NSW Electoral Commission invites scrutiny of iVote source code
- 30 July, 2019 14:34
The NSW Electoral Commission has launched a program that will offer security researchers access to the source code used for online voting during the 2019 NSW state election.
The security of the system has in the past been a source of controversy, with researchers uncovering a number of vulnerabilities in iVote and other voting systems also based on software developed by Scytl.
Dr Vanessa Teague from the University of Melbourne and Dr Alex Halderman from the University of Michigan in 2015 revealed details of potential vulnerabilities on the iVote system.
Then in March this year, Sarah Jamie Lewis from the Open Privacy Research Society, Université catholique de Louvain’s Olivier Pereira and Teague published details of multiple flaws in the Swiss e-voting platform sVote, which was developed by Scytl.
At least some of the issues were believed to be present in iVote, although the NSW EC argued they would not be exploitable by a malicious actor.
iVote relies on components developed in-house by the commission and components developed by the Spanish-headquartered Scytl, which built the core voting system used by the application from the 2015 state election onward. Last year the company won a $1.9 million contract to upgrade iVote ahead of the March 2019 state election.
In January this year, the NSW EC invited security researchers to register their interest in scrutinising the iVote source code prior to the election. However, Teague told Computerworld that security researchers who wished to participate had to agree not to disclose their findings for up to five years.
The new program announced today by the commission requires participants to agree to a range of conditions, including reporting any vulnerabilities they unearth, and not publishing details of any bugs for at least 45 days after reporting them to Scytl and the NSW EC.
“To support continuous improvement to the iVote platform, the proprietary source code developed by Scytl will be published and made available to qualified reviewers for inspection and feedback,” the NSW EC said in a statement.
“Release of the source code is being undertaken as part of our commitment to transparency and scrutiny of the iVote system.”
Teague said that the purpose of any source code openness should be “to allow assessment of the system before the election, so that any bugs or vulnerabilities could be identified and patched”.
“Showing us something afterwards proves nothing,” she said. “Indeed, even showing us a system that isn't vulnerable to this specific attack, now, doesn't prove that the system they used at the time wasn't vulnerable, then.”
The NSW EC today also released two reports on iVote: a PwC examination of iVote-related procedures pre- and post-ballot, and the results of a review of the iVote 2.0 source code by Demtech.
The partly redacted PwC report found a range of shortcomings, including a “lack of adequate coverage” by the NSW EC security incident and event monitoring (SIEM) system, and a lack of adequate security awareness at the NSW EC call centre.
The report noted that Scytl employees were not subject to the same background checks that NSW EC employees and contractors are, due to Spanish employment laws.
PwC also called out the commission’s patching policy, which had not been updated since 2012 and does not include procedures to apply critical patches when the iVote system is locked down ahead of an election.
One partly redacted finding related to the secure erasure of “critical voting information stored on removable media”. PwC said that control was not adhered to at one of the data centres that hosted iVote.
The Demtech code review was not based on the final version of the iVote code used in the state election.
Automated code scanning “has shown that the overall quality of the code is in general high, and that the implementation is largely free from bad and insecure programming patterns with the exception of the code implementing the mixer, which is still under development and apparently has not undergone quality assurance,” the Demtech report said.
The company also conducted a manual examination of the code, noting that some parts of it still seemed to be under development when Demtech was given the snapshot of the iVote source. The company found that design documentation and implementation were “not always in sync”.
“The source code contains several TODO comments and in particular, the code for error and exception handling in the mixer is still under active development,” the report said. Demtech also found unused functionality in the code base that was outside of the scope of the review.
“The presence of such code is a security concern, since if it is executed, for example, by an insider attacker, it could be used to crash the application, or poison databases and log files,” Demtech said.
The NSW EC and Scytl both examined Demtech’s report. The commission said that it “concluded that, while there were items raised that needed attention, there weren’t any issues of sufficient gravity that would preclude using the software in the State General Election”.
“Scytl noted that the findings have been considered in the version of the voting system used for the 2019 election and others to be taken into account for future releases of the system,” the commission said. “On a number of points, Scytl provided additional information to address the issues raised.”
One concern flagged by Demtech related to the proof of correct decryption of votes. One of the sVote vulnerabilities identified by security researchers allowed, under certain circumstances, the creation of false decryption proofs. The NSW EC said at the time that the vulnerability was “not relevant” to iVote.
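A proof of correct decryption is the mechanism the last paragraph refers to: the election authority decrypts each (mixed) ciphertext and publishes a proof that the published plaintext really is the decryption under the election public key, so that auditors can check the tally without learning the secret key. The following is an added example, not code from iVote, sVote, Scytl or Demtech: it implements ElGamal over a safe-prime group with a Chaum-Pedersen proof of correct decryption (the standard construction for this step), using the Fiat-Shamir heuristic with every public value of the statement bound into the challenge hash, and a verifier that checks subgroup membership of all inputs. The group size (64 bits), the candidate encoding (g to the power of the candidate index) and the hash-to-challenge encoding are assumptions for illustration; a real election would use a much larger group and a specified encoding. The verifier deliberately rejects an inconsistent claimed plaintext, which is the auditor-side property the report's concern is about.

```python
import hashlib
import secrets

# Bases making Miller-Rabin deterministic for all n < 2**64.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin primality test (deterministic for 64-bit inputs)."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Safe prime p = 2q + 1 (assumed toy size); g = 4 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, 4


def in_subgroup(p, q, y):
    """Membership check: y must lie in the prime-order subgroup, not just in Z_p^*."""
    return 0 < y < p and pow(y, q, p) == 1


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1          # election secret key
    return x, pow(g, x, p)                     # (x, h = g^x)


def encrypt(p, q, g, h, m):
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), (m * pow(h, r, p)) % p   # (c1, c2) = (g^r, m * h^r)


def challenge(q, *values):
    """Fiat-Shamir challenge over the *whole* statement; every value is fixed-width encoded."""
    data = b"cp-decrypt-proof" + b"".join(v.to_bytes(16, "big") for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def decrypt_with_proof(p, q, g, x, h, ct):
    """Decrypt and prove log_g(h) == log_c1(c2/m), i.e. the same x was used."""
    c1, c2 = ct
    d = pow(c1, x, p)                          # shared secret c1^x
    m = (c2 * pow(d, -1, p)) % p
    w = secrets.randbelow(q - 1) + 1           # commitment randomness
    a, b = pow(g, w, p), pow(c1, w, p)
    e = challenge(q, p, g, h, c1, c2, m, a, b)
    s = (w + e * x) % q
    return m, (a, b, s)


def verify_decryption(p, q, g, h, ct, m, proof):
    """Auditor-side check: subgroup membership of every input, then the two Chaum-Pedersen equations."""
    c1, c2 = ct
    a, b, s = proof
    if not all(in_subgroup(p, q, y) for y in (h, c1, c2, m, a, b)) or not 0 <= s < q:
        return False
    d = (c2 * pow(m, -1, p)) % p               # what c1^x must equal if m is the true plaintext
    e = challenge(q, p, g, h, c1, c2, m, a, b)  # recomputed, never taken from the prover
    return (pow(g, s, p) == (a * pow(h, e, p)) % p
            and pow(c1, s, p) == (b * pow(d, e, p)) % p)


def demo():
    """Constructed run: encrypt 'candidate 3', decrypt with proof, then audit an honest and a false claim."""
    p, q, g = make_group()
    x, h = keygen(p, q, g)
    ballot = pow(g, 3, p)                      # candidate index 3 encoded as g^3 (assumed encoding)
    ct = encrypt(p, q, g, h, ballot)
    m, proof = decrypt_with_proof(p, q, g, x, h, ct)
    false_claim = pow(g, 4, p)                 # a different candidate presented with the same proof
    return (m == ballot,
            verify_decryption(p, q, g, h, ct, m, proof),
            verify_decryption(p, q, g, h, ct, false_claim, proof))


if __name__ == "__main__":
    print(demo())                              # expected (True, True, False)
```

The subgroup check in the verifier is not decoration: because p is a safe prime, Z_p^* also contains an element of order 2, and a verifier that skips membership checks would accept a claimed plaintext of -m whenever the challenge happens to be even. Binding p, g, h and the ciphertext into the challenge likewise closes the class of weakness where a proof computed for one statement is replayed against another.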