A summary of the findings of the Security Analysis of the Estonian E-voting System used for the October 2013 local elections.
Ahead of European Parliamentary elections on May 25, 2014, an international team has identified major risks in the security of Estonia’s Internet voting system and recommended its immediate withdrawal.
Estonia is the only country in the world that relies on Internet voting in a significant way for national elections. The system is currently used for Estonia’s national parliamentary and municipal elections, and it is planned to be used for the upcoming European Parliamentary elections. In recent polls, between 20 percent and 25 percent of voters cast their ballots online.
But the nation’s Internet voting system cannot guarantee fair elections because of fundamental security weaknesses and poor operational procedures, security and Internet voting researchers have found. The team includes J. Alex Halderman, an assistant professor of computer science and engineering at Michigan Engineering; Harri Hursti, an independent security researcher; Jason Kitcat, a UK Open Rights Group Advisory Council member; Maggie MacAlpine, a post-election audit advisor; and Travis Finkenauer and Drew Springall, Michigan Engineering graduate students.
The analysis performed by the team members revealed that sophisticated attackers could easily compromise the integrity of the country’s Internet voting system and influence an election’s outcome, quite possibly without a trace. The researchers recommend that the system should immediately be discontinued.
Research team members were officially accredited to observe the Estonian Internet voting system during the October 2013 municipal elections. These observations – and subsequent security analysis and laboratory testing – revealed a series of problems: Operational security is lax and inconsistent. Transparency measures are insufficient to prove an honest count. And the software design is highly vulnerable to attack from foreign powers.
“We didn’t see a polished, fully documented procedural approach of maintaining the back-end systems for these online elections,” said Hursti, who observed operations in the election data center in October 2013.
Videos published by election officials show the officials downloading essential software over unsecured Internet connections, typing secret passwords and PINs in full view of the camera, and preparing the election software for distribution to the public on insecure personal computers.
“These computers could have easily been compromised by criminals or foreign hackers, undermining the security of the whole system,” Hursti said.
Halderman pointed to fundamental weaknesses in the I-voting system’s design.
“Estonia’s Internet voting system blindly trusts the election servers and the voters’ computers,” Halderman said. “Either of these would be an attractive target for state-level attackers, such as Russia.”
Recent reports about state-sponsored hacking of American companies by China, and of European telecoms by the NSA, demonstrate that these dangers are a reality, Halderman said.
To experimentally confirm these risks, Halderman and Ph.D. students recreated the Estonian “I-voting system” in their laboratory based on the published software used in 2013. They successfully simulated multiple modes of attack that they say could be carried out by a foreign power.
“Although the Estonian system contains a number of security safeguards, these are insufficient to protect against the attacks we tried,” Halderman said.
In one attack, malware on the voter’s computer silently steals votes, despite the system’s use of secure national ID cards and smartphone verification. A second kind of attack smuggles vote-stealing software into the tabulation server that produces the final official count. The team produced videos in which they carry out exactly the same configuration steps as election officials – but with the system under attack by a simulated state-level adversary. Everything appears normal, but the final count produces a dishonest result.
“There is no doubt that the Estonian I-voting system is vulnerable to state-level attackers, and it could also be compromised by dishonest election officials,” said Halderman. These attackers could change votes, compromise the secret ballot, disrupt voting, or cast doubt on the legitimacy of the election process.
The team recently arrived at these results and felt a responsibility to make them public ahead of the upcoming European elections, said Jason Kitcat from the Open Rights Group.
“I was shocked at what we found,” Kitcat said. “We never thought we’d see as many problems and vulnerabilities as we did. We feel duty-bound to make the public aware of those problems.”
While some of the problems can be corrected in the short term through changes to the system, others stem from fundamental weaknesses that cannot be fixed. With the growing risk of state-level cyberattacks, the team unanimously recommends discontinuing Internet voting until there are fundamental advances in computer security.
“With today’s security technology, no country in the world is able to provide a secure Internet voting system,” said Hursti. “I would recommend that Estonia return to a paper ballot only system.”
Maggie MacAlpine, a post-election audit advisor, said, “While Estonia has an excellent e-government system, which they should continue to develop, they should take the Internet voting element of that off-line. Estonia has a well organized paper voting system which they should revert back to.”
The researchers’ full report, and videos explaining the key findings, have been published at https://estoniaevoting.org.