He also noted that the severity of some flaws is still being investigated and he expects to receive additional rewards for weaknesses that have already been disclosed to the vendor.

Nineteen researchers are listed in the hall of fame of the Swiss Post’s bug bounty program on YesWeHack and Santamarta currently has the highest ranking. The highest bounty paid out so far as part of this program was €40,000 ($45,000).

In a blog post published earlier this month, Santamarta disclosed the details of seven vulnerabilities, including a high-severity issue that has earned him €15,000. The high-severity flaw is related to the use of USB drives.

“In the Swiss Post e-voting system, some of the equipments that are in charge of performing critical tasks are air gapped, using a USB key to share information between them,” Santamarta told SecurityWeek. “I found a vulnerability in the way the contents of this USB key are handled, which allowed to overwrite arbitrary files in the affected computer.”

He explained, “Eventually, if a malicious actor — likely a nation-state taking into account the threat scenario — is able to surreptitiously supply a malicious USB key to the administrators (or even just a malicious administrator, which is assumed in Swiss Post’s threat model), it would be possible to run arbitrary code in the SDM, a computer which is a key asset in the e-voting system, thus leading to a potential compromise of the entire election process.”

Santamarta said he also found some vulnerabilities related to cryptography weaknesses that “weaken the underlying cryptographic protocol the Swiss Post e-voting system relies on.”

Related: Experts Warn of Dangers From Breach of Voter System Software

Related: Report Highlights Cyber Risks to US Election Systems

Related: False Claims on Voting Machines Obscure Real Flaws

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.