Online voting is impossible to secure
If you thought electronic voting machines were insecure, wait ’til you meet online voting.
Dr. Vanessa Teague is one frustrated cryptographer.
A researcher at the University of Melbourne in Australia, Teague has twice demonstrated massive security flaws in the online voting systems used in state elections in Australia — including one of the largest deployments of online voting ever, the 2015 New South Wales (NSW) state election, with 280,000 votes cast online.
The response? Official complaints about her efforts to university administrators, and a determination by state election officials to keep using online voting, despite ample empirical proof, she says, that these systems are not secure.
While insecure voting machines have received most of the attention since the 2016 U.S. presidential election, states and municipalities continue to use — even enthusiastically adopt — web-based online voting, including 31 states in the U.S., two provinces in Canada, and two states in Australia. Wales in the UK is pushing hard for online voting. The country of Estonia uses online voting for its national elections.
Security researchers point out flaws; election officials get angry and ignore security issues that threaten the integrity of the voting results. Teague’s story repeats itself around the world.
Democracy at stake
The purpose of an election is not just to select a winner, but to convince the loser, and their supporters, that they lost. Trust in the voting process is, therefore, an essential element to any voting system. “Voting over the internet is not secure enough to be trusted for government elections,” Teague tells CSO. “It’s not verifiable.”
Unlike electronic voting machines, online voting lets voters cast their ballots on a website with a click of a mouse or tap of a finger. While electronic voting machines could one day be used in conjunction with paper ballots to increase the security of the voting process, web-based online voting is not only insecure, but is impossible to secure, experts warn.
Yet politicians are pushing ahead with plans to offer online voting, despite the clear and present danger online voting poses to the integrity of the democratic process. “Like everything else on the internet, [online voting] is not secure, but the really important point for elections is that you wouldn’t even know if the outcome was manipulated or not,” Teague says.
Voting officials defend their decisions, arguing that online voting increases voter turnout and makes voting more accessible to voters who are unable to come in person, or who live far from a polling station, for instance soldiers and sailors stationed abroad, or voters who live in rural or regional Australia, or far northern Canada.
However, offering online voting also makes it accessible to every spy, gangster, mercenary, and hacker on the planet. Attackers could easily violate the sanctity of the secret ballot, modify votes, or even make the web application unavailable to certain voters on polling day.
Teague and other researchers have demonstrated such attacks against live election systems.
How to attack online voting
Online voting is more fragile than other online services, like banking, and far easier to attack. The cheapest and easiest way to attack an online voting system is to flood the web application with garbage traffic and DDoS it. Any script kiddie with some bitcoin can rent a botnet army of compromised IoT devices and overwhelm the voting server on election day. To prevent such attacks, companies typically use distributed denial of service (DDoS) mitigation services like Cloudflare or Imperva Incapsula.
Such services are suitable for many Silicon Valley-style applications, but are unsuitable for ensuring a free and open democratic election, Teague says. A DDoS mitigation service has to spy on traffic in order to stop DDoS attacks. That means it has to decrypt all traffic between the user and server to determine which traffic is good and which traffic is bad. To do so, it acts as a transport layer security (TLS) proxy and performs a “man-in-the-middle” attack — with permission, of course — against all traffic aimed at the online voting service it’s been hired to defend.
TLS is the encryption technology that makes HTTPS (the “green padlock” in a browser) work, which, under normal circumstances, would ensure the confidentiality of traffic end-to-end from the voter to the tally server. For a cloud-based DDoS mitigation service to work, however, the TLS encryption key sits on servers all over the world, and anyone able to hack into one of those servers and steal the TLS key is one giant step closer to changing the vote count.
Teague’s team found just this problem in the Western Australia 2017 state election. They discovered the online voting TLS encryption keys on servers in data centers in countries like Japan, Poland and China. Worse, the online voting web application shared that TLS key with “dozens of unrelated websites in countries such as the Philippines, Lithuania, and Argentina,” according to their report.
Any sufficiently motivated nation-state attacker could easily compromise one of these servers. Even more concerning, a nation-state could “acquire the credentials necessary to man-in-the-middle a foreign election in the context of an unrelated domestic law enforcement or national security operation,” [their emphasis] their report concluded.
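The certificate sharing described above is visible in the subjectAltName (SAN) extension of the certificate a CDN edge actually serves, so an added audit check (not code from the article or from Teague's team) follows: it decodes the dNSName entries of a SAN value and flags any that fall outside the election's own domains. The DER bytes and every domain name are constructed fixtures; a real audit would take the SAN value from the certificate the voting site presents.

```python
"""Audit a certificate's subjectAltName (SAN) list for names outside the election
service.  Minimal DER decoder for the GeneralNames value only (not a full X.509
parser); every domain name below is a hypothetical, constructed fixture."""
from typing import List, Tuple

SEQUENCE_TAG = 0x30
DNS_NAME_TAG = 0x82  # GeneralName [2] dNSName, IMPLICIT IA5String

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(general_names_der: bytes) -> List[str]:
    """Return every dNSName in a DER-encoded GeneralNames SEQUENCE, in order."""
    tag, body, _ = _read_tlv(general_names_der, 0)
    if tag != SEQUENCE_TAG:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == DNS_NAME_TAG:  # IP, e-mail and other choices are skipped
            names.append(value.decode("ascii").lower())
    return names

def unrelated_names(names: List[str], election_domains: List[str]) -> List[str]:
    """Names that are neither an election domain nor a subdomain of one."""
    def related(n: str) -> bool:
        return any(n == d or n.endswith("." + d) for d in election_domains)
    return [n for n in names if not related(n)]

def build_general_names(*dns: str) -> bytes:
    """Encode dNSName entries as a DER GeneralNames SEQUENCE (fixture builder)."""
    def der_len(n: int) -> bytes:  # short form below 128, long form above
        b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        return b if n < 128 else bytes([0x80 | len(b)]) + b
    items = b"".join(bytes([DNS_NAME_TAG]) + der_len(len(d)) + d.encode("ascii")
                     for d in dns)
    return bytes([SEQUENCE_TAG]) + der_len(len(items)) + items

# Constructed fixture: one edge certificate covering the hypothetical election
# site plus unrelated CDN tenants, the pattern the WA 2017 report describes.
SAMPLE_SAN = build_general_names("vote.example-election.gov.au", "www.example-election.gov.au",
                                 "shop.example-retailer.ph", "blog.example-news.lt")
ELECTION_DOMAINS = ["example-election.gov.au"]
```

Any name returned by `unrelated_names` means the voting site's certificate, and therefore the private key that proves it, is shared with a service the election does not control.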
The secret ballot has been a cornerstone of democracy since ancient Athens, and essential to preventing vote selling or voter coercion. No one, ever, should know how a voter cast their ballot. The use of a DDoS mitigation provider in an online election may prevent DDoS attacks that take the voting website offline, but it creates a giant target with a big red bulls-eye for any nation-state wanting to spy on voters or change their votes.
“Under what circumstances would you do a recount?” Aleksander Essex, an online voting security researcher at the University of Western Ontario, in Canada, asks. “That’s the real question, because you don’t have that transparency. With paper ballot voting, you can go back to the paper record, assuming you can follow the chain of custody. With online voting, you don’t know.”
Without transparency into how the voting process works, and the ability to verify the results, online voting casts a shadow across the legitimacy of elections that include it. Democracy dies in darkness.
“Serious security vulnerabilities” for Estonia’s online voting system
No country in the world has as much experience with online voting as the tiny country of Estonia. Living in the shadow of its much larger neighbor, Russia, Estonia has been offering online voting in government elections since 2005.
Researchers took a closer look at the country’s online voting system, and not only found security issues with the software, but hilarious operational security failures, including an official video of the pre-election process that showed wi-fi passwords posted on the wall, administrators filmed typing in root passwords, and a software build system that was also being used to play PokerStars.
“Estonia’s internet voting system has such serious security vulnerabilities that an international team of independent experts recommends that it should be immediately discontinued,” researchers concluded. “A state-level attacker, sophisticated criminal, or dishonest insider could defeat both the technological and procedural controls in order to manipulate election outcomes.”
Russia attacked Estonia with a massive DDoS attack in 2007 over the country’s decision to move a Soviet-era war memorial. According to The Guardian, the main targets of attack were government websites, the political parties, major news organizations, and two of the country’s biggest banks.
Nevertheless, Estonia’s National Election Committee rejected the security researchers’ findings, saying in a statement at the time, “We believe that online balloting allows us to achieve a level of security greater than what is possible with paper ballots.”
Australian online voting cover-up
The NSW state election of 2015 was so insecure that one seat in the upper house of the state parliament may have been decided by hacked votes. In response to the scandal, the electoral commission went to great lengths to avoid transparency regarding the security issues Teague and her team reported, and only revealed the true nature of the problem under close questioning in state parliament a year later.
Before the election, the state electoral commission told the Australian Broadcasting Corporation (ABC) that “People’s vote is completely secret… It’s fully encrypted and safeguarded, it can’t be tampered with.” Yet it took researchers only a few days to identify fatal flaws in the online voting web application that could have easily been used to spy on and even modify every single vote cast online, and to do so in an undetectable manner.
“This is a complete and total break of the most basic security goals of an online voting system,” Teague tells CSO. “No warnings in the browser. It successfully subverted the TLS connection to the third-party [analytics] service. It would have looked completely normal at the electoral commission end. It would have looked exactly the same as a legitimate vote. It was a legitimate vote from an eligible voter. Just not the one the voter intended to cast.”
Because the online voting platform, built by Spanish firm Scytl, is not open source, the researchers were unable to test the application prior to the election. They had to wait until the online voting system went live, and then examine the public-facing portions of the system.
Teague and her team reported their findings immediately to the Australian CERT, but by the time the system was fixed, more than 66,000 votes had been cast online — far more than the margin of 3,177 votes that decided one seat in the NSW Legislative Council.
“To our knowledge, this is the first time enough votes to affect a parliamentary seat in a state election have been returned over an internet voting system while it was demonstrably vulnerable to attacks that would allow external vote manipulation,” their report concludes.
The NSW electoral commission initially reported after the election that there were no anomalies seen while using the online voting platform, but a year later, under questioning in state parliament, admitted that there were, in fact, significant anomalies reported by voters. More than 600 voters who attempted to verify their votes using a rudimentary telephone-based system were unable to do so — a 10 percent failure rate, enough to call into question the voting result of the state election. “That to me is the bottom line,” Teague says. “The really important thing is that we didn’t find out the truth at the time.”
Regardless, the NSW government is pushing ahead, ignoring the danger signs. “The NSW Electoral Commission (NSWEC) intends providing iVote as a voting channel for the 2019 NSW State General Election,” a NSW electoral commission spokesperson told CSO by email.
Far from understanding the danger internet voting poses to free and open democratic elections, the NSW Electoral Commission went so far as to call Teague and her colleague, Alex Halderman of the University of Michigan, “anti-internet voting activists,” in their 2015 response to the security research. In fact, earlier this week the NSW government contracted a second time with Scytl, the online voting vendor responsible for the 2015 debacle, according to CSO’s sister publication, Computerworld Australia.
Closed source online voting software: a threat to democracy?
Electronic voting machines can at least be bought on eBay and reverse engineered, which researchers routinely do. Online voting systems offer no such transparency, and that complete opacity hampers research and harms democracy, experts agree.
No commercial online voting platform makes its source code available for public scrutiny. Onerous non-disclosure agreements (NDAs) typically prevent security researchers from publishing their findings. This is the opposite of how paper-based elections work: Everyone knows and understands how the system works, and can even go watch ballots being counted, if they want to.
One online voting provider, Everyone Counts, touts its “Open Code Advantage,” which, they claim, “allows expert inspection and auditing of source code,” according to this pdf document served from their Squarespace website.
However, Teague says this claim is marketing nonsense. “It means that you have to sign a punitive NDA, which includes among its terms the requirement that even the fact you’ve signed an NDA is secret,” she tells CSO. “I don’t know of anyone with any sense of integrity who has signed it.”