#1250715: Vulnerability in Swiss e-voting system could have led to vote alterations
Two separate teams of security researchers and academics from universities in Australia and Switzerland today revealed vulnerabilities in the e-voting system that the Swiss voting commission plans to roll out for future elections.
Among the reported vulnerabilities is one that security researchers said could allow an attacker with local access to a voting machine, or the voting machine vendor itself, to tamper with cast votes.
The vulnerability resides in the cryptographic system that verifies that the cast votes are the same ones that are being reported. Researchers say this cryptographic scheme is weak and allows someone to swap votes.
A technical explanation is available in a short write-up by the University of Melbourne and in an in-depth report by the Bern University of Applied Sciences.
Swiss Post, the Swiss organization in charge of the Swiss e-voting system, and Scytl, the Spanish company which developed the system, have both issued statements thanking the researchers and announcing fixes.
Last month, Swiss Post opened Scytl's e-voting solution to public penetration tests, made the e-voting system's source code available to participants, and promised cash rewards as high as $50,000.
The vulnerability reported by the two teams of researchers wasn't submitted through Swiss Post's bug bounty platform, but the researchers, mostly cryptographers, took advantage of the public source code to look at the voting system's cryptographic protocols.
Scytl's latest statement is a far cry from a harsher and more critical statement it released at the end of February, after security researchers first started looking at its e-voting system's code and debating it on Twitter.
In that statement, the company criticized the security researchers who signed up for its bug bounty program but shared the e-voting system's source code online despite being told that the source code was meant for contest participants only.
Swiss Post said that more than 3,000 security researchers have signed up for the contest, which is set to end on March 24.
Additional flaws in the Swiss e-voting system are also detailed here.
Date added: March 14, 2019, 12:25 p.m.