Slashdot Mirror


Researchers Find Critical Backdoor In Swiss Online Voting System (vice.com)

An international group of researchers who have been examining the source code for an internet voting system that Switzerland plans to roll out this year have found a critical flaw in the code that would allow someone to alter votes without detection. New submitter eatmorekix shares a report: The cryptographic backdoor exists in a part of the system that is supposed to verify that all of the ballots and votes counted in an election are the same ones that voters cast. But the flaw could allow someone to swap out all of the legitimate ballots and replace them with fraudulent ones, all without detection. "The vulnerability is astonishing," said Matthew Green, who teaches cryptography at Johns Hopkins University and did not do the research but read the researchers' report. "In normal elections, there is no single person who could undetectably defraud the entire election. But in this system they built, there is a party who could do that."

The researchers provided their findings last week to Swiss Post, the country's national postal service, which developed the system with the Barcelona-based company Scytl. Swiss Post said in a statement the researchers provided Motherboard and that the Swiss Post plans to publish online on Tuesday, that the researchers were correct in their findings and that it had asked Scytl to fix the issue. It also downplayed the vulnerability, however, saying that to exploit it, an attacker would need control over Swiss Post's secured IT infrastructure "as well as help from several insiders with specialist knowledge of Swiss Post or the cantons."

69 comments

  1. But by Anonymous Coward · · Score: 0

    But can we get back to the sloppy chicken and actual fucking spaghetti conversation?

    1. Re:But by arglebargle_xiv · · Score: 1
  2. One vulnerability less by rgbe · · Score: 1

    I have to say that this finding has made the whole system more secure. This is difficult to say for closed source systems.

    1. Re: One vulnerability less by Anonymous Coward · · Score: 0

      True

    2. Re:One vulnerability less by sycodon · · Score: 4, Insightful

      Online voting is folly. Even mail in voting lacks adequate chain of custody policies.

      --
      When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    3. Re:One vulnerability less by Anonymous Coward · · Score: 1

      I have to say that this finding has made the whole system more secure. This is difficult to say for closed source systems.

      Well, not according to a related article.

      (...)
      Although Swiss Post claims the system has undergone three audits by auditing giant KPMG— among them an audit of the end-to-end encryption—it has never made the auditing reports public or indicated if anything significant got changed as a result of the audits.

      “Even if you sat down and read every line and determined everything was good, the code still wouldn’t pass the bar for being good code,” (...)

      (...) As part of the test, the Swiss Post is making the source code for the software available to participants. But the code wasn’t supposed to be open to just anyone to examine.

      Instead, to obtain access to it, participants have to agree to terms that were published with the announcement of the bug bounty program.

      “[Y]ou need to agree to these strange rules they have. So in the concept of free and open source code, it’s not really accessible,” said Hernani Marques, board member and spokesperson of the Chaos Computer Club of Switzerland. “I think they don’t get the concept of free and open code.”(...)

    4. Re:One vulnerability less by hcs_$reboot · · Score: 2

      Interesting. What's more secure: a heavy steel door or a 4096 bits key? Among the key combinations, one works for sure. The neophyte says "The door is not for me, too impressive; but the key, if I'm lucky...". Back to votes, what's more dangerous: a hack that will allow someone working hard to change 1% of the votes, or some influential yet seemingly innocent media that pushes in one direction?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re:One vulnerability less by Anonymous Coward · · Score: 0

      Yes, but paper votes are much harder to change en masse. It should be safe to assume that all digital systems can be compromised, and control of a government is a very powerful, very valuable thing. To think that attackers would not be well resourced is crazy. I support digital things for most purposes, but I absolutely think the world needs to stay (or return to) paper voting where fraudulent activity is very difficult, even for a well funded attacker, to implement on a large scale.

    6. Re:One vulnerability less by Anonymous Coward · · Score: 0

      Neither is secure.

      What you need is oversight.
      You vote with paper ballots. From the moment the vote is cast until they are all counted, no-one is alone with the ballots.

    7. Re:One vulnerability less by Anonymous Coward · · Score: 0

      The heavy steel door. For one simple reason: you have to go there and take it down and people will see you trying to get it down. An online system with a 4096 bit key? Well, you only need an internet connection. Nobody knows you're trying to connect and, of course, nobody knows if you succeed.

  3. needs more Blockchain by blackt0wer · · Score: 1

    Any system where records are opaquely held is ripe for abuse and fraud.

  4. Swiss cheese by ShanghaiBill · · Score: 5, Funny

    So the takeaway is that the Swiss make their voting systems the same way they make their cheese: full of holes.

    1. Re:Swiss cheese by youngone · · Score: 5, Insightful

      No, the takeaway is that the Swiss are testing the online voting system they haven't put into production yet, and they have found a major hole.
      Because they're Swiss, the next step will be to fix it.

    2. Re:Swiss cheese by rickb928 · · Score: 1

      And the next hole. And the next.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    3. Re:Swiss cheese by Immerman · · Score: 4, Insightful

      Hey, still beats the U.S. process, where every time a hole is found everybody ignores it, and possibly tries to silence those trying to raise awareness of the problem.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    4. Re:Swiss cheese by Anonymous Coward · · Score: 0

      Why is the default response of organizations, "oh, it's not our fault, it's not that bad."

      Fucking spineless pieces of shit.

    5. Re:Swiss cheese by Dunbal · · Score: 2

      Except they're asking the guy who put the hole there to plug the hole. So while he plugs it, he'll just make another hole.

      --
      Seven puppies were harmed during the making of this post.
    6. Re:Swiss cheese by Anonymous Coward · · Score: 0

      You cannot fix online voting. Too many bad actors that can easily be stopped with paper voting.

    7. Re:Swiss cheese by arglebargle_xiv · · Score: 1

      Because they're Swiss, the next step will be to fix it.

      Naah, the next step will be to sell it in different grades: Emmenthaler voting software, Appenzeller voting software, ...

    8. Re: Swiss cheese by Anonymous Coward · · Score: 0

      What holes? You mean the ones where non-citizens, dead people, and illegal aliens can vote and have their votes counted?

      That hole? Because we do not require ID? Because one of the major parties wants it that way?

      That hole?

    9. Re: Swiss cheese by Anonymous Coward · · Score: 0

      Yeah, you are one of those who believe that there is a lot of voter fraud that can sway the vote counted. If it was true, the current President wouldn't be the one you have right now. Got it?

  5. BORK BORK BORK by Anonymous Coward · · Score: 0

    Spaghetti code served up, BORK BORK BORK

  6. Mista Puhtaddah Head!! MISTA PUHTADDAH HEAD!! by Anonymous Coward · · Score: 0

    Back doors are NOT SECRETS.

  7. A comment and a question by AlanObject · · Score: 1

    First point: score one for open-source-based economy. The problem can now get fixed without the usual denials from the usual vested interests.

    Question: The article says the backdoor allows changes to be "undetected." If the voting system is online isn't there a way that you can go back and verify that your vote was counted correctly?

    1. Re:A comment and a question by Anonymous Coward · · Score: 0

      Question: The article says the backdoor allows changes to be "undetected." If the voting system is online isn't there a way that you can go back and verify that your vote was counted correctly?

      they found a way to fool a proof verification,

      the key thing here is privacy. the system must not only ensure verifiability, but must do so without disclosing votes. several encryption schemes and verification proofs are used so anybody can verify that a vote was counted as cast, and cast as intended, without ever having to see the actual vote contents.

      one of those proofs has been revealed vulnerable to attack which means someone with access to the system could alter votes in such a way that the mentioned proof still verifies, thus could alter votes 'undetected'.

    2. Re:A comment and a question by shilly · · Score: 4, Insightful

      There is *no* way to verify your vote was counted correctly with online voting. It's conceptually impossible -- at the end of the day, you're always reduced to trusting that the thing on the screen in front of you in some way corresponds to reality and isn't just telling you what you want to hear.

      What's worse is, quite a lot of quite clever people -- certainly much cleverer than the average voter -- are heavily invested in saying that you can, in fact, verify an online vote reliably. So they create and describe complex and elaborate protocols that they solemnly swear (or fervently believe) are 100% effective. But an average voter can't begin to know whether the protocols are effective. The complexity of these systems is well beyond their comprehension -- which is no slur on the average voter, I include myself in that category. Ultimately, we're still reduced to being asked to put our faith in a black box coupled with various people saying "trust us, it's totes legit".

    3. Re:A comment and a question by Mathinker · · Score: 1

      > There is *no* way to verify your vote was counted correctly with online voting.

      Unless you are volunteering to oversee the paper ballot counting process (of your own polling place, which if I am not mistaken is not usually even possible in most jurisdictions with paper ballots), the exact same is true for paper ballots. So what, exactly, is your point?

      If it's that overseeing paper ballot counting is within the abilities of far more individuals than overseeing online voting, then I agree.

    4. Re:A comment and a question by AlanObject · · Score: 1

      I can verify each and every ATM transaction and online banking transaction I ever made. Have for millions of dollars of transactions over decades.

      And the system has made mistakes. I see them, call up, and they are corrected. Sometimes the bank corrects them before I even notice.

      Not just me. Billions of customers world wide have the same capability.

      And we can't have a secure online voting system. Really.

    5. Re:A comment and a question by shilly · · Score: 2

      Don't you see the fundamental difference? An error at an ATM is checkable by you because it affects your bank balance. You know in advance what the right answer should be. An error (or deliberate falsification) of your vote count in an election is not checkable by you because you don't know in advance what the right answer should be when it's summed with all the other counts. This is an insuperable distinction.

    6. Re:A comment and a question by shilly · · Score: 3, Insightful

      It's a bit more than the fact that "overseeing paper ballot counting is within the abilities of far more individuals than overseeing online voting". It's that I don't *need* to check my individual result for a paper count. A big box of paper ballots is emptied in front of lots of people and lots of people then set to work counting. And other people check their counts. And check the sums when the counts from various boxes are added. There's no need to provide traceability of an individual vote because the conceptual model is different from an online vote: I physically place my paper ballot in the box which is in plain view of lots of people who all keep each other honest, and every step from then on is also in plain view of lots of people who keep each other honest. And it can all easily be recounted.

    7. Re:A comment and a question by AlanObject · · Score: 1

      You don't seem to understand the available technology very well.

      The list of all votes should be publicly accessible, countable by everyone and anyone. One URL per precinct, for example.

      Each vote is anonymous but has a digital signature. Anyone can verify any vote for which they have the key which is on the receipt they got when they voted. That could be either online or at the polling place on a cheap-ass voting machine. (A Raspberry Pi with a display and mouse could do it.) But the local voters will decide what is the legal way to vote.

      If fraud is suspected, which is possible but unlikely, many people will check their votes and complain if it looks like their vote is altered. If enough people raise a verifiable objection the authorities will be compelled to take action as directed by statute.

      If someone manages to steal keys it will be an issue of voter privacy but not anything to do with altering the outcome of the election.

      These are simple concepts that may be implemented by any of thousands (millions?) of unremarkable software coders using all open-source tools downloadable in minutes.

      The only reason this isn't done is a general illiteracy among the general population, the officials, and political leaders in some combination that make it nearly impossible to move forward. After all, everyone "knows" it is impossible to have 100% secure systems. What is hard to make them understand is that although you want to have your systems as secure as you can possibly make them the key to having high-integrity elections is not that -- it is having a 1) publicly accessible verification system that would detect any fraud that matters, and 2) election laws that would respond to any fraud or error that actually occurs.

    8. Re:A comment and a question by bill_mcgonigle · · Score: 1

      Trusting math means others can find holes and they can eventually be fixed. You should probably issue an HMAC on your vote using your private key (so then you have a key management problem, not a voting problem...).

      Trusting people means every single time malfeasance will happen somewhere and that can never get better. So that's worse.

      But voting is the suggestion box of slaves so even if the technical problems are solved there's not likely to be any real change anyway. Securing voting is just a proxy symptom alleviation to the underlying problems.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Everyone can be bought. by Anonymous Coward · · Score: 0

    It also downplayed the vulnerability, however, saying that to exploit it, an attacker would need control over Swiss Post's secured IT infrastructure "as well as help from several insiders with specialist knowledge of Swiss Post or the cantons."

    Everyone can be bought. It is just a matter of the right price in the right currency. That currency could be anything, from money until the number of your children that will come home safely from school next week.

    1. Re:Everyone can be bought. by Askmum · · Score: 2

      Their comment shows how incomplete these people think. "Oh, you'd have to have access to our secure IT network and no hacker has that!".
      Granted, I'll give you that much. But you have. Your government has. And especially that last party can have a very large interest in keeping the power where they think it belongs.
      People seem to not realise that even though you can defraud paper ballots, the process is very hard and to be able to make significant impact you need a lot of people in on it. Defrauding an electronic ballot can be done by one person and can cover the complete ballot and can be undetectable. This single vulnerability is the reason why electronic ballots are a Bad Idea(tm).

  9. Trust, but verity by Wild_dog! · · Score: 2

    There must always be a paper trail.
    Then there is less likelihood that a breach won't be detected and an actual manual vote count is possible.

    1. Re:Trust, but verity by Anonymous Coward · · Score: 0

      Not just a paper trail. You also want to ensure the vote was given in freedom and privacy without undue pressure from anyone.
      Mail in ballots fail that test as well.

  10. Re:Coincidence only by Wild_dog! · · Score: 1

    So people get some sort of say in how things are.
    Elections have consequences.
    Don't vote
    Don't bitch about how things are.

  11. Keep it simple stupid by Anonymous Coward · · Score: 0

    1. All citizens generate their own public key and submit it in person to the government. The government makes note that citizen X has registered, but does not link their name with their key. Instead assigns them a universal identifier number.

    2. All votes are published online, encrypted and plain text. And searchable via Universal identify number.

    3. Once a citizen votes, they can check to see if their vote was manipulated, and others can count the votes. If a citizen comes forward and says their vote was changed, then you know someone was corrupt.

    The only added responsibility every voter has is to check to make sure their vote was not changed when the counting begins.

    1. Re: Keep it simple stupid by Anonymous Coward · · Score: 0

      3. Your boss demands that you show him your "private" voting record to prove that you voted the way he told you to vote, or else you're fired.

    2. Re: Keep it simple stupid by Anonymous Coward · · Score: 0

      This can still happen, he could demand you take a photo of your paper ballot.

      Also in your scenario he must confront you a minimum of 2 times, after the first you can record the second with police when he verifies your vote.

    3. Re: Keep it simple stupid by Anonymous Coward · · Score: 0

      In Soviet Russia, you take a photo of the ballot as your boss asks, then render the ballot invalid, return it and ask for another blank. You can even do it twice if two bosses ask for opposite votes and you do not want to vote at all.

    4. Re:Keep it simple stupid by shilly · · Score: 1

      "Sure, you can trust this public key generator. Course you can"
      "Of course no-one has linked your public key to your universal identifier number. You can totally trust us on that"
      "Absolutely, what you see on the screen in front of you when you search for a universal identity number really reflects the reality of how your vote was (or was not) counted"
      etc

    5. Re:Keep it simple stupid by Anonymous Coward · · Score: 0

      Well, you know, you don't and can't trust anyone, not even yourself!

  12. would need control ... as well as help by grep+-v+'.*'+* · · Score: 2

    an attacker would need control over Swiss Post's secured IT infrastructure "as well as help from several insiders with specialist knowledge

    I've got some chocolate to trade for a password or two. Or if not that, maybe some cheese?

    Science Daily: Social engineering: Password in exchange for chocolate

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  13. No machine based vote can be trusted ... by Anonymous Coward · · Score: 0

    ... simply either it is not anonymous or you are not able to scrutinize the fairness of the result.

    Until someone finds a solution to this fact, you must avoid machine based vote for important topics such as politics.

  14. Don't bother by rickb928 · · Score: 5, Insightful

    The state of the art is inadequate to ensure secure, valid, accurate vote acquisition and tabulation. And there is no reason to expect it will be any time soon.

    Just stop. Those most interested in electronic voting are either profiting from the deployment, or profiting from manipulating the results.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  15. Maybe Accept Third-Party Verification? by resistant · · Score: 0

    I've always suspected that electronic voting systems, in order to be truly resistant to incessant and widespread hacking attacks, will have to accept the concept of issuing encrypted, printed paper receipts of cast votes to individual voters that then can be voluntarily passed on to independent, third-party tabulation organizations that act as a reality check on official election results. Purely online voting systems can conveniently produce both electronic receipts and downloadable PDF documents. Sure, this move might be problematic for the fundamental concept of the secret vote, but what the hell. What's worse, having to cope with that particular can of worms, which arguably already is open, or having to cope with the strong possibility of invisibly stolen elections? You makes your trade-offs, and you takes your chances.

    That's my two cents worth of thought on the matter. No refunds! :^)

    --
    A truly excellent pizza parlor is a delight unto the heavens. Treasure the sauce and the toppings!
    1. Re:Maybe Accept Third-Party Verification? by green1 · · Score: 2

      Paper voting has neither problem...

      Look, I'm not against progress, I'm just against changing something that works when you don't have a replacement that can actually replace all its existing features.

  16. "Shanghai" Bill is a known liar many times over. by Anonymous Coward · · Score: 0

    Bill got caught lying 12-25 times repeatedly stating "Blood plasma is sterile" and then later that "The Chinese Govt does not directly censor Chinese citizens" and other absolute bullshit head-in-ass retard-level lies. You're not trustworthy.

    You are not a source of information that anyone should or even could trust, knowing your dishonest history. Sorry. That's what accountability means when you get caught lying repeatedly, over and over, even after directly corrected.

    You're a liar, Bill.

  17. Not exactly reassuring by rgmoore · · Score: 3, Insightful

    It also downplayed the vulnerability, however, saying that to exploit it, an attacker would need control over Swiss Post's secured IT infrastructure "as well as help from several insiders with specialist knowledge of Swiss Post or the cantons."

    Saying that the only people who could steal an election are a small cabal of government insiders is not particularly reassuring.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  18. Re: Coincidence only by Anonymous Coward · · Score: 0

    I didn't tell you to vote. Seems like you could just find a voting machine that will take your vote. Doesn't seem to be a problem for most people. Excuse me while I explain to the moderators to stop telling me my posts are not editable and that I don't want to edit my post so shut your pie hole.

  19. it's less expensive just to cancel the vote by edris90 · · Score: 1

    As the US is the biggest joke of the international community, I find it hard to believe that the Swiss haven't been laughing at us as we keep implementing more and more voting machines but keep getting proved to be hacked. Not just hackable. How they save themselves a bundle and just tell their people we're not having a real vote this year, and then just present whoever the voting machine manufacturer selected to win. We all expect governments to f*** over their people but do actually have to be so insultingly not sneaky about it and pretend nobody knows what they're doing?

    1. Re: it's less expensive just to cancel the vote by Anonymous Coward · · Score: 0

      1) the most powerful nation ever in the history of humanity is not a joke
      2) the rest of what you said ... well I stopped reading after the first part because why bother?

    2. Re: it's less expensive just to cancel the vote by edris90 · · Score: 1

      Well that's actually part of the joke where the most powerful Nation yet the most incapable of utilizing that power to eliminate problems in our own country. All the power all the GDP and we are too short sighted to use it for anything worth doing. It may as well not exist at all for all the good it does.

    3. Re: it's less expensive just to cancel the vote by edris90 · · Score: 1

      Humor is not measured by power; humor is measured by whether people are making fun of us. Look up stupid American jokes, research what other countries average populist think about America. Get yourself a good sampling source from other countries and then you will not be able to deny how big of a joke the US is. Power is no barrier to acting a fool. It is a gateway to you are against which is a precursor to foolish thinking and behavior

    4. Re: it's less expensive just to cancel the vote by kaatochacha · · Score: 1

      Big deal. I don't worry about other countries making jokes. I worry about them shooting at me.
      Make all the jokes you want, chuckles.

  20. Should stay with paper by AHuxley · · Score: 1

    Count the paper votes in front of the needed set of witnesses.
    Send the same count from each area to a final vote count.
    Why trust a computer not to flip votes due to the politics of some NGO, think tank, mil, politics, other nation wanting Swiss votes to sway policy globally?
    Return to paper and count every vote.
    Make Swiss voting secure again.

    --
    Domestic spying is now "Benign Information Gathering"
  21. Re:Coincidence only by GlennC · · Score: 1

    Don't vote
    Don't bitch about how things are.

    I prefer to turn it around. If I vote and the same group of amoral corporate whores gets in, they can reply "Well, YOU voted for this!"

    Voting = plausible deniability for corrupt politicians.

    --
    Go on, citizen, stamp the vote card. R or D, your choice.
  22. Re:Coincidence only by Anonymous Coward · · Score: 0

    You are right about " the same group of amoral corporate whores".

    My post:
    Coincidence only (Score:-1)
    Tell me again why we still bother to vote.

    Thanks to the dumbass who -1ed me.

    Until we get big money out of politics, our little votes are meaningless!

  23. I know the problem.. don't need the code to tell by Anonymous Coward · · Score: 0

    The problem that is the critical flaw is that it's on the internet!!

  24. Only one by Anonymous Coward · · Score: 0

    There's only one vulnerability in electronic voting: it's the electronic voting machines. The patch is to use paper ballots. No person with any computer security experience should think these machines should be trusted.

  25. Swiss Cheese? by Anonymous Coward · · Score: 0

    full o holes =)

  26. Paper works ... by JasterBobaMereel · · Score: 2

    All computer systems are a black box, even if they are open source, how do you tell that is what the system is running ... and if you can, how do we know it is still running that after you looked ... and the system that is supposed to flag changes... who wrote that ... and can we verify it ... etc ... etc ... etc ...

    --
    Puteulanus fenestra mortis
  27. That's not a backdoor by Anonymous Coward · · Score: 0

    A backdoor is something deliberately created to allow a malicious actor to gain access. It's espionage shit.

    There is no evidence that this is anything other than your run-of-the-mill vulnerability. It's just bad engineer shit.

    The fact that these kinds of vulnerabilities are run-of-the-mill is reason enough to never trust e-voting. I don't get the need to invent sensational fake news to sell the story.

  28. Who cares? I give up by Anonymous Coward · · Score: 0

    Tired of the media telling me what to think.
    Tired of Silicon Valley censoring me.
    Tired of the government taxing and spending. Why don't they just take everything and just give me what they think I need.
    Now they're watering down my vote.

  29. A bit more intricate than what it seems by CustomSolvers2 · · Score: 1

    After quickly skimming through the corresponding paper, it is clear that the detected problem has nothing to do with what is usually understood as "backdoor". Apparently, the researchers are complaining about certain parts of the implementation of an encryption algorithm not being as reliable as they should theoretically be. Here you have a descriptive quote:

    In summary: the implementation does not provide a proof, and the verifier cannot check, that the important assumption of discrete log hardness made by Bayer and Groth is valid here. It is possible for a malicious authority to generate the perfectly random G1,G2,...in a way that, at the same time, gives it a trapdoor that falsifies an assumption that is central to the security of the Bayer-Groth mixnet construction.

    In other words, the reported problem could only be exploited by directly affecting the given application/code. More specifically, certain (assumed-to-be) random numbers would have to be replaced (+ wrong results introduced). The criticism is that, if that happened, the given encryption algorithm wouldn't know about that alteration, unlike what should theoretically occur.

    So, the researchers found a way to theoretically affect a cryptographic algorithm in a way which, under ideal circumstances, shouldn't happen. This is what they meant with backdoor: possibility to modify the flow of information against the original intention of the program. Is that bad, should it be fixed, etc.? Sure. In fact, the main point here is precisely to not allow any unmonitored modification of precisely those results. On the other hand, the reference to a "critical backdoor" seems to imply a completely different thing. Not to mention the fact that all this is a bit too theoretical and uncontrollable (even by assuming that I have access to the application, how could I get X more votes for party Y?).

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
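
The paper quote in the comment above concerns the generators G1, G2, ... of the commitment scheme inside the Bayer-Groth shuffle proof. As an added example (not part of the thread, the paper, or the Swiss Post/Scytl code), this toy Pedersen commitment shows why a verifier needs evidence of how the generators were produced: a known discrete-log relation lets one commitment open to two values, while generators derived from a public seed can be recomputed and checked. The group parameters, seed and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy group: safe prime P = 2Q + 1. Far too small for real use;
# discrete logs here can be brute-forced. It only illustrates the algebra.
P = 2039
Q = 1019
G = 4                      # 2^2 mod P: a quadratic residue, so its order is Q
SEED = b"constructed-public-seed-for-illustration"


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1


def commit(m, r, g, h):
    """Pedersen commitment C = g^m * h^r mod P."""
    return (pow(g, m % Q, P) * pow(h, r % Q, P)) % P


def reopen_with_trapdoor(m, r, m_new, t):
    """If h = g^t and t is known, then C = g^(m + t*r), so any m_new has a
    matching r_new = r + (m - m_new) / t mod Q. Binding no longer holds.
    (pow with exponent -1 needs Python 3.8+.)"""
    return (r + (m - m_new) * pow(t, -1, Q)) % Q


def derive_generators(seed, n):
    """Derive n distinct subgroup elements from a public seed. Each one is
    the square of a hash output, so it lies in the order-Q subgroup and
    nobody picked its exponent relative to G or to the others."""
    gens, counter = [], 0
    while len(gens) < n:
        digest = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        h = pow(int.from_bytes(digest, "big") % P, 2, P)
        counter += 1
        if h not in (0, 1, G) and h not in gens:
            gens.append(h)
    return gens


def verify_generators(seed, claimed):
    """Verifier-side check: accept the published generators only if they
    can be recomputed exactly from the published seed."""
    return list(claimed) == derive_generators(seed, len(claimed))


if __name__ == "__main__":
    # A generator chosen as G^t looks like any other group element ...
    t = 777
    h_trapdoor = pow(G, t, P)
    c = commit(1, 123, G, h_trapdoor)
    r_new = reopen_with_trapdoor(1, 123, 2, t)
    # ... yet the same commitment now opens to a different message.
    print("same commitment, two openings:",
          c == commit(2, r_new, G, h_trapdoor))

    # Seed-derived generators pass the recomputation check; the one above
    # cannot be tied to the seed, so a verifier rejects it.
    honest = derive_generators(SEED, 3)
    print("seed-derived generators accepted:", verify_generators(SEED, honest))
    print("unexplained generator accepted:",
          verify_generators(SEED, [h_trapdoor]))
```
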
  30. I can see it now by kaatochacha · · Score: 1

    Switzerland votes to not be neutral, supports Russia!