The New South Wales Electoral Commission (NSWEC) is eyeing potential changes to its iVote platform ahead of NSW’s 2019 election. iVote offers both browser-based Internet voting and telephone voting. It was used in the 2011 and 2015 NSW state elections, as well as in the 2017 Western Australia election and a number of by-elections. … In 2015, cyber security researchers uncovered a vulnerability in iVote that could potentially be exploited to stage man-in-the-middle attacks to subvert votes. “We found a serious security hole that exposed the browsing session both to an attack called the FREAK attack and another attack called the Logjam attack,” one of the researchers, Dr Vanessa Teague from the University of Melbourne, told the hearing of a NSW parliamentary inquiry last year.
Both attacks involved intercepting code on its way from a third-party service into the voter’s browsing session and allowed an Internet-based man-in-the-middle attacker to subvert the voter session entirely, expose how the person intended to vote, and send a different vote back to the electoral commission, the researcher said.
“None of this would have looked untoward at the electoral commission end – it would have looked exactly like a valid vote from an eligible voter,” she added. “In fact, it would have been a valid vote from an eligible voter – it just wouldn’t have been that one that that voter intended to cast.”