The electronic voting system that has been used in Estonia since 2005 cannot guarantee fair elections because of fundamental security weaknesses and poor operational procedures, according to an international team of security and Internet voting researchers. The analysis performed by the team’s members, some of whom acted as observers during the 2013 local elections in Estonia, revealed that sophisticated attackers, like those employed by nation states, could easily compromise the integrity of the country’s Internet voting system and influence the election outcome, often without a trace.
The team chose to analyze the Estonian system because Estonia has one of the highest rates of Internet voting participation in the world — over 21 percent of the total number of votes during the last local election were cast through the electronic voting system.
During their observation of the local elections and by later watching the procedural videos released by the Estonian election authority, the researchers identified a large number of poor security practices that ranged from election officials inputting sensitive passwords and PINs while being filmed to system administrators downloading critical applications over insecure connections and using personal computers to deploy servers and build the client software distributed to voters. The researchers also used open-source code released by the Estonian government to replicate the electronic voting system in their laboratory and then devised several practical server-side and client-side attacks against it.
To use the Estonian system, voters insert their electronic national ID card into a card reader attached to their computers and use the PINs associated with their ID cards to cast their votes through a special application. The researchers developed malware that can record the PINs and later change the votes while the ID cards are attached to voters’ computers for other operations.
The malware can be deployed in different ways, including through online exploits, through existing infections or through man-in-the-middle attacks during the download process. Attackers could also maliciously alter the voting software itself during the build process, if it’s created on a personal computer instead of in a controlled environment, the researchers said Monday during a press conference about their findings in Tallinn, Estonia.
The system uses a vote confirmation procedure based on QR codes that need to be scanned by users with their mobile phones after casting their votes. However, a compromised voting application can potentially alter votes and QR codes in real time, meaning this additional verification system can’t protect users from sophisticated attackers, the researchers said. Such false verification attacks have been used in the real world against online banking users, so they’re not just theoretical and could easily be applied to Internet voting, they said.