The result of the NSW election this Saturday is likely to be challenged after a security flaw was identified that could potentially have compromised 66,000 electronic votes.
A number of parties, including the Greens, the National party and the Outdoor Recreation party, have told Guardian Australia they would consider all of their options after the “major vulnerability” was revealed in the iVote system, an internet voting program being trialled for the first time this year.
But a senior NSW Electoral Commission official said fears of vote tampering were overblown and the work of “well-funded, well-managed, anti-internet voting lobby groups”.
While the iVote website itself is secure, Melbourne University security specialist Vanessa Teague discovered on Friday that it loaded JavaScript from a third-party website that was “vulnerable to an attack called the FREAK attack”.
“The implication is that an attacker who controls some point through which the user’s traffic is passing could substitute that code for a code of the attackers’ choice,” she said.
In layman’s terms, a hacker could intercept a vote for party A and turn it into a vote for party B without alerting the voter or the NSW Electoral Commission.
The vulnerability was discovered on a practice site set up by the commission. The source code for the actual system hasn’t been made available, but Teague said it was “identical”.
Teague and her colleague, University of Michigan computer science professor Alex Halderman, alerted the commission, and the vulnerable code was deleted from the system by 2pm on Saturday.
“But during the time before they closed off the hole, about 66,000 votes were cast, and now all of those are going to have to be somewhat in question because of the nature of the vulnerability,” Halderman said.
It was impossible to know if there were other flaws without seeing iVote’s source code and verification system, he said. “It’s a secret how it works. There could well be other vulnerabilities of similar severity and we don’t know.”
Full Article: NSW election result could be challenged over iVote security flaw | Australia news | The Guardian.