Australian online voting system may have FREAK bug

Mass tampering with votes possible, and 60,000 have already been cast …

UPDATE Next weekend, voters in the Australian State of New South Wales go to the polls to elect a new government. Some have already cast their votes online, with a system that may be running the FREAK bug.

So say Vanessa Teague and J. Alex Halderman, respectively a research fellow in the Department of Computing and Information Systems at at the University of Melbourne and an assistant professor of computer science and engineering at the University of Michigan and director of Michigan’s Center for Computer Security and Society.

The system in question is called iVote system and was launched in 2011 to assist voters who live 20 kilometres or more from a polling station, or those will be overseas or interstate on election day.

But Teague and Halderman say their proof-of-concept probe on a "practice" system showed it is possible to "... intercepts and manipulate votes ... though the same attack would also have succeeded against the real voting server," the pair wrote in analysis.

"The attack works if a voter uses iVote from a malicious network – say, from a WiFi access point that has been infected by malware.

"In our demonstration, the malicious network injects code that stealthily substitutes a different vote of the attacker’s choosing. We also show how the attacker can steal the voter’s secret PIN and receipt number and send them, together with the voter’s secret ballot choices, to a remote monitoring server."

Original and tampered votes shown in a test environment.

The iVote platform since patched was exposed to man-in-the-middle attacks thanks to external JavaScript served from ivote.piwikpro.com that was vulnerable to a range of SSL attacks, including the recently discovered FREAK attack.

Speaking to the ABC's AM program Teague says attackers could target the system from anywhere in the world and with sufficient but not tremendous levels of skill could automate the hacking.

"It would be could be difficult but not impossible," Teague says.

She criticised the iVote patching process saying it had merely extinguished one vulnerability and that more could remain undiscovered.

"Just because they have patched this particularly bad one does not mean they have addressed the fundamental security questions."

NSW chief information officer Ian Brightwell told the program it could not guarantee the security of the voting system due to inherent risk in all paper and electronic voting mechanisms.

"WIth all voting systems you have to have a certain degree of trust and we cannot guarantee the votes … but we are yielding the outcome we set out to achieve," Brightwell says.

Teague ripped into voting systems last year at the annual Ruxcon security fest in Melbourne, saying that there are too many security risks for such systems to be trusted.

UPDATE

The NSW Electoral Commission has responded to the paper reported above, as follows:

The paper identifies a security vulnerability which under limited circumstances could be used to attack the iVote system. The vulnerability identified was not within the voting system but rather an associated monitoring tool used by the voting system. The paper does not provide any evidence of an actual breach of the iVote production system. We have sought advice from the iVote core system service provider and our internet security consultants CSC Cybersecurity Australia. While the likelihood of such a risk occurring is considered low, the NSWEC has decided to remove the monitoring tool from iVote and effectively remove the identified risk.

The statement goes on to say "The identified risk is a variant of an already known and accepted risk for iVote" and that "The iVote system was designed to mitigate against this situation by offering electors the opportunity to verify their vote through an independent channel." ®


Biting the hand that feeds IT © 1998–2017