Researchers have already earned tens of thousands of euros for vulnerabilities found in Switzerland’s new e-voting system as part of a recently launched bug bounty program.
E-voting was first introduced in Switzerland nearly two decades ago. However, the country’s national postal service, Swiss Post, which is in charge of e-voting, has been working on a new system “with complete verifiability.”
Before the new system can be widely implemented, Swiss Post wants to make sure that it’s properly tested and secure. The organization launched the first e-voting bug bounty program in 2019, but it only ran for one month and resulted in the discovery of only around a dozen low-severity security issues.
However, at around the same time, a team of researchers analyzed the system’s source code — outside of any bug bounty program — and they uncovered potentially serious vulnerabilities related to cryptographic protocols, including flaws that could have led to undetectable vote manipulation. The findings were downplayed by the company that developed the voting system.
Last year, Swiss Post announced an ongoing bug bounty program on the YesWeHack platform, offering rewards of up to €230,000 (roughly $260,000 at the time of writing).
According to Swiss Post, it has already received 122 vulnerability reports as of January 20, 2022, including four issues that have been assigned a “high severity” rating. For all the valid vulnerabilities, it has paid out a total of €79,000 ($88,000).
Of this amount, €27,000 ($30,000) was earned by Ruben Santamarta, an experienced cybersecurity researcher who in the past years discovered many vulnerabilities, including in industrial, IoT, satellite, avionics and maritime systems.
Santamarta has so far identified 13 vulnerabilities in the e-voting system, but his research is ongoing and he expects to report additional issues. He also noted that the severity of some flaws is still being investigated and he expects to receive additional rewards for weaknesses that have already been disclosed to the vendor.
Nineteen researchers are listed in the hall of fame of the Swiss Post’s bug bounty program on YesWeHack and Santamarta currently has the highest ranking. The highest bounty paid out so far as part of this program was €40,000 ($45,000).
In a blog post published earlier this month, Santamarta disclosed the details of seven vulnerabilities, including a high-severity issue that has earned him €15,000. The high-severity flaw is related to the use of USB drives.
“In the Swiss Post e-voting system, some of the equipments that are in charge of performing critical tasks are air gapped, using a USB key to share information between them,” Santamarta told SecurityWeek. “I found a vulnerability in the way the contents of this USB key are handled, which allowed to overwrite arbitrary files in the affected computer.”
He explained, “Eventually, if a malicious actor — likely a nation-state taking into account the threat scenario — is able to surreptitiously supply a malicious USB key to the administrators (or even just a malicious administrator, which is assumed in Swiss Post’s threat model), it would be possible to run arbitrary code in the SDM, a computer which is a key asset in the e-voting system, thus leading to a potential compromise of the entire election process.”
Santamarta said he also found some vulnerabilities related to cryptography weaknesses that “weaken the underlying cryptographic protocol the Swiss Post e-voting system relies on.”
Related: Experts Warn of Dangers From Breach of Voter System Software
Related: Report Highlights Cyber Risks to US Election Systems
