Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Vulnerabilities in Swiss E-Voting System Earn Researchers Big Bounties

Vulnerabilities in Swiss e-voting system

Vulnerabilities in Swiss e-voting system

Researchers have already earned tens of thousands of euros for vulnerabilities found in Switzerland’s new e-voting system as part of a recently launched bug bounty program.

E-voting was first introduced in Switzerland nearly two decades ago. However, the country’s national postal service, Swiss Post, which is in charge of e-voting, has been working on a new system “with complete verifiability.”

Before the new system can be widely implemented, Swiss Post wants to make sure that it’s properly tested and secure. The organization launched the first e-voting bug bounty program in 2019, but it only ran for one month and resulted in the discovery of only around a dozen low-severity security issues.

However, at around the same time, a team of researchers analyzed the system’s source code — outside of any bug bounty program — and they uncovered potentially serious vulnerabilities related to cryptographic protocols, including flaws that could have led to undetectable vote manipulation. The findings were downplayed by the company that developed the voting system.

Last year, Swiss Post announced an ongoing bug bounty program on the YesWeHack platform, offering rewards of up to €230,000 (roughly $260,000 at the time of writing).

According to Swiss Post, it has already received 122 vulnerability reports as of January 20, 2022, including four issues that have been assigned a “high severity” rating. For all the valid vulnerabilities, it has paid out a total of €79,000 ($88,000).

Of this amount, €27,000 ($30,000) was earned by Ruben Santamarta, an experienced cybersecurity researcher who in the past years discovered many vulnerabilities, including in industrial, IoT, satellite, avionics and maritime systems.

Santamarta has so far identified 13 vulnerabilities in the e-voting system, but his research is ongoing and he expects to report additional issues. He also noted that the severity of some flaws is still being investigated and he expects to receive additional rewards for weaknesses that have already been disclosed to the vendor.

Advertisement. Scroll to continue reading.

Nineteen researchers are listed in the hall of fame of the Swiss Post’s bug bounty program on YesWeHack and Santamarta currently has the highest ranking. The highest bounty paid out so far as part of this program was €40,000 ($45,000).

In a blog post published earlier this month, Santamarta disclosed the details of seven vulnerabilities, including a high-severity issue that has earned him €15,000. The high-severity flaw is related to the use of USB drives.

“In the Swiss Post e-voting system, some of the equipments that are in charge of performing critical tasks are air gapped, using a USB key to share information between them,” Santamarta told SecurityWeek. “I found a vulnerability in the way the contents of this USB key are handled, which allowed to overwrite arbitrary files in the affected computer.”

He explained, “Eventually, if a malicious actor — likely a nation-state taking into account the threat scenario — is able to surreptitiously supply a malicious USB key to the administrators (or even just a malicious administrator, which is assumed in Swiss Post’s threat model), it would be possible to run arbitrary code in the SDM, a computer which is a key asset in the e-voting system, thus leading to a potential compromise of the entire election process.”

Santamarta said he also found some vulnerabilities related to cryptography weaknesses that “weaken the underlying cryptographic protocol the Swiss Post e-voting system relies on.”

Related: Experts Warn of Dangers From Breach of Voter System Software

Related: Report Highlights Cyber Risks to US Election Systems

Related: False Claims on Voting Machines Obscure Real Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider Horizon3.ai.

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights