The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9269)

Abstract

In the world’s largest-ever deployment of online voting, the iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 state election in New South Wales, Australia. During the election, we performed an independent security analysis of parts of the live iVote system and uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism. These vulnerabilities do not seem to have been detected by the election authorities before we disclosed them, despite a pre-election security review and despite the system having run in a live state election for five days. One vulnerability, the result of including analytics software from an insecure external server, exposed some votes to complete compromise of privacy and integrity. At least one parliamentary seat was decided by a margin much smaller than the number of votes taken while the system was vulnerable. We also found protocol flaws, including vote verification that was itself susceptible to manipulation. This incident underscores the difficulty of conducting secure elections online and carries lessons for voters, election officials, and the e-voting research community.

References

  1. 1.
    ABC News. Computer voting may feature in March NSW election, February 2015. http://www.abc.net.au/news/2015-02-04/computer-voting-may-feature-in-march-nsw-election/6068290
  2. 2.
    Abendan, O.: How DNS changer Trojans direct users to threats. In: Trend Micro Threat Encyclopedia (2012)Google Scholar
  3. 3.
    Adida, B.: Helios: web-based open-audit voting. In: 17th USENIX Security Symposium, August 2008. https://vote.heliosvoting.org
  4. 4.
    Adida, B., De Marneffe, O., Pereira, O., Quisquater, J.-J.: Electing a university president using open-audit voting: analysis of real-world use of Helios. In: Electronic Voting Technology Workshop (EVT) (2009)Google Scholar
  5. 5.
    Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J.A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Zanella-Béguelin, S., Zimmermann, P.: Imperfect forward secrecy: how Diffie-Hellman fails in practice, May 2015. https://weakdh.org/
  6. 6.
    Ballani, H., Francis, P., Zhang, X.: A study of prefix hijacking and interception in the Internet. In: Proceedings of ACM SIGCOMM, August 2007Google Scholar
  7. 7.
    Bell, S., Benaloh, J., Byrne, M.D., DeBeauvoir, D., Eakin, B., Fisher, G., Kortum, P., McBurnett, N., Montoya, J., Parker, M., et al.: Star-vote: a secure, transparent, auditable, and reliable voting system. USENIX J. Election Technol. Syst. 1(1), 18–37 (2013)Google Scholar
  8. 8.
    Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zinzindohoue, J.K.: A messy state of the union: taming the composite state machines of TLS. In: 36th IEEE Symposium on Security and Privacy (2015)Google Scholar
  9. 9.
    Bilodeau, O., Dupuy, T.: Dissecting Linux/Moose: the analysis of a Linux router-based worm hungry for social networks, May 2015. http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf
  10. 10.
    Carback, R., Chaum, D., Clark, J., Conway, J., Essex, A., Herrnson, P.S., Mayberry, T., Popoveniuc, S., Rivest, R.L., Shen, E. et al.: Scantegrity II municipal election at Takoma Park: the first E2E binding governmental election with ballot privacy. In: Proceedings of the 19th USENIX Security Symposium (2010)Google Scholar
  11. 11.
    Culnane, C., Ryan, P.Y.A., Schneider, S., Teague, V.: vVote: A verifiable voting system. ACM Transactions on Information and System Security. To appear. Technical report at http://arxiv.org/abs/1404.6822
  12. 12.
    Durumeric, Z., Adrian, D., Mirian, A., Bailey, M., Halderman, J.A.: Tracking the FREAK attack. https://freakattack.com/
  13. 13.
    Estonian Internet Voting Committee. Statistics about Internet voting in Estonia, May 2014. http://www.vvk.ee/voting-methods-in-estonia/engindex/statistics
  14. 14.
    Gjøsteen, K.: The Norwegian Internet voting protocol. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 1–18. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  15. 15.
    Hastings, N., Peralta, R., Popoveniuc, S., Regenscheid, A.: Security considerations for remote electronic UOCAVA voting. National Institute of Standards and Technology, NISTIR 7770, February 2011. http://www.nist.gov/itl/vote/upload/NISTIR-7700-feb2011.pdf
  16. 16.
    Heninger, N.: Factoring as a service. Crypto 2013 rump session. https://www.cis.upenn.edu/nadiah/projects/faas/
  17. 17.
    Kaminsky, D.: It’s the end of the cache as we know it. In: Toorcon (2008)Google Scholar
  18. 18.
    Kusters, R., Truderung, T., Vogt, A.: Clash attacks on the verifiability of e-voting systems. In: 33rd IEEE Symposium on Security and Privacy, pp. 395–409 (2012)Google Scholar
  19. 19.
    Marlinspike, M.: New tricks for defeating SSL in practice. Black Hat (2009). http://www.thoughtcrime.org/software/sslstrip/
  20. 20.
    McKay, R.: Flaws in iVote’s re-vote process which attempts to defeat coercers. http://www.bigpulse.com/governmentelections#changevoteflaw. BigPulse
  21. 21.
    NSW Electoral Commission. legislative council–final distribution of preferences (2015). http://vtr.elections.nsw.gov.au/lc-home.htm#lc/state/dop/dop_index
  22. 22.
    NSW Electoral Commission. Index of iVote reports. http://www.elections.nsw.gov.au/about_us/plans_and_reports/ivote_reports
  23. 23.
  24. 24.
    NSW Electoral Commission. iVote system security implementation statement, March 2015. http://www.elections.nsw.gov.au/_data/assets/pdf_file/0007/193219/iVote-Security_Implementation_Statement-Mar2015.pdf
  25. 25.
    Räisänen, O.: The bank deal. http://oona.windytan.com/pankki.html
  26. 26.
    Ryan, P.Y.A., Teague, V.: Pretty good democracy. In: Christianson, B., Malcolm, J.A., Matyáš, V., Roe, M. (eds.) Security Protocols 2009. LNCS, vol. 7028, pp. 111–130. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  27. 27.
    Segaard, B., Christensen, D.A., Folkestad, B., Saglie, J.: Internettvalg: hva gjør og mener velgerne? (2014). https://www.regjeringen.no/globalassets/upload/kmd/komm/rapporter/isf_internettvalg.pdf
  28. 28.
    Springall, D., Finkenauer, T., Durumeric, Z., Kitcat, J., Hursti, H., MacAlpine, M., Halderman, J.A.: Security analysis of the Estonian internet voting system. In: ACM Conference on Computer and Communications Security (CCS), November 2014Google Scholar
  29. 29.
    Teague, V., Halderman, J.A.: Security flaw in New South Wales puts thousands of online votes at risk. Freedom to Tinker blog post, 22 March 2015. https://freedom-to-tinker.com/blog/teaguehalderman/ivote-vulnerability/
  30. 30.
    Victorian Electoral Commission. Report to Parliament on the 2010 Victorian State election; Section 11: Statistical overview of the election (2011). http://www.vec.vic.gov.au/files/ER-2010-Section11.pdf
  31. 31.
    Wolchok, S., Wustrow, E., Isabel, D., Halderman, J.A.: Attacking the Washington, D.C. Internet voting system. In: 16th International Conference on Financial Cryptography and Data Security (FC), February 2012Google Scholar
  32. 32.
    Zagórski, F., Carback, R.T., Chaum, D., Clark, J., Essex, A., Vora, P.L.: Remotegrity: design and use of an end-to-end verifiable remote voting system. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 441–457. Springer, Heidelberg (2013) CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.University of MichiganAnn ArborUSA
  2. 2.University of MelbourneMelbourneAustralia

Personalised recommendations