
Some thoughts on e-Voting vulnerabilities.


I'm a little bit surprised about today's Schneier blog post "Security Vulnerability of Switzerland’s E-Voting System".



Just to add some context before continuing: I've been researching that specific e-Voting system since 2022. I've reported quite a few vulnerabilities (I hold 1st place in the 'SwissPost e-Voting' bug bounty program) and have published detailed write-ups for some of these security issues. Even today I have some really bad vulnerabilities still under review.

I understand, and support, the precautions that security people usually express about e-Voting technologies. That said, I can't understand the commonplace assertions that depict e-Voting as an unsolvable problem in general terms, which would irremediably leave us with only the 'paper' option.

However, the worst part is that the issue described in that article, which apparently underpins the subsequent reasoning, is not even a vulnerability but a malware-based social engineering attack. Long story short: the claimed 'vulnerability' is that the e-Voting protocol is not explained in the printed documentation received by the voters, so if your computer is infected, the malware can modify the victim's browser to show a malicious Swiss Post e-Voting website that guides the voter through a different UI in order to 'bypass' the printed 'security codes', which are what give voters individual verifiability.

This is a social engineering attack because even if the full protocol were explained in the printed documentation you receive, the malware already present on your computer would simply adapt its approach by injecting into the locally rendered view of the Swiss Post e-Voting website a notice such as "a last-minute change introduced by the Chancellery has modified the protocol previously laid out. Please follow the new instructions." Or "Please scan the printed documentation you received and upload the image using this web form to continue the voting process", and so on...
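To make the role of the printed codes concrete, here is a simplified, constructed model of individual verifiability (an added example, not code from Swiss Post or from the original post; the real protocol derives its return codes through a multi-party cryptographic construction, and names such as `derive_code`, `print_code_sheet` and the option list are illustrative). It shows that a vote altered by the client is caught as soon as the voter compares the displayed code with the paper sheet.

```python
import hashlib
import hmac
import secrets

# Simplified, constructed model of individual verifiability with printed
# return codes. This is NOT the Swiss Post protocol (whose codes come from a
# multi-party cryptographic construction); it only models the voter-side check.

OPTIONS = ["yes", "no", "blank"]


def derive_code(sheet_secret: bytes, voter_id: str, option: str) -> str:
    """Derive the return code for one (voter, option) pair from a per-election secret."""
    mac = hmac.new(sheet_secret, f"{voter_id}|{option}".encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


def print_code_sheet(sheet_secret: bytes, voter_id: str) -> dict:
    """The paper sheet mailed to the voter: one return code per option.
    It stays offline, so client-side malware never sees it."""
    sheet = {opt: derive_code(sheet_secret, voter_id, opt) for opt in OPTIONS}
    if len(set(sheet.values())) != len(OPTIONS):
        raise ValueError("collision in return codes; reissue the sheet")
    return sheet


def server_return_code(sheet_secret: bytes, voter_id: str, received: str) -> str:
    """The server answers with the code for the option it actually received."""
    return derive_code(sheet_secret, voter_id, received)


def voter_checks(sheet: dict, intended: str, displayed: str) -> bool:
    """Voter compares the code on screen with the printed code for the option
    they meant to choose. A mismatch reveals a vote altered on the way."""
    return hmac.compare_digest(sheet[intended], displayed)


def cast_vote(intended: str, transmitted: str, sheet_secret: bytes = b"",
              voter_id: str = "voter-42") -> bool:
    """Simulate one voter. `transmitted` is what the browser really sends; it
    differs from `intended` only if something on the client tampered with it.
    Returns True when the voter's paper check passes."""
    sheet_secret = sheet_secret or secrets.token_bytes(32)
    sheet = print_code_sheet(sheet_secret, voter_id)
    displayed = server_return_code(sheet_secret, voter_id, transmitted)
    return voter_checks(sheet, intended, displayed)


if __name__ == "__main__":
    print("honest client  :", cast_vote("yes", "yes"))  # True
    print("tampered client:", cast_vote("yes", "no"))   # False, voter notices
```

The check only helps if the voter actually performs it against the paper sheet; a manipulated UI that talks the voter out of comparing, or into uploading the sheet, sidesteps it without breaking any cryptography, which is exactly why the scenario is social engineering rather than a protocol flaw.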

This situation is even easier to understand by extrapolating it to the 'analog world': on election day, while you're on your way to the polling station, you run into someone who manages to trick you into changing your vote. It may happen, but I wouldn't claim that 'analog' voting is useless as a result.

There are some parts in the original description of the 'vulnerability' that I consider a little bit over the top, to be honest. 

"Even with a Master’s degree in computer science, I have difficulties matching the source code to the public documentation and the theoretical protocol. While third parties have formally verified the cryptographic protocol [7], it is difficult to compare the provably correct theoretical protocol to the actual implementation by Swiss Post due to the code size and complexity (over 60,000 lines of Java code, distributed over almost 800 files). Additionally, the possibility for an attacker to force clients to deviate from the intended protocol has not yet been thoroughly studied, leading to vulnerabilities like the one whose risk we showcased."

I don't even have a degree, and I profoundly disagree with the previous statement: I've reviewed some of the largest codebases in the world, and this is the conclusion I reached in "Finding vulnerabilities in Swiss Post’s future e-voting system - Part 1", published a year ago.

"Swiss Post e-voting platform is a quite complex system, comprised of different technologies, whose codebase is approximately 150,000 lines of code, most of them Java but also Typescript for the front-end applications. Please note that a significant part of the code is dedicated to implement custom cryptographic protocols and operations. Despite this, code and component interactions are surprisingly easy to follow as everything is highly documented: cryptographic protocols, architecture, operations... The entire system seems to have been designed, defined and implemented in such a way that a 3rd party may properly audit it. Actually Swiss Post paid special attention to this aspect by requesting an external auditability report."

This is also corroborated by independent reports, which provide formal metrics to back those conclusions. 

I know it's likely an unpopular opinion within the infosec community, but I see e-Voting as something positive that will facilitate the right to vote for many people in different situations and/or under certain conditions. I also acknowledge that a massive undertaking is required to guarantee significant levels of public trust in these technologies. SwissPost's approach to this task, which prioritizes transparency and open source, is, in my view, the right one.

E-Voting criticism is obviously legitimate and necessary, which is why I periodically try to break the SwissPost e-Voting system and publicly detail the outcome of these efforts. However, I think we should refrain from challenging maths and code with either vague claims or commonplace assertions.
