Abstract
In the world’s largest-ever deployment of online voting, the iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 state election in New South Wales, Australia. During the election, we performed an independent security analysis of parts of the live iVote system and uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism. These vulnerabilities do not seem to have been detected by the election authorities before we disclosed them, despite a pre-election security review and despite the system having run in a live state election for five days. One vulnerability, the result of including analytics software from an insecure external server, exposed some votes to complete compromise of privacy and integrity. At least one parliamentary seat was decided by a margin much smaller than the number of votes taken while the system was vulnerable. We also found protocol flaws, including vote verification that was itself susceptible to manipulation. This incident underscores the difficulty of conducting secure elections online and carries lessons for voters, election officials, and the e-voting research community.
Keywords
- Vote System
- State Election
- Interactive Voice Response System
- Registration Server
- Legislative Council
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, access via your institution.
Buying options
Notes
- 1.
Or rather, it did for the first week of voting, until we pointed this out to NSWEC.
- 2.
In the case of the web server, this would require forging a signature attached to the vote by the client. This signing step is evident in the JavaScript, but we could not find any documentation on how the signing key was derived or how the signature was verified. Hence we do not know whether a compromised web server could have simply created a new signature on any vote it received, or whether it would have needed to modify the JavaScript served to the client in order to get a valid signature on an altered vote.
- 3.
Some also use homomorphic tallying, but that would not work for Australian (preferential) voting.
References
ABC News. Computer voting may feature in March NSW election, February 2015. http://www.abc.net.au/news/2015-02-04/computer-voting-may-feature-in-march-nsw-election/6068290
Abendan, O.: How DNS changer Trojans direct users to threats. In: Trend Micro Threat Encyclopedia (2012)
Adida, B.: Helios: web-based open-audit voting. In: 17th USENIX Security Symposium, August 2008. https://vote.heliosvoting.org
Adida, B., De Marneffe, O., Pereira, O., Quisquater, J.-J.: Electing a university president using open-audit voting: analysis of real-world use of Helios. In: Electronic Voting Technology Workshop (EVT) (2009)
Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J.A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Zanella-Béguelin, S., Zimmermann, P.: Imperfect forward secrecy: how Diffie-Hellman fails in practice, May 2015. https://weakdh.org/
Ballani, H., Francis, P., Zhang, X.: A study of prefix hijacking and interception in the Internet. In: Proceedings of ACM SIGCOMM, August 2007
Bell, S., Benaloh, J., Byrne, M.D., DeBeauvoir, D., Eakin, B., Fisher, G., Kortum, P., McBurnett, N., Montoya, J., Parker, M., et al.: Star-vote: a secure, transparent, auditable, and reliable voting system. USENIX J. Election Technol. Syst. 1(1), 18–37 (2013)
Beurdouche, B., Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P.-Y., Zinzindohoue, J.K.: A messy state of the union: taming the composite state machines of TLS. In: 36th IEEE Symposium on Security and Privacy (2015)
Bilodeau, O., Dupuy, T.: Dissecting Linux/Moose: the analysis of a Linux router-based worm hungry for social networks, May 2015. http://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf
Carback, R., Chaum, D., Clark, J., Conway, J., Essex, A., Herrnson, P.S., Mayberry, T., Popoveniuc, S., Rivest, R.L., Shen, E. et al.: Scantegrity II municipal election at Takoma Park: the first E2E binding governmental election with ballot privacy. In: Proceedings of the 19th USENIX Security Symposium (2010)
Culnane, C., Ryan, P.Y.A., Schneider, S., Teague, V.: vVote: A verifiable voting system. ACM Transactions on Information and System Security. To appear. Technical report at http://arxiv.org/abs/1404.6822
Durumeric, Z., Adrian, D., Mirian, A., Bailey, M., Halderman, J.A.: Tracking the FREAK attack. https://freakattack.com/
Estonian Internet Voting Committee. Statistics about Internet voting in Estonia, May 2014. http://www.vvk.ee/voting-methods-in-estonia/engindex/statistics
Gjøsteen, K.: The Norwegian Internet voting protocol. In: Kiayias, A., Lipmaa, H. (eds.) VoteID 2011. LNCS, vol. 7187, pp. 1–18. Springer, Heidelberg (2012)
Hastings, N., Peralta, R., Popoveniuc, S., Regenscheid, A.: Security considerations for remote electronic UOCAVA voting. National Institute of Standards and Technology, NISTIR 7770, February 2011. http://www.nist.gov/itl/vote/upload/NISTIR-7700-feb2011.pdf
Heninger, N.: Factoring as a service. Crypto 2013 rump session. https://www.cis.upenn.edu/nadiah/projects/faas/
Kaminsky, D.: It’s the end of the cache as we know it. In: Toorcon (2008)
Kusters, R., Truderung, T., Vogt, A.: Clash attacks on the verifiability of e-voting systems. In: 33rd IEEE Symposium on Security and Privacy, pp. 395–409 (2012)
Marlinspike, M.: New tricks for defeating SSL in practice. Black Hat (2009). http://www.thoughtcrime.org/software/sslstrip/
McKay, R.: Flaws in iVote’s re-vote process which attempts to defeat coercers. http://www.bigpulse.com/governmentelections#changevoteflaw. BigPulse
NSW Electoral Commission. legislative council–final distribution of preferences (2015). http://vtr.elections.nsw.gov.au/lc-home.htm#lc/state/dop/dop_index
NSW Electoral Commission. Index of iVote reports. http://www.elections.nsw.gov.au/about_us/plans_and_reports/ivote_reports
NSW Electoral Commission. iVote threat analysis and risk assessment, January 2014. http://www.elections.nsw.gov.au/_data/assets/pdf_file/0008/175760/NSW_Election_iVote_Threat_Analysis_and_Risk_Assessment_v3.0.pdf
NSW Electoral Commission. iVote system security implementation statement, March 2015. http://www.elections.nsw.gov.au/_data/assets/pdf_file/0007/193219/iVote-Security_Implementation_Statement-Mar2015.pdf
Räisänen, O.: The bank deal. http://oona.windytan.com/pankki.html
Ryan, P.Y.A., Teague, V.: Pretty good democracy. In: Christianson, B., Malcolm, J.A., Matyáš, V., Roe, M. (eds.) Security Protocols 2009. LNCS, vol. 7028, pp. 111–130. Springer, Heidelberg (2013)
Segaard, B., Christensen, D.A., Folkestad, B., Saglie, J.: Internettvalg: hva gjør og mener velgerne? (2014). https://www.regjeringen.no/globalassets/upload/kmd/komm/rapporter/isf_internettvalg.pdf
Springall, D., Finkenauer, T., Durumeric, Z., Kitcat, J., Hursti, H., MacAlpine, M., Halderman, J.A.: Security analysis of the Estonian internet voting system. In: ACM Conference on Computer and Communications Security (CCS), November 2014
Teague, V., Halderman, J.A.: Security flaw in New South Wales puts thousands of online votes at risk. Freedom to Tinker blog post, 22 March 2015. https://freedom-to-tinker.com/blog/teaguehalderman/ivote-vulnerability/
Victorian Electoral Commission. Report to Parliament on the 2010 Victorian State election; Section 11: Statistical overview of the election (2011). http://www.vec.vic.gov.au/files/ER-2010-Section11.pdf
Wolchok, S., Wustrow, E., Isabel, D., Halderman, J.A.: Attacking the Washington, D.C. Internet voting system. In: 16th International Conference on Financial Cryptography and Data Security (FC), February 2012
Zagórski, F., Carback, R.T., Chaum, D., Clark, J., Essex, A., Vora, P.L.: Remotegrity: design and use of an end-to-end verifiable remote voting system. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 441–457. Springer, Heidelberg (2013)
Acknowledgments
The authors thank David Adrian, Ed Felten, Rajeev Goré, Nadia Heninger, Harri Hursti, and Liz Minchin for assistance during this project. For their support and encouragement after we made our results public, we would also like to thank the tremendous community of election integrity scholars and advocates, including but not limited to: Duncan Buell, David Dill, Joseph Hall, Candice Hoke, David Jefferson, Noel Runyan, Ronald Rivest, Barbara Simons and Pamela Smith. This material is based in part upon work supported by the U.S. National Science Foundation under grants CNS-1345254 and CNS-1409505, and by the Morris Wellman Faculty Development Assistant Professorship.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Halderman, J.A., Teague, V. (2015). The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election. In: Haenni, R., Koenig, R., Wikström, D. (eds) E-Voting and Identity. Vote-ID 2015. Lecture Notes in Computer Science(), vol 9269. Springer, Cham. https://doi.org/10.1007/978-3-319-22270-7_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-22270-7_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22269-1
Online ISBN: 978-3-319-22270-7
eBook Packages: Computer ScienceComputer Science (R0)