A “major security hole” that could allow an attacker to read or change someone’s vote has been discovered in the New South Wales online iVote platform, security experts say. The iVote system allows people to lodge their votes for Saturday’s state election online, instead of visiting a physical polling station. It aims to make voting easier for the disabled or for people who live long distances from polling booths. However, computer security researchers said they found a critical issue and alerted the NSW Electoral Commission on Friday afternoon. University of Melbourne research fellow Vanessa Teague, who found the security vulnerability, said it was a difficult hack to pull off, but could potentially affect ballots en masse. “We’ve been told repeatedly that votes are perfectly secret and the whole system is secure and it can’t be tampered with and so on, and we’ve shown very clearly that that’s not true – that these votes are not secret and they can be tampered with,” Ms Teague said.
She said the attack could allow another person to either read or even manipulate a vote before it was sent to the electoral commission’s servers. “The analogue would be pulling someone’s postal vote envelope out of the post, pulling out their vote and finding out how they intended to vote and then putting a different ballot in instead,” Ms Teague said.
“The point of course with the electronic equivalent is that an attacker wouldn’t necessarily need to be in New South Wales to do this and they could potentially do this in an automated way to a very, very large number of votes.” Ms Teague said the voter would be unaware their vote had been changed. She also said whilst the system hack would be difficult for an attacker to perform, many could successfully do it and she was not convinced any electronic voting system was safe.
“Just because they’ve patched this particular bug that they’ve been specifically notified of does not mean that they’ve fixed the fundamental questions around the security and verifiability of the system,” she said. “If anything the existence of this one particular bug serves to bolster the argument that these kinds of bugs are probably inevitable in these kinds of systems.”