Switzerland’s e-voting system has predictable implementation blunder


Last year, I published a 5-part series about Switzerland’s e-voting system.  Like any internet voting system, it has inherent security vulnerabilities: if there are malicious insiders, they can corrupt the vote count; and if thousands of voters’ computers are hacked by malware, the malware can change votes as they are transmitted.   Switzerland “solves” the problem of malicious insiders in their printing office by officially declaring that they won’t consider that threat model in their cybersecurity assessment.

But the Swiss Post e-voting system (that Switzerland uses) addresses the malware-in-voter-computer problem in an interesting way that’s worth taking seriously.  Each voter is sent a piece of paper with some special “return codes” that are never seen by the voter’s computer, so any potential malware can’t learn them.  And each voter is instructed to follow a certain protocol, checking the return codes shown on their screen against the return codes on the paper.
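A small model of that check, as an added example rather than any code from Swiss Post or from this post: the return codes are derived from a per-voter secret known to the printing office and the vote server, never to the voter's computer, so a code shown on screen can only match the paper if the server really received the choice the voter intended. The candidate list, the HMAC derivation and the function names are assumptions made for the illustration; the final function shows why the comparison must be anchored in the paper rather than in on-screen instructions.

```python
import hashlib
import hmac

# Constructed model of the return-code check; not the real Swiss Post derivation.
CANDIDATES = ["yes", "no", "abstain"]


def derive_code(voter_secret: bytes, choice: str) -> str:
    """Return code for one choice, derived from a secret the browser never sees."""
    return hmac.new(voter_secret, choice.encode(), hashlib.sha256).hexdigest()[:8]


def print_voter_paper(voter_secret: bytes) -> dict:
    """Printing office: one return code per choice, mailed to the voter on paper."""
    return {c: derive_code(voter_secret, c) for c in CANDIDATES}


def server_return_code(voter_secret: bytes, received_choice: str) -> str:
    """Vote server: computes the code for the choice it actually received."""
    return derive_code(voter_secret, received_choice)


def voter_check_against_paper(paper: dict, intended: str, shown: str) -> bool:
    """The out-of-band step: compare the code on screen with the paper's row
    for the choice the voter intended. Both references come from the paper."""
    return hmac.compare_digest(paper[intended], shown)


def cast_and_verify(intended: str, transmitted: str, secret: bytes) -> bool:
    """Simulate one vote. `intended` is what the voter chose; `transmitted` is
    what their computer actually sent. Returns True only if the paper check passes."""
    paper = print_voter_paper(secret)
    shown = server_return_code(secret, transmitted)
    return voter_check_against_paper(paper, intended, shown)


def check_from_screen_instructions(shown: str, reference_on_screen: str) -> bool:
    """What the check degrades to when the instructions (and the value to compare
    against) come from the screen: both sides are on the untrusted channel, so an
    altered vote is no longer detected. This is the property the paper must supply."""
    return hmac.compare_digest(shown, reference_on_screen)


if __name__ == "__main__":
    secret = b"constructed-voter-secret"  # constructed sample value
    print(cast_and_verify("yes", "yes", secret))  # honest transmission: True
    print(cast_and_verify("yes", "no", secret))   # altered transmission: False
```

Only the third case is new information: an altered vote is caught by `cast_and_verify` but slips past `check_from_screen_instructions`, which is exactly the gap that leaving the instructions off the paper opens.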

I described how it works here.  And then here I described some attacks and vulnerabilities, “threats that their experts didn’t think of”.   And one of those I wrote as,

The hacked app can change the protocol, at least the part of the protocol that involves interaction with the voter, by giving the voter fraudulent instructions.  There could be a whole class of threats there; I invite the reader to invent some.

When I say “predictable implementation blunder”, well, I predicted something like this.  But it’s a bit worse than I thought.

Andreas Kuster is a Swiss computer scientist living abroad, and a few months ago he received his election packet in the mail from his home canton of St. Gallen. He discovered that the Swiss Post e-voting system had made a basic blunder: the instructions telling the voter how to perform the return-code-checking protocol are not printed on the paper; they appear only on the voting website itself. That means if the voter’s computer is hacked by malware, the malware can direct the voter to a fake website that gives different instructions describing a useless protocol. Or, as Kuster demonstrates, the malware can install a browser…
