Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Vulnerabilities in Swiss E-Voting System Earn Researchers Big Bounties

Vulnerabilities in Swiss e-voting system

Vulnerabilities in Swiss e-voting system

Researchers have already earned tens of thousands of euros for vulnerabilities found in Switzerland’s new e-voting system as part of a recently launched bug bounty program.

E-voting was first introduced in Switzerland nearly two decades ago. However, the country’s national postal service, Swiss Post, which is in charge of e-voting, has been working on a new system “with complete verifiability.”

Before the new system can be widely implemented, Swiss Post wants to make sure that it’s properly tested and secure. The organization launched the first e-voting bug bounty program in 2019, but it only ran for one month and resulted in the discovery of only around a dozen low-severity security issues.

However, at around the same time, a team of researchers analyzed the system’s source code — outside of any bug bounty program — and they uncovered potentially serious vulnerabilities related to cryptographic protocols, including flaws that could have led to undetectable vote manipulation. The findings were downplayed by the company that developed the voting system.

Last year, Swiss Post announced an ongoing bug bounty program on the YesWeHack platform, offering rewards of up to €230,000 (roughly $260,000 at the time of writing).

According to Swiss Post, it has already received 122 vulnerability reports as of January 20, 2022, including four issues that have been assigned a “high severity” rating. For all the valid vulnerabilities, it has paid out a total of €79,000 ($88,000).

Of this amount, €27,000 ($30,000) was earned by Ruben Santamarta, an experienced cybersecurity researcher who in the past years discovered many vulnerabilities, including in industrial, IoT, satellite, avionics and maritime systems.

Advertisement. Scroll to continue reading.

Santamarta has so far identified 13 vulnerabilities in the e-voting system, but his research is ongoing and he expects to report additional issues. He also noted that the severity of some flaws is still being investigated and he expects to receive additional rewards for weaknesses that have already been disclosed to the vendor.

Nineteen researchers are listed in the hall of fame of the Swiss Post’s bug bounty program on YesWeHack and Santamarta currently has the highest ranking. The highest bounty paid out so far as part of this program was €40,000 ($45,000).

In a blog post published earlier this month, Santamarta disclosed the details of seven vulnerabilities, including a high-severity issue that has earned him €15,000. The high-severity flaw is related to the use of USB drives.

“In the Swiss Post e-voting system, some of the equipments that are in charge of performing critical tasks are air gapped, using a USB key to share information between them,” Santamarta told SecurityWeek. “I found a vulnerability in the way the contents of this USB key are handled, which allowed to overwrite arbitrary files in the affected computer.”

He explained, “Eventually, if a malicious actor — likely a nation-state taking into account the threat scenario — is able to surreptitiously supply a malicious USB key to the administrators (or even just a malicious administrator, which is assumed in Swiss Post’s threat model), it would be possible to run arbitrary code in the SDM, a computer which is a key asset in the e-voting system, thus leading to a potential compromise of the entire election process.”

Santamarta said he also found some vulnerabilities related to cryptography weaknesses that “weaken the underlying cryptographic protocol the Swiss Post e-voting system relies on.”

Related: Experts Warn of Dangers From Breach of Voter System Software

Related: Report Highlights Cyber Risks to US Election Systems

Related: False Claims on Voting Machines Obscure Real Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.