Researchers Find Critical Backdoor In Swiss Online Voting System

An international group of researchers who have been examining the source code for an internet voting system that Switzerland plans to roll out this year have found a critical flaw in the code that would allow someone to alter votes without detection. New submitter eatmorekix shares a report: The cryptographic backdoor exists in a part of the system that is supposed to verify that all of the ballots and votes counted in an election are the same ones that voters cast. But the flaw could allow someone to swap out all of the legitimate ballots and replace them with fraudulent ones, all without detection. "The vulnerability is astonishing," said Matthew Green, who teaches cryptography at Johns Hopkins University and did not do the research but read the researchers' report. "In normal elections, there is no single person who could undetectably defraud the entire election. But in this system they built, there is a party who could do that."

The researchers provided their findings last week to Swiss Post, the country's national postal service, which developed the system with the Barcelona-based company Scytl. Swiss Post said in a statement the researchers provided Motherboard and that the Swiss Post plans to publish online on Tuesday, that the researchers were correct in their findings and that it had asked Scytl to fix the issue. It also downplayed the vulnerability, however, saying that to exploit it, an attacker would need control over Swiss Postâ(TM)s secured IT infrastructure "as well as help from several insiders with specialist knowledge of Swiss Post or the cantons."

Swiss cheese

[ShanghaiBill]

So the takeaway is that the Swiss make their voting systems the same way they make their cheese: full of holes.

Re:Swiss cheese

[youngone]

No, the takeaway is that the Swiss are testing the online voting system they haven't put into production yet, and they have found a major hole.
Because they're Swiss, the next step will be to fix it.

Re:Swiss cheese

[Immerman]

Hey, still beats the U.S. process, where every time a hole is found everybody ignores it, and possibly tries to silence those trying to raise awareness of the problem.

Re:Swiss cheese

[Dunbal]

Except they're asking the guy who put the hole there to plug the hole. So while he plugs it, he'll just make another hole.

Trust, but verity

[Wild_dog!]

There must always be a paper trail.
Then there is less likelihood that a breach won't be detected and an actual manual vote count is possible.

Re:One vulnerability less

[sycodon]

Online voting is folly. Even mail in voting lacks adequate chain of custody policies.

would need control ... as well as help

[grep+-v+'.*'+*]

an attacker would need control over Swiss Post's secured IT infrastructure "as well as help from several insiders with specialist knowledge

I've got some chocolate to trade for a password or two. Or if not that, maybe some cheese?

Science Daily: Social engineering: Password in exchange for chocolate

Don't bother

[rickb928]

The state of the art is inadequate to ensure secure, valid, accurate vote acquisition and tabulation. And there is no reason to expect it will be any time soon.

Just stop. Those most interested in electronic voting are either profiting from the deployment, or profiting from manipulating the results.

Re:Maybe Accept Third-Party Verification?

[green1]

Paper voting has neither problem...

Look, I'm not against progress, I'm just against changing something that works when you don't have a replacement that can actually replace all it's existing features.

Not exactly reassuring

[rgmoore]

It also downplayed the vulnerability, however, saying that to exploit it, an attacker would need control over Swiss PostÃ(TM)s secured IT infrastructure "as well as help from several insiders with specialist knowledge of Swiss Post or the cantons."

Saying that the only people who could steal an election are a small cabal of government insiders is not particularly reassuring.

Re:One vulnerability less

[hcs_$reboot]

Interesting. What's more secure: a heavy steel door or a 4096 bits key? Among the key combinations, one works for sure. The neophyte says "The door is not for me, too impressive ; but the key, if I'm lucky...". Back to votes, what's more dangerous: a hack that will allow someone working hard to change 1% of the votes, or some influent yet seemingly innocent media that pushes in one direction?

Paper works ...

[JasterBobaMereel]

All computer systems are a black box, even if they are open source, how do you tell that is what the system is running ... and if you can, how do we know it is still running that after you looked ... and the system that is supposed to flag changes... who wrote that ... and can we verify it ... etc ... etc ... etc ...

Re:Everyone can be bought.

[Askmum]

Their comment shows how incomplete these people think. "Oh, you'd have to have access to our secure IT network and no hacker has that!".
Granted, I'll give you that much. But you have. Your government has. And especially that last party can have a very large interest in keeping the power where they think it belongs.
People seem to not realise that even though you can defraud paper ballots, the process is very hard and to be able to make significant impact you need a lot of people in on it. Defrauding an electronic ballot can be done by one person and can cover the complete ballot and can be undetectable. This single vulnerability is the reason why electronic ballots are a Bad Idea(tm).

Re:A comment and a question

[shilly]

There is *no* way to verify your vote was counted correctly with online voting. It's conceptually impossible -- at the end of the day, you're always reduced to trusting that the thing on the screen in front of you in some way corresponds to reality and isn't just telling you what you want to hear.

What's worse is, quite a lot of quite clever people -- certainly much cleverer than the average voter -- are heavily invested in saying that you can, in fact, verify an online vote reliably. So they create and describe complex and elaborate protocols that they solemnly swear (or fervently believe) are 100% effective. But an average voter can't begin to know whether the protocols are effective. The complexity of these systems is well beyond their comprehension -- which is no slur on the average voter, I include myself in that category. Ultimately, we're still reduced to being asked to put our faith in a black box coupled with various people saying "trust us, it's totes legit".

Re:A comment and a question

[shilly]

Don't you see the fundamental difference? An error at an ATM is checkable by you because it affects your bank balance. You know in advance what the right answer should be. An error (or deliberate falsification) of your vote count in an election is not checkable by you because you don't know in advance what the right answer should be when it's summed with all the other counts. This is an insuperable distinction.

Re:A comment and a question

[shilly]

It's a bit more than the fact that "overseeing paper ballot counting is within the abilities of far more individuals than overseeing online voting". It's that I don't *need* to check my individual result for a paper count. A big box of paper ballots is emptied in front of lots of people and lots of people then set to work counting. And other people check their counts. And check the sums when the counts from various boxes are added. There's no need to provide traceability of an individual vote because the conceptual model is different from an online vote: I physically place my paper ballot in the box which is in plain view of lots of people who all keep each other honest, and every step from then on is also in plain view of lots of people who keep each other honest. And it can all easily be recounted.