Vulnerabilities Discovered in Swiss E-Voting System
Technical flaws were detected in the Swiss government’s electronic voting system. A team of cybersecurity researchers on Tuesday found this defect which could enable outsiders to replace legitimate votes with fraudulent ones.
Sarah Jamie Lewis, Olivier Pereira, and Vanessa Teague published a report, which details how the issue is related to the way Switzerland’s voting system receives and counts votes. Anyone familiar with the sequence of “shuffle proofs” — the cryptographic protocol the system relies on to verify votes — could manipulate ballots that would pass the system’s authentication test.
Though the country’s national postal service the Swiss Post, which developed the system along with Scytyl, a Spanish company, said: “the issue had been resolved.” But researchers believe this flaw personifies the kind of worst-case scenario. Election security experts have warned about as more governments move toward paperless voting.
The executive director of the Open Privacy Research Society, Sarah Jamie Lewis, in a series of tweets said, “This code is being held up as ‘state-of-the-art,’ and yet the system contained at least one critical cryptographic vulnerability – apparently left open for years.”
Nevertheless, both Scytl and Swiss Post are confident in this system, saying “the system as apparently been audited multiple times.” But the question remains how did those audits miss this critical issue?
“Let us not downplay this,” she said. “This code is intended to secure national elections. Election security has a direct impact on the distribution of power within a democracy. The public has a right to know everything about the design and implementation of the system.”
Switzerland has experimented with electronic voting since 2004 and has plans to make it a nationwide option as soon as October.
This disclosure comes right after the announcement from the Swiss government to reward up to CHF 50,000 (roughly $50,000) to any researcher who reported vulnerabilities in the e-voting system. The contest is scheduled to run through March 24.
Lewis, though not a part of the bounty program, but has revealed on other issues in the code, though they are not as serious as the one disclosed Tuesday. She said, “This code is simply not up to the standard we should require of critical public infrastructure.”
Kevin Jones743 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.