iVote developer acknowledges vulnerability, defends election security

Scytl argues iVote vulnerability “extremely difficult” to exploit


The vendor that developed core components of New South Wales’ iVote system has released an analysis of a vulnerability discovered in the online voting platform, arguing that an attack based on it is “extremely difficult to implement in practice”.

In March this year, a trio of researchers revealed details of flaws they had unearthed in the Swiss Post sVote platform. sVote was built by Scytl, which also helped develop the current version of iVote used by the NSW Electoral Commission (NSW EC).

The flaws in sVote meant that an attacker could potentially subvert the system that verifies, without compromising the anonymity of the ballot, that the votes reported during an election match those that were cast.

Last month, University of Melbourne associate professor Vanessa Teague confirmed that one of the vulnerabilities that she, along with Sarah Jamie Lewis from the Open Privacy Research Society and Université catholique de Louvain’s Olivier Pereira, had uncovered in sVote was also present in the version of iVote used for this year’s NSW election. (Teague is a participant in an NSW EC and Scytl program that gives security researchers access to iVote’s specifications and source code.)

“iVote’s decryption proof and verification specification are slightly different from those of the SwissPost system, but the same attack can still be performed after a slight modification,” a paper released by Teague (PDF) said.

Scytl and NSW EC both acknowledged Teague’s findings and thanked her for her work. “There is no indication of any interference with the iVote system at the recent State election or at any other election where the iVote platform has been used,” NSW EC director of election innovation Mark Radcliffe said in a statement released after Teague published her work.

Scytl says its new analysis (PDF) is an attempt to assess the ease with which the vulnerability could be leveraged. A key argument advanced by the software vendor is that because of the difference in infrastructure used to run iVote and sVote, it is unlikely that an adversary would succeed with an attack.

In Switzerland “mixing and decryption were implemented in the same server and therefore the adversary can interact with the mixing process to hide any manipulation of the attacked vote,” the Scytl analysis notes.

Unlike sVote, iVote relies on two different machines for mixing votes and decrypting them, and both are supposed to be isolated from any network. Votes are transferred from the mixing machine to the decrypting system via a USB drive. An attacker would need to access both systems to exploit the vulnerability, the analysis states.

“The conclusion is that the attack is extremely difficult to implement in practice, requires collusion between multiple actors, breaks a number of other controls and would be easily discoverable due to the presence of the ‘nonsense votes’,” Scytl argues.

In an email to Computerworld, Teague noted that Scytl emphasised that iVote had relied on an “isolated” server but that the system in question had needed to be patched during the state election period, to deal with one of the vulnerabilities in sVote revealed in March by the researcher and her collaborators.

In addition, a post-election report on iVote (PDF) prepared by PwC for the NSW EC noted that something (the term has been redacted) “on air-gapped (offline) computers was not disabled” – indicating a potential attack vector for an adversary.

The Melbourne Uni researcher also noted that the iVote specification “doesn’t specify the mixing proof verification in any detail”. “So the iVote spec certainly doesn't guarantee that the attack would be detected in the mixing verification,” Teague said.

“To my mind, if the verification spec doesn't guarantee that an attack is detected, then the attack is undetected by the specified verification protocol, QED,” the researcher said.

Copyright © 2019 IDG Communications, Inc.
