The NSW Electoral Commission has responded to allegations that votes submitted to iVote may have been affected by a server vulnerability by saying the claims were overstated.
University of Melbourne Department of Computing and Information Systems research fellow, Vanessa Teague, and Michigan Centre for Computer Security and Society director, J.Alex Halderman, posted a blog with their findings on March 22.
“The ivote.piwikpro.com server has very poor security. It is vulnerable to a range of SSL attacks, including the recently discovered FREAK attack.”
However, NSW Electoral Commission CIO Ian Brightwell said the Commission has now reviewed the claims and received advice from CSC Cyber Security A/NZ, which said the claims about vulnerabilities in iVote were overstated.
“The proposed FREAK attack requires a high level of technical expertise and a number of pre-conditions to be successful and as such is not considered a real threat to iVote. We have been advised that the likelihood of someone intercepting votes online using this approach is as real as a malicious postman replacing a postal vote,” Brightwell said in a statement.
Brightwell said the Commission has always accepted that Internet browsers are vulnerable to attack.
“The Commission has not advocated that the operation of the iVote system was completely risk free and has deployed an advanced multi-layer security framework to ensure election integrity. Therefore, the Commission takes the view that any such large scale attack would be detected through one of the additional security layers, in this case, our verification service.”
According to Brightwell, Halderman and Teague are advisory board members of US based anti-Internet-voting lobby group Verified Voting.
He expressed disappointment that the researchers did not disclose their affiliation with the group and that they did not provide their report to the Commission before releasing it to media.
Follow Hamish Barwick on Twitter: @HamishBarwick