Last year, I published a 5-part series about Switzerland’s e-voting system. Like any internet voting system, it has inherent security vulnerabilities: if there are malicious insiders, they can corrupt the vote count; and if thousands of voters’ computers are hacked by malware, the malware can change votes as they are transmitted. Switzerland “solves” the problem of malicious insiders in their printing office by officially declaring that they won’t consider that threat model in their cybersecurity assessment.
But the Swiss Post e-voting system (that Switzerland uses) addresses the malware-in-voter-computer problem in an interesting way that’s worth taking seriously. Each voter is sent a piece of paper with some special “return codes” that are never seen by the voter’s computer, so any potential malware can’t learn them. And each voter is instructed to follow a certain protocol, checking the return codes shown on their screen against the return codes on the paper.
I described how it works here. And then here I described some attacks and vulnerabilities, “threats that their experts didn’t think of”. And one of those I wrote as,
The hacked app can change the protocol, at least the part of the protocol that involves interaction with the voter, by giving the voter fraudulent instructions. There could be a whole class of threats there; I invite the reader to invent some.
When I say “predictable implementation blunder”, well, I predicted something like this. But it’s a bit worse than I thought.
Andreas Kuster is a Swiss computer scientist living abroad, and a few months ago he received his election packet in the mail from his home canton of St. Gallen. He discovered that the Swiss Post e-voting system had made a basic blunder: the instructions to the voter about how to perform the return-code-checking protocol are not printed on the paper; they are only on the voting website itself. That means if the voter’s computer is hacked by malware, the malware can direct the voter to a fake website that has different instructions, with a useless protocol. Or, as Kuster demonstrates, the malware can install a browser plug-in that alters the behavior of the real website.
He immediately notified Swiss Post following their “responsible disclosure” protocols with a 90-day period where he didn’t go public. There’s been no remedy, so now he’s gone public.
Kuster’s fake protocol is not exactly what I imagined; it’s better. He explains it all in his blog post. Basically, in his malware-manipulated website, instead of displaying the verification codes for the voter to compare with what’s on the paper, the website asks the voter to enter the verification codes into a web form. Since the website doesn’t know what’s on the paper, that web-form entry is just for show. Of course, Kuster did not employ a botnet virus to distribute his malware to real voters! He keeps it contained on his own system and demonstrates it in a video.
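To make the reasoning in the paragraphs above concrete (why the real comparison catches a flipped vote, and why asking the voter to type the codes into a form catches nothing), here is an added simulation in Python. It is not code from Swiss Post, from Kuster, or from this post. The way the codes are derived (an HMAC over the choice with a per-voter secret), the function names, and the two-option sample ballot are assumptions of this toy model, not the real system's design; the real protocol's cryptography is considerably more involved.

```python
import hmac
import hashlib

# Constructed sample ballot: a two-option referendum question.
CHOICES = ("Yes", "No")

# Constructed per-voter secret shared by the printing office and the voting
# server but never by the voter's computer (an assumption of this model).
VOTER_SECRET = b"constructed-per-voter-secret-for-the-demo"


def return_code(secret: bytes, choice: str) -> str:
    """Short code the server returns for a received choice (assumed derivation)."""
    return hmac.new(secret, choice.encode(), hashlib.sha256).hexdigest()[:8].upper()


def print_paper_packet(secret: bytes) -> dict:
    """The printing office's paper: one return code per choice, sent by post."""
    return {choice: return_code(secret, choice) for choice in CHOICES}


def honest_client(secret: bytes, intended: str) -> dict:
    """Uncompromised browser: casts the intended choice, shows the server's code."""
    return {"cast": intended, "shown": return_code(secret, intended)}


def vote_flipping_client(secret: bytes, intended: str) -> dict:
    """Malware-controlled browser: casts the other choice. It never saw the paper,
    so the only code it can show is the one the server returns for the flipped vote."""
    flipped = next(c for c in CHOICES if c != intended)
    return {"cast": flipped, "shown": return_code(secret, flipped)}


def real_protocol_check(paper: dict, intended: str, shown: str) -> bool:
    """The intended check: the voter compares the code on screen with the code
    printed next to their choice on paper. Only the voter can do this."""
    return hmac.compare_digest(paper[intended], shown)


def inverted_protocol_check(paper: dict, intended: str, shown: str) -> bool:
    """The fake instructions: the page asks the voter to type the paper code into a
    form instead. The page cannot check what is typed, so any entry is 'accepted';
    no comparison against the server's response ever happens."""
    typed_by_voter = paper[intended]  # the voter dutifully copies the paper code
    return typed_by_voter != ""       # any non-empty entry passes


def run_scenario(client, check, intended: str = "Yes") -> dict:
    """Returns whether the cast vote was altered and whether the voter's check passed."""
    paper = print_paper_packet(VOTER_SECRET)
    result = client(VOTER_SECRET, intended)
    return {
        "altered": result["cast"] != intended,
        "voter_accepts": check(paper, intended, result["shown"]),
    }


if __name__ == "__main__":
    for name, client, check in [
        ("honest browser, real check", honest_client, real_protocol_check),
        ("vote-flipping browser, real check", vote_flipping_client, real_protocol_check),
        ("vote-flipping browser, inverted check", vote_flipping_client, inverted_protocol_check),
    ]:
        print(f"{name}: {run_scenario(client, check)}")
```

The second scenario is the whole value of the paper packet: the malware cannot produce the code printed beside the voter's real choice, so a flipped vote is caught. The third scenario shows why the instructions must travel on the paper too: once the website is allowed to redefine the check, the altered vote is accepted with no signal to the voter at all.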
Up front in his article is a good-faith explanation to Swiss voters about how they should use the real protocol to protect their vote. That is, he gives the instructions that Swiss Post should have printed on the paper. That’s useful, except for the millions of voters who won’t see his article: their votes could be at risk.
When I say “worse than I thought”, I mean that it never occurred to me that the voter’s paper packet would have no description of the protocol at all, and that Swiss Post would leave the entire description of the protocol to the very website the protocol is supposed to protect. That’s a blunder.