NSW’s eVoting system under fire
- 08 August, 2016 07:30
In the aftermath of the 2 July federal election, Prime Minister Malcolm Turnbull and opposition leader Bill Shorten both indicated support for the potential use of eVoting to avoid drawn-out post-election ballot counting.
However, the eVoting platform used in Australia’s most populous state — New South Wales’ iVote system — has again come under fire.
The iVote system supports telephone and Internet-based voting in the state. The current version of iVote was produced by Scytl in partnership with the NSW Electoral Commission (NSWEC) and used in the 2015 state election.
The robustness, privacy and verification method of the system have been questioned by two university researchers, one of whom was previously instrumental in uncovering a security vulnerability in iVote.
NSW parliament’s Joint Standing Committee on Electoral Matters is currently conducting an inquiry into the 2015 state election. At a hearing on Friday, academics Dr Vanessa Teague from the University of Melbourne and Professor Rajeev Goré from ANU appeared before the committee to offer a less-than-flattering analysis of the iVote system.
Teague and Dr Alex Halderman from the University of Michigan in 2015 uncovered a security vulnerability in iVote that could potentially be exploited to stage man-in-the-middle attacks to subvert votes.
Teague told Friday's hearing: “We found a serious security hole that exposed the browsing session both to an attack called the FREAK attack and another attack called the Logjam attack. Both of which involved intercepting code on its way from a third party service into the voter’s browsing session, both of which allowed an Internet-based man-in-the-middle attacker to subvert the voter session entirely, expose how the person intended to vote, and send in a different vote back to the electoral commission.”
“None of this would have looked untoward at the electoral commission end – it would have looked exactly like a valid vote from an eligible voter,” she added. “In fact, it would have been a valid vote from an eligible voter – it just wouldn’t have been that one that that voter intended to cast.”
After the pair had revealed their findings, the NSWEC attacked the researchers and argued: “The proposed FREAK attack requires a high level of technical expertise and a number of pre-conditions to be present and as such is not considered a significant threat to iVote. We have been advised that the likelihood of someone intercepting online votes using this approach is similar to that of a malicious postman replacing a postal vote.”
Teague and Goré in their written submission to the inquiry said that there is only limited public information about iVote, “with no source code and only vague overviews of the system's structure available”.
“Security problems may be present, and exploited, without necessarily being noticed,” the submission argued.
It is “is entirely plausible that a serious security problem
affecting hundreds of thousands of Internet votes could compromise the
integrity of a future state election outcome,” the pair argued.
In her testimony on Friday, Teague also questioned the verification process of iVote, which is intended to allowed a voter to confirm that their vote had been accurately entered into the count.
“iVote was supposed to be verifiable – it was widely advertised as such,” Teague said. “It wasn’t. It really wasn’t”.
At the heart of any claims about verification there ought to be “one number,” she argued: The rate of failure. “You want to find out the fraction of people who tried to verify but failed. And that should give you some kind of estimate of the extent of a problem in the system as a whole,” she said.
More than a year after the election, the NSWEC is yet to reveal the number of people who tried to phone in and verify their vote but failed, she said.
In the statement issued after Teague and Halderman published their analysis of iVote’s security flaws, the NSWEC said: “Some 1.7% of electors who voted using iVote® also used the verification service and none of them identified any anomalies with their vote.”
However, Teague highlighted a statement in a post-implementation study of iVote commissioned by the NSWEC and conducted by PricewaterhouseCoopers that noted as an incident involving the iVote system: “Fix signature file, which was preventing verification.”
“I don’t see those two statements can possibly be consistent,” Teague said. “I think that the NSWEC website statement is leaving out the vitally important case of people who called in, tried to verify but were unable to retrieve any vote at all.”
That kind of failure is as important as a hypothetical case where a ballot cast via iVote is recorded for an incorrect candidate, she argued.
“We need to know about both those kinds of failures,” she said. In the case of an inability to retrieve any vote at all it could be due user error – a voter recording the wrong verification number – but it could also be the “failure model” if votes had been dropped off the system due to a software error or if the security problem identified by Teague and Halderman had been exploited to manipulate votes.
In her testimony Teague also noted that the PwC report states that the lockdown of the iVote system was lifted the day before the election, after about two weeks’ worth of votes had been collected via the platform. The lockdown was removed for Scytl to make performance improvements to the core voting system (CVS) database. Following the update the system was locked down again.
“My question is: Who tested that update?” Teague said. “Who certified that update? Who checked whether that update to the core voting system database didn’t have unintended consequences for the accuracy either of the votes already in the database or the votes that were going to be entered into the database on election day?”
Both Scytl and the NSWEC will appear before the inquiry this week.