The electronic voting system that has been used in Estonia since 2005 cannot guarantee fair elections because of fundamental security weaknesses and poor operational procedures, according to an international team of security and Internet voting researchers.
The analysis performed by the team’s members, some of whom acted as observers during 2013 local elections in Estonia, revealed that sophisticated attackers, like those employed by nation states, could easily compromise the integrity of the country’s Internet voting system and influence the election outcome, often without a trace.
The team chose to analyze the Estonian system because Estonia has one of the highest rates of Internet voting participation in the world—over 21 percent of the total number of votes during the last local election were cast through the electronic voting system.
During their observation of the local elections and by later watching the procedural videos released by the Estonian election authority, the researchers identified a large number of poor security practices that ranged from election officials inputting sensitive passwords and PINs while being filmed to system administrators downloading critical applications over insecure connections and using personal computers to deploy servers and build the client software distributed to voters.
The researchers also used open-source code released by the Estonian government to replicate the electronic voting system in their laboratory and then devised several practical server-side and client-side attacks against it.
To use the Estonian system, voters insert their electronic national ID card into a card reader attached to their computers and use the PINs associated with their ID cards to cast their votes through a special application. The researchers developed malware that can record the PIN numbers and later change the votes while the ID cards are attached to voters’ computer for different operations.
The malware can be deployed in different ways, including through online exploits, through existing infections or through man-in-the-middle attacks during the download process. Attackers could also maliciously alter the voting software itself during the build process, if it’s created on a personal computer instead of in a controlled environment, the researchers said Monday during a press conference about their findings in Tallinn, Estonia.
The system uses a vote confirmation procedure based on QR codes than need to be scanned by users with their mobile phones after casting their votes. However, a compromised voting application can potentially alter votes and QR codes in real time, meaning this additional verification system can’t protect users from sophisticated attackers, the researchers said.
Such false verification attacks have been used in the real world against online banking users, so they’re not just theoretical and could easily be applied to Internet voting, they said.
To compromise the electronic voting servers, attackers could either exploit vulnerabilities over the Internet or could target the people responsible for deploying the servers by first infecting their computers and then altering the server software. Because of the lack of security checks and control, a malicious insider could also carry out such attacks, the researchers said.
The research team included J. Alex Halderman, a computer science professor at the University of Michigan who studied electronic voting systems in different countries around the world; Maggie MacAlpine, an advisor on post-election audits in the U.S.; Harri Hursti, a Finnish independent security researcher known for previously demonstrating a successful attack against a Diebold voting machine; Jason Kitcat, who previously led an investigation into electronic voting in the UK for the Open Rights Group, a digital rights organization; and Travis Finkenauer and Drew Springall, two PhD students at the University of Michigan.
“There are so many attack vectors by which you could dirty the machines used to set up the elections that we believe this to be a very credible and viable attack; and we have photographic evidence on our website showing a personal computer with links to poker sites being used to set up the critical election systems [in Estonia],” Kitcat said.
The Estonian election officials should improve their operational procedures, but “we’ve also shown fundamental flaws in the architecture of the system, which means that we can steal votes remotely from voters’ computers and those flaws cannot be fixed quickly or easily,” he said.
The researchers said they notified the Estonian National Electoral Committee, as well as political parties, academics and media organizations in Estonia of their findings at the same time on Saturday. The research was presented in greater detail Monday during a press conference and a full report will be made available on a website that also contains other supporting material, including videos and photos.
The Estonian National Electoral Committee declined to comment until it reviews the full report.
The researchers believe the Estonian Internet voting system should be discontinued before the upcoming European Parliament elections on May 25. More generally they believe that building a secure and accurate electronic voting system is not possible with the current technology when taking sophisticated attackers like nation states into consideration.